Light Dark
February 15, 2018 By Paula Musich 3 min read
Data Protection
Risk Management

This is the third installment in a three-part series about data risk management. For the full story, be sure to read part 1 and part 2.

As security practitioners look to secure their organization’s crown jewels against data theft, they should consider whether there is a difference in the risk levels for securing structured versus unstructured data. This process starts with defining what exactly the organization’s crown jewels are. Once that is determined, most organizations find that they need to prioritize both structured and unstructured data based on the value they represent.

Structured data, such as data kept in a relational database, is easy to search and analyze. This includes length-specific data, such as Social Security numbers, and variable-length text strings, such as customer names. Examples of applications that rely on structured data contained in a relational database management system (RDBMS) include sales tracking, airline reservation, customer relationship management (CRM), electronic medical record (EMR) and inventory control systems. Structured data within an RDBMS can be easily searched using structured query language.

Unstructured data is just the opposite. It represents the lion’s share of data within any organization, has no predefined schema and uses a variety of formats. Think of emails, audio and video files, social media, mobile data, text files and so on. Unstructured data grows exponentially and constantly streams through your on-premises infrastructure, big data environments and the cloud. It can be stored in diverse repositories, whether they are NoSQL databases, data lakes or applications.

Determining Risk Levels of Structured and Unstructured Data

One thing both types of data have in common is that humans and machines can generate them. They also both represent varying risk levels to the organization. When classifying data, it’s important to consider the value that data represents to the organization and the potential implications of data loss.

For example, intellectual property, which is largely unstructured, is of great value to the organization. The theft of this data by a rival or cyberthieves could eliminate the organization’s competitive advantage and threaten its survival. On the other hand, the compromise of an email exchange about setting up a lunch date represents little threat to the organization, unless it’s between the CEO and another CEO to discuss a potential merger or acquisition. The breach of Colin Powell’s personal email account, for example, exposed a mergers and acquisitions strategy and acquisition targets, thanks to an attachment containing unstructured data in one of many stolen emails.

Structured data, such as transaction, financial and customer data, also holds great value to the organization. Because organizations have long recognized the value of this information, and because regulatory mandates require certain controls to be put in place to protect it, they have done a better job of securing structured data. The bigger issue arises when structured data is taken out of a well-fortified RDBMS and exported into a spreadsheet, cloud or partner system to be manipulated and shared with others. Once outside the existing security controls for the RDBMS, it is much harder to monitor and secure this data.

Related: Data Risk Management in 2018: What to Look for and How to Prepare

Unstructured Data Is an Easy Target

Cybercriminals are aware that critical unstructured data is a much easier target for theft than structured data that is protected by corporate firewalls, identity and access controls, encryption, database activity monitoring and more. Because organizations struggle to understand where that critical unstructured data is, how it is used and who has access to it, it can represent a bigger risk to the enterprise.

In addition, since there is so much more unstructured data than structured data, it’s harder to separate the critical from the not-so-critical to bolster protections around it. At the end of the day, it is essential to secure and control access to mission-critical structured and unstructured data. The process of identifying the data that is most critical to the success of the business will raise awareness of the potential impact of a breach.

Achieving the highest possible level of data security requires continuous monitoring for potential vulnerabilities and threats, combined with advanced protection and deep visibility into potential risks that may affect sensitive business data and processes. The key is to enable conversations between IT, security and line-of-business leaders to improve processes, mitigate risks, and convey meaning and value to executives.

Listen to the podcast: Data Risk Management in 2018 — What to Look for and How to Prepare

 |  |  |  |  |  |  | 
Paula Musich
Research Director

More from Data Protection
March 27, 2024

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

March 12, 2024

How data residency impacts security and compliance

3 min read - Every piece of your organization’s data is stored in a physical location. Even data stored in a cloud environment lives in a physical location on the virtual server. However, the data may not be in the location you expect, especially if your company uses multiple cloud providers. The data you are trying to protect may be stored literally across the world from where you sit right now or even in multiple locations at the same time. And if you don’t…

March 5, 2024

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature