How to Stay Out of the Headlines with Protective Marking

All organizations can take a leaf out of the Government’s book and use data classification to safeguard information, says Colin Tankard, MD of Digital Pathways

All organizations handle sensitive and confidential information that provides them with a competitive advantage. The need to secure that information is more pressing than ever, given both the growing sophistication of criminals, for whom such data is a goldmine, and increasingly prescriptive mandates demanding high levels of information protection.

Governments have long demanded that the information held by their agencies be adequately protected and many have laws in place that restrict access to only those individuals with proper authorization. In some countries, such as the US, data is classified into three levels – top secret, secret and confidential – along with a fourth category, “for official use only.” In the UK, the classification system, known as the “protective marking” system, has long been divided into six classifications.

Reducing Complexity

However, in an effort to reduce the complexity and confusion surrounding the use of each tier, this has recently been streamlined. As of April 2014, the protective marking system has been changed to contain just three levels of classification – top secret, secret and official. Whilst the system does not specify particular security controls, data owners are expected to assess the risks associated with each piece of information and make decisions regarding who should be allowed to access it.

Organizations can also benefit from using these classifications to safeguard information such as intellectual property and confidential communications. Protective marking is useful for preventing the inadvertent or intentional distribution of classified information to unauthorized recipients.

One recent example where protective marking would have helped is the data breach suffered by financial services firm Barclays in February 2014. Some 27,000 files containing detailed information on customers – up to 200 pages per customer – were exposed in one of the worst breaches in banking history. The breach came to light when a USB stick containing a small portion of the information was handed to a UK national newspaper. If the data had been adequately marked, it would have been easy to sift through the forensic evidence and finger the perpetrator.

Best Practice

Protective marking can help in governance and compliance efforts. Any organization looking to achieve certification with the ISO 27000 set of standards for information security management systems is required to classify its information assets according to their value and criticality to business operations. Examples of protective markings include “confidential” or “restricted” as well as “internal” and “public.”

Even when the use of protective marking is not mandatory, organizations that implement such systems will be better able to manage the risks associated with information access throughout the lifecycle of that information – from its creation to long-term storage and eventual destruction. They will then be able to see and control who accessed what data, what they did with it and what the end result was, providing better accountability for how all information is handled.

This is where publicity surrounding security breaches can actually do some good in terms of raising awareness. According to the Information Commissioner’s Office, two-fifths of incidents reported to the privacy watchdog are caused by inadvertent loss of data. Such breaches can cost organizations dearly in financial terms as well as harming their reputations, causing customers to jump ship. If employees are made aware of the importance of such incidents and how they could potentially be putting their employer at risk through insecure working practices, they’ll be far more likely to toe the line and adapt to changes, such as the use of protective marking.

A Line in the Sand

Deployment of protective marking solutions does not need to be an onerous task. One strategy is to draw a metaphorical “line in the sand” and decide that any document or email produced from that point on must be marked.  Anything created previously is left unmarked unless it is opened, in which case it’ll move beyond the “sand line” and hence will need to be marked.

The process of marking is very straightforward for users. They are prompted to take action and mark the document or email and will not be allowed to save or send if it is not done. This is where some training will be required in order to educate the users as to what may be deemed as “secret” versus “public”. However, in most cases the users fully understand the demarcation of what is sensitive and what is not for the business.

Information is a premium for any organization and keeping sensitive information secure and adequately protected is a must. Wise organizations will implement a strategy of using protective marking now to reduce the risk that they will become the next data breach headline.


Colin Tankard is Managing Director of data security company Digital Pathways, specialists in the design, implementation and management of systems that ensure the security of all data, whether at rest within the network, on a mobile device, in storage or in transit across public or private networks.

