Empowering users to make informed decisions on the value of sensitive data
Awareness days are a great way to raise the profile of important issues that might otherwise go unnoticed and Data Privacy Day is no different. Held annually on January 28, Data Privacy Day encourages everyone to make protecting privacy and data a greater priority.
In 2014, there aren’t many businesses that don’t have some form of online presence, whether that’s e-commerce, social media, websites or even just corporate networks. With ever-increasing volumes of data to handle, the proliferation of communication channels and devices for accessing them, and the need to provide ready access to systems for customers and partners, organisations need to find more effective ways to protect their data. The continuous flow of data is an ongoing security challenge for organisations that, by law, must protect sensitive personal data such as customer names and records from being leaked or lost.
During the past year alone there have been countless headlines about high-profile organisations losing data or inadvertently making sensitive information public. External threats to data are well-documented and generally well-understood, but in reality organisations must not only contend with cybercriminals; they must also deal with the “insider threat”, that is, the risk that their own employees and other stakeholders pose to their data security.
Again, headlines such as those generated by Edward Snowden last year mean that most people are aware of the threat posed by insiders who intend to leak information, but not all data leakage incidents are due to malicious activity; many are simply down to human error. An unfortunate auto-complete in email addressing can cause just as much damage as a whistle-blower. According to a recent Forrester report, inadvertent misuse of data from insiders topped the list of breach causes in 2013, at 36% of breaches. In the public sector and healthcare industry this percentage jumps to 44%.
Whilst everyone makes mistakes, it is the organisations and their officers that are penalised, so they must put in place robust strategies and technologies to ensure that sensitive data is not inadvertently lost or leaked. Many organisations are subject to regulations requiring them to protect data, enforced with penalties such as fines which, although painful for the bottom line, pale in comparison to the financial and reputational damage caused by the news of the breach and subsequent market reaction.
The 2012 Ponemon Institute “Aftermath of a Data Breach” report quantified some of the key consequences of a data breach – 50% of respondents reported a loss of productivity, 41% reported a loss of customer loyalty and 25% reported a decline in company share price. In their 2013 report, Ponemon noted that human errors and system problems caused two-thirds of data breaches in 2012 and pushed the global average cost to $136 per record lost.
One of the best ways to ensure that data is effectively protected is through data classification. Data classification empowers users and businesses to assign a value to the data they create and handle so that informed decisions can be taken about how it is managed, protected and shared. This establishes a safety net that helps prevent sensitive data from being distributed in error and enforces data security policy and best practice across the organisation. Indeed, data classification is cited as being one of the top IT security priorities for the next 12 months according to reports – with 15% stating it is business critical and 41% a high priority.
User-driven data classification captures the user’s knowledge of the context and business value of the data, which is then stored as visual and metadata labels on messages and documents. These labels can range from simple “Confidential” markings to complex national security driven data classifications. This means that the user’s assessment of the importance of the data can travel with it, so that everyone handling that data is clear as to its sensitivity and safeguarding requirements.
Involving a user in the process of identifying and classifying data increases their understanding of the nature of such content and its safeguarding needs. One large Financial Services client of ours explained that they had specifically looked for a data classification solution that would be visible to their employees, so that they would be involved in and aware of data classification and their obligations around protecting valuable data. They actively sought to use their employees to safeguard their data, rather than be passively defended by a host of background data security products.
Employees have to interact with partners and customers for a business to succeed. They are the front line of the business, but without adequate training and education they will also become the weakest link.
Data Privacy Day is a great initiative to highlight and educate businesses on the importance of good data security practices, but the responsibility for educating staff will always remain firmly in the hands of the company. Technologies that empower users to take ownership of secure practices, such as data classification, will help organisations succeed where so many others have failed.