It is extremely difficult, in a digital-enabled world, to keep track of all the data your organisation creates and gathers every day.
IBM calculates that nine-tenths of all the data in the world has appeared in the past two years alone. Others believe that we will live on a planet that contains 40 zettabytes of data by 2020 – which we estimate would be enough reading material to fill 50 billion human lifetimes.
So how do you find your crown jewels and your most sensitive data among those bytes? What constitutes high-, low- and medium-risk data? And against which cyber threats – from state-sponsored agents at one extreme to disaffected teenagers on the other, with organised criminals, disgruntled employees and ‘hacktivists’ in between – should you prioritise defence?
First of all, it is unrealistic to try to rank every spreadsheet, archived email or data file your organisation holds. And you cannot fully automate the process: there are tools that support data management and e-discovery, but human judgement is always required at some point. Ultimately, you need to ensure that your senior managers and risk personnel actively consider the different kinds of data they own – this way, they can isolate the assets that need to be looked at more closely.
“We’ve created questionnaires so our personnel can make a decision themselves,” says the VP of technology at a global bank. “It’s subjective. At the end of the day, it’s a person making a decision.”
In the following chapter, we recommend practical ways to ensure that your employees engage in this activity. But what should they be flagging?
Many organisations adopt a dynamic model that evaluates data according to confidentiality, integrity and availability (CIA), and can be tailored to reflect changes in the data’s importance or relevance over time.
“Board strategy papers are confidential until the time they go public and need to be protected,” says Manu Sharma of Grant Thornton UK, explaining the CIA approach. “For integrity, the information may be available to everyone but it has to be accurate – the share price from the New York Stock Exchange is a good example. Availability is whether people who need the data can get it and use it, like marketing lists.”
Another way to identify your most critical data-related risks is to think like a hacker and then consider the maximum damage they could cause.
“The current environment of information security is consistently evolving with new threats and vulnerabilities”, says Vishal Chawla of Grant Thornton US. “Leaders have to be willing to step into the shoes of cyber criminals, understand the threats these groups pose and come up with proactive strategies to protect their business’ interests.”
Which email threads could a former employee leak to embarrass their former managers? What intellectual property and trade secrets would be of interest to a foreign power? And how might a cyber criminal use your data to try to extort money from your business? These are just some of the questions you need to ask.
