Data Protection February 15, 2018
By Paula Musich 3 min read
Series: What Data Risk Management Means for the Enterprise in 2018

This is the third installment in a three-part series about data risk management. For the full story, be sure to read part 1 and part 2.

As security practitioners look to secure their organization’s crown jewels against data theft, they should consider whether there is a difference in the risk levels for securing structured versus unstructured data. This process starts with defining what exactly the organization’s crown jewels are. Once that is determined, most organizations find that they need to prioritize both structured and unstructured data based on the value they represent.

Structured data, such as data kept in a relational database, is easy to search and analyze. This includes length-specific data, such as Social Security numbers, and variable-length text strings, such as customer names. Examples of applications that rely on structured data contained in a relational database management system (RDBMS) include sales tracking, airline reservation, customer relationship management (CRM), electronic medical record (EMR) and inventory control systems. Structured data within an RDBMS can be easily searched using structured query language.

Unstructured data is just the opposite. It represents the lion’s share of data within any organization, has no predefined schema and uses a variety of formats. Think of emails, audio and video files, social media, mobile data, text files and so on. Unstructured data grows exponentially and constantly streams through your on-premises infrastructure, big data environments and the cloud. It can be stored in diverse repositories, whether they are NoSQL databases, data lakes or applications.

Determining Risk Levels of Structured and Unstructured Data

One thing both types of data have in common is that humans and machines can generate them. They also both represent varying risk levels to the organization. When classifying data, it’s important to consider the value that data represents to the organization and the potential implications of data loss.

For example, intellectual property, which is largely unstructured, is of great value to the organization. The theft of this data by a rival or cyberthieves could eliminate the organization’s competitive advantage and threaten its survival. On the other hand, the compromise of an email exchange about setting up a lunch date represents little threat to the organization, unless it’s between the CEO and another CEO to discuss a potential merger or acquisition. The breach of Colin Powell’s personal email account, for example, exposed a mergers and acquisitions strategy and acquisition targets, thanks to an attachment containing unstructured data in one of many stolen emails.

Structured data, such as transaction, financial and customer data, also holds great value to the organization. Because organizations have long recognized the value of this information, and because regulatory mandates require certain controls to be put in place to protect it, they have done a better job of securing structured data. The bigger issue arises when structured data is taken out of a well-fortified RDBMS and exported into a spreadsheet, cloud or partner system to be manipulated and shared with others. Once outside the existing security controls for the RDBMS, it is much harder to monitor and secure this data.

Related: Data Risk Management in 2018: What to Look for and How to Prepare

Unstructured Data Is an Easy Target

Cybercriminals are aware that critical unstructured data is a much easier target for theft than structured data that is protected by corporate firewalls, identity and access controls, encryption, database activity monitoring and more. Because organizations struggle to understand where that critical unstructured data is, how it is used and who has access to it, it can represent a bigger risk to the enterprise.

In addition, since there is so much more unstructured data than structured data, it’s harder to separate the critical from the not-so-critical to bolster protections around it. At the end of the day, it is essential to secure and control access to mission-critical structured and unstructured data. The process of identifying the data that is most critical to the success of the business will raise awareness of the potential impact of a breach.

Achieving the highest possible level of data security requires continuous monitoring for potential vulnerabilities and threats, combined with advanced protection and deep visibility into potential risks that may affect sensitive business data and processes. The key is to enable conversations between IT, security and line-of-business leaders to improve processes, mitigate risks, and convey meaning and value to executives.

Listen to the podcast: Data Risk Management in 2018 — What to Look for and How to Prepare

 |  |  |  |  |  |  | 
Paula Musich
Research Director

More from Data Protection
September 28, 2023

Vulnerability resolution enhanced by integrations

2 min read - Why speed is of the essence in today's cybersecurity landscape? How are you quickly achieving vulnerability resolution?Identifying vulnerabilities should be part of the daily process within an organization. It's an important piece of maintaining an organization’s security posture. However, the complicated nature of modern technologies — and the pace of change — often make vulnerability management a challenging task.In the past, many organizations had to support manual integration work to get different security systems to ‘talk’ to each other. As…

September 27, 2023

Cost of a data breach 2023: Geographical breakdowns

4 min read - Data breaches can occur anywhere in the world, but they are historically more common in specific countries. Typically, countries with high internet usage and digital services are more prone to data breaches. To that end, IBM’s Cost of a Data Breach Report 2023 looked at 553 organizations of various sizes across 16 countries and geographic regions, and 17 industries. In the report, the top five costs of a data breach by country or region (measured in USD millions) for 2023…

September 13, 2023

Cost of a data breach 2023: Pharmaceutical industry impacts

3 min read - Data breaches are both commonplace and costly in the medical industry.  Two industry verticals that fall under the medical umbrella — healthcare and pharmaceuticals — sit at the top of the list of the highest average cost of a data breach, according to IBM’s Cost of a Data Breach Report 2023. The health industry’s place at the top spot of most costly data breaches is probably not a surprise. With its sensitive and valuable data assets, it is one of…

August 30, 2023

Cost of a data breach 2023: Financial industry impacts

3 min read - According to the IBM Cost of a Data Breach Report 2023, the global average cost of a data breach in 2023 was $4.45 million, 15% more than in 2020. In response, 51% of organizations plan to increase cybersecurity spending this year. For the financial industry, however, global statistics don’t tell the whole story. Finance firms lose approximately $5.9 million per data breach, 28% higher than the global average. In addition, evolving regulatory concerns play a role in how financial companies…

© 2023 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature