Light Dark
November 6, 2014 By Martin McKeay 2 min read
Data Protection
Risk Management

What’s the value?

Data classification is hard.

When I was working in the realm of credit card data as a Qualified Security Assessor (QSA), one of the things that I always found interesting was how companies protected their credit card data versus the rest of the data in their organization. Often, businesses had placed many additional controls around the credit card data than around other data, mostly because of the requirements from the Payment Card Industry. However, when you look at the value of a credit card number, what they were protecting was the costume jewelry of data.

Instead, it should be the crown jewels of their enterprise, such as the key intellectual property and business intelligence that makes their business valuable. Why does a corporation spend so much on protecting costume jewelry and yet leave their crown jewels relatively open? Because they can’t tell the difference between the two.

What are the crown jewels? As Erkang Zheng puts it, they’re the “.01 to 2 percent of data that determines whether your enterprise will survive and thrive“. In other words, a tiny fraction of the data that is responsible for a huge portion of the value for the company, often up to 70% of the whole value of all the data in the company. Think of the communications between executives detailing the next corporate purchase or merger, or the details surrounding the next big project or product.

Businesses invest major amounts of money to develop these plans and the details can be worth millions to a competitor, but if they’re not protected any better than a credit card number that’s worth pennies, you can guarantee a motivated attacker could get to them.

Why aren’t we hearing about compromised intellectual property?

We’ve been hearing about the compromise of credit card and personal data for several years now, but we haven’t heard how many corporations have lost key intellectual property to attackers. The reason is simple: there are a number of laws around the globe that require businesses to disclose leaked credit card numbers but few, if any, that require businesses to disclose the leakage of intellectual property or trade secrets. In fact, it’s detrimental to the stock price of most businesses if they do disclose, making it very unlikely that any are going to willingly tell the public of a breach.

I have an analyst friend who once told me that most Data Leak Prevention (DLP) fails when it comes to the data discovery and identification step in the project. I think in large part it’s because most data classification efforts are started from a technical standpoint and try to shoehorn business processes into a system chosen based on the needs of a security team.

What should be happening instead is that the security teams understand the needs of the business, how the organization creates and manipulates data, then choose the solution that best fits the business needs. Make the selection of technologies one of the last steps.

Continuous review

Finally, the most important part of data classification and protection is the realization that it’s a continuing process, not something that can be done once and forgotten. It requires the enterprise to incorporate data classification into the daily procedures that make the business run. If the business loses sight of where the crown jewels are and why they’re being protected, they might just get stolen next time someone does a raid on the costume jewelry.

 |  |  |  | 
Martin McKeay
Security Advocate

More from Data Protection
November 2, 2023

Defense in depth: Layering your security coverage

2 min read - The more valuable a possession, the more steps you take to protect it. A home, for example, is protected by the lock systems on doors and windows, but the valuable or sensitive items that a criminal might steal are stored with even more security — in a locked filing cabinet or a safe. This provides layers of protection for the things you really don’t want a thief to get their hands on. You tailor each item’s protection accordingly, depending on…

November 1, 2023

What is data security posture management?

3 min read - Do you know where all your organization’s data resides across your hybrid cloud environment? Is it appropriately protected? How sure are you? 30%? 50%? It may not be enough. The Cost of a Data Breach Report 2023 revealed that 82% of breaches involved data in the cloud, and 39% of breached data was stored across multiple types of environments. If you have any doubt, your enterprise should consider acquiring a data security posture management (DSPM) solution. With the global average…

October 25, 2023

Cost of a data breach: The evolving role of law enforcement

4 min read - If someone broke into your company’s office to steal your valuable assets, your first step would be to contact law enforcement. But would your reaction be the same if someone broke into your company’s network and accessed your most valuable assets through a data breach? A decade ago, when smartphones were still relatively new and most people were still coming to understand the value of data both corporate-wide and personally, there was little incentive to report cyber crime. It was…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature