Most organisations already have more information than they can handle and the rate at which this is expanding is staggering – yet many are struggling to understand exactly what that data is, and how to control and manage it. Failure to put the right policies and procedures in place can lead to chaos, whereas the most successful businesses know exactly where their data resides – cloud, hypervisors, storage devices etc. – and therefore what really matters and must be retained.
Which brings us to a basic, and critical, misconception about data: more is not necessarily better. Not all data is created equal, even though it is often managed as if it were! Too many organisations assume that, if the data is already within their walls, it must be performing some valuable function, so they deal with this by buying in more infrastructure. This is not a good idea. Why? Because all of the ‘dead data’ within their remit – the unidentified, unclassified information – simply spreads its tentacles, wearing down the organisation. That data does nothing to drive the business, but simply sits in the passenger seat, taking the business for a ride.
The alternative is far more attractive and beneficial: to transform the data they hold so that it becomes the true lifeblood of the organisation, instead of clogging up its arteries. That means having some manageable form that works into the volumes where the data is created, identifying what matters – and needs to be properly protected – and what can be discarded. Unless an organisation gains such insights, it will be at the mercy of any attacker who might penetrate its defences and gain access to its rich (i.e., valuable) data.
On top of that, there is the upcoming EU General Data Protection Regulation (GDPR) that everyone needs to be aware of, especially where that relates to personal data and how that flows across an organisation. Compliance and the legal implications of data are thus all the more important. Businesses found to be non-compliant could be hit with fines of up to 1 million EUR or 2% of annual worldwide turnover (Source: Data Center Journal).
So, rather than slapping a ‘Company Confidential Data’ label on everything, enterprises need to be thinking about what their data is, and its value or otherwise, employing the right analytics to gauge its sensitivity and true value. Equally, when the results of such analysis come through, do they have the appropriate controls over such results in place? Unless they do, the analysis may well be compromised.
A common complaint I hear is that having proper and full control over today’s burgeoning data is just too hard to achieve. One reason many organisations see data this way is that they start from the wrong position: with the technology. Instead, they should start by pinpointing what data really matters and how they are going to use it. Data classification not only creates the right levels of access when applied across the business, it also prevents over-restrictive practices. Only when they have taken proper ownership of their information should they turn to prevention and blocking.
Organisations also need to be mindful of the IT-business conundrum. IT may be looking at data without understanding the wider needs of the business, while the business may see it more as ‘an IT thing’. Really, IT should be providing the tools and the business the insight. The processes in place must therefore make it easier for the business to make decisions, without expecting it to become a technology expert. This approach works well with Symantec’s own technology, which is tightly built around business process.
A final thought: the reason that Data Loss Prevention (DLP) projects have failed is often that people have started with the technology, imagining this will solve their problems by telling them what data matters to them. But really technology is an enforcer. What organisations must do first is acquire a deep understanding of what their data actually is and how that should be processed. Technology, important as it is, should be the last stage.
I look forward to your thoughts on this topic.