Data Risk Management, Part 3: Assessing Risk Levels of Structured Versus Unstructured Data
As security practitioners look to secure their organization’s crown jewels against data theft, they should consider whether there is a difference in the risk levels for securing structured versus unstructured data. This process starts with defining what exactly the organization’s crown jewels are. Once that is determined, most organizations find that they need to prioritize both structured and unstructured data based on the value they represent.
Structured data, such as data kept in a relational database, is easy to search and analyze. This includes length-specific data, such as Social Security numbers, and variable-length text strings, such as customer names. Examples of applications that rely on structured data contained in a relational database management system (RDBMS) include sales tracking, airline reservation, customer relationship management (CRM), electronic medical record (EMR) and inventory control systems. Structured data within an RDBMS can be easily searched using structured query language.
Unstructured data is just the opposite. It represents the lion’s share of data within any organization, has no predefined schema and uses a variety of formats. Think of emails, audio and video files, social media, mobile data, text files and so on. Unstructured data grows exponentially and constantly streams through your on-premises infrastructure, big data environments and the cloud. It can be stored in diverse repositories, whether they are NoSQL databases, data lakes or applications.
Determining Risk Levels of Structured and Unstructured Data
One thing both types of data have in common is that humans and machines can generate them. They also both represent varying risk levels to the organization. When classifying data, it’s important to consider the value that data represents to the organization and the potential implications of data loss.
For example, intellectual property, which is largely unstructured, is of great value to the organization. The theft of this data by a rival or cyberthieves could eliminate the organization’s competitive advantage and threaten its survival. On the other hand, the compromise of an email exchange about setting up a lunch date represents little threat to the organization, unless it’s between the CEO and another CEO to discuss a potential merger or acquisition. The breach of Colin Powell’s personal email account, for example, exposed a mergers and acquisitions strategy and acquisition targets, thanks to an attachment containing unstructured data in one of many stolen emails.
Structured data, such as transaction, financial and customer data, also holds great value to the organization. Because organizations have long recognized the value of this information, and because regulatory mandates require certain controls to be put in place to protect it, they have done a better job of securing structured data. The bigger issue arises when structured data is taken out of a well-fortified RDBMS and exported into a spreadsheet, cloud or partner system to be manipulated and shared with others. Once outside the existing security controls for the RDBMS, it is much harder to monitor and secure this data.
Unstructured Data Is an Easy Target
Cybercriminals are aware that critical unstructured data is a much easier target for theft than structured data that is protected by corporate firewalls, identity and access controls, encryption, database activity monitoring and more. Because organizations struggle to understand where that critical unstructured data is, how it is used and who has access to it, it can represent a bigger risk to the enterprise.
In addition, since there is so much more unstructured data than structured data, it’s harder to separate the critical from the not-so-critical to bolster protections around it. At the end of the day, it is essential to secure and control access to mission-critical structured and unstructured data. The process of identifying the data that is most critical to the success of the business will raise awareness of the potential impact of a breach.
Achieving the highest possible level of data security requires continuous monitoring for potential vulnerabilities and threats, combined with advanced protection and deep visibility into potential risks that may affect sensitive business data and processes. The key is to enable conversations between IT, security and line-of-business leaders to improve processes, mitigate risks, and convey meaning and value to executives.