Although all businesses handle data, data classification strategies vary from one organization to the other. How you decide to label and classify your data may depend on a constellation of factors, starting with what type of data you have.
In general, you’ll find that you have both external and internal data (also called public and confidential). However, not all data is created equal and some pieces will require more protection than others. How you determine what data needs special attention in your information security program will impact the way you organize and store your data.
Modern companies all handle a tremendous amount of data. We may have customer payment information, invoice records, email lists, order history, user data in software, or so many other bits of information. Companies need to keep this data organized and secure, but also accessible to the people who need it.
Data classification is an essential step for assessing risk at your company and creating a comprehensive information security strategy. You need to know what is your most sensitive data and where that is kept.
Here are a few best practices to consider when classifying data in your business.
Internal data originates within your business and is typically generated as a result of regular business activities. Unlike data gleaned from external sources, internal data involves sources of information that aren’t available to the public. It must be protected due to proprietary or ethical considerations. This would include things like trade secrets or health data regulated by HIPAA. Only people with a legitimate reason to access it should be able to do so.
Internal data is what most people think of when discussing business intelligence. You can break your internal data down into three different categories:
General internal data is information that is private because it simply isn’t relevant to the public. For example, internal data might include the company’s electricity usage for the building, its printer meter data, employment data that doesn’t involve identifiable information, or the identity of suppliers where a confidentiality agreement doesn’t exist.
In general, this sort of information likely doesn’t have any laws requiring its protection, but must be protected from unauthorized access, modification, or transmission to retain business integrity. Disclosure of this information would be inconsequential but might look bad for the company.
Best Practice: To prevent embarrassing mishaps or data breaches, encourage a culture of security in the workplace. Conduct security awareness training and encourage employees to take security seriously, no matter how trivial a piece of information may seem.
The US Securities and Exchange Commission defines confidential information as non-public information that concerns any aspect of a company or the affairs of the party supplying the information that isn’t publicly available. In other words, it is information intended to be used by the business, for business purposes, and includes sensitive information related to the business or the provider. Some examples of confidential information under the SEC include:
Confidential data must only be accessed by individuals with a legitimate reason, may have authorization requirements, and likely has laws governing its collection, use, storage, and transmission. The General Data Protection Regulation of the European Union is one such example of a law governing personal confidential data.
Best Practice: When it comes to confidential information, use a Zero Trust security model. Require users to authenticate themselves before connecting to internal networks or accessing systems containing confidential information.
Regulated or classified materials are a subset of confidential information. These are pieces of data subject to regulatory compliance, such as HIPAA or another set of legal mandates. Breaches to this type of data will be accompanied by fines, penalties, lawsuits, or business damage.
Because of these serious consequences, it’s worth separating these in your data classification. This type of data may require specific types of storage, security, or transmission through specific channels. You should have strict policies regarding who can access classified data.
Best Practice: Perform frequent assessments on regulated data and the technology used to collect, manipulate, transmit, or store it. Updates or changes to technology may render a service non-compliant without notice. (This happens a lot with cloud services.) Ignorance is not an excuse for non-compliance.
External data is generated either outside the company or within the company, but it’s generally publicly available for anyone who goes looking for it. There are many different sources for external data. Typically, these sources include things like surveys, research, customer feedback, and/or open sources like industry news blogs.
Possession of this data is frequently overlooked by companies and security information programs. According to a survey by The Silicon Review, 65 percent of respondents felt that external data was less valuable than internal data.
However, external data is critical to understanding your customers, market, and industry. It’s what provides context for internal data and empowers a company to differentiate itself in the competitive landscape. Therefore, it’s important to classify and protect data that a company collects from external sources.
External data can prove just as important to your company as much as internal data. However, it comes with its own set of challenges. Ensure that external data remains useful to your company by considering classification systems that include:
Good data classification is a foundation for keeping you company’s data organized, accessible, and useful. While there are many different dichotomies and ways to classify data, most companies will handle some sort of mixture of external/public or internal/confidential information. Additionally, internal data may occupy different levels of confidentiality, particularly once regulatory compliance enters the picture. Choose the classification system that best works for your data, and help it stay secure.
Need more help figuring out how to classify data at your company? Reach out to our team and learn how we can help you assess risk and build an information security program so good it will build trust and win customers.