Why Don’t Companies Recognise Sensitive Data When They See It?

Data Security

A report says IT professionals in 25 per cent of firms claim a lack of understanding about how to classify and manage their data. This is a common problem in most major organisations and is compounded by the steadily increasing volumes of data that must be managed.

The results of the survey – which found there is limited or no understanding of the difference between sensitive information and other data at many of the firms – show that education on data governance issues now needs to extend well beyond IT security.

Managers and financial professionals need to understand that data governance is now a key requirement of most legal and regulatory issues in large organisations, many of which are struggling to keep pace with the surge in data volumes, as well as the increasing demand for collaboration.

The situation is compounded by the fact that around 80% of data held by major companies is unstructured. My observations suggest that, in many major companies, fundamental controls for unstructured data protection are simply not being implemented or maintained, and without those controls the companies don’t know who is doing what, when and where with all that valuable data.

The Protiviti study found that, whilst 69 per cent of companies in the study believe they have a clear data classification policy for categorising data as sensitive, only 50 per cent actually have specific plans for classification. As the report concludes, this suggests there is a possible gap when it comes to data management.

Actually, I would go further than this. I would say that the results of this survey confirm our own observations that data management is fast becoming a number one concern in major enterprises. The bottom line here is that a growing number of organisations have hit a wall with regard to traditional data leak prevention technologies. Without fundamental controls that can supply critical context about data usage and access controls, it’s very difficult to move a data classification project much past identifying a lot of files that contain specific patterns.

Small wonder, then, that 27 per cent of the respondents in this survey had no – or were unaware of the existence of – a crisis plan for a hacking or data leakage incident.

The good news is that effective data governance and automation not only classify sensitive data, they also quantify risk by identifying exposed sensitive data, get the right people involved by identifying data owners, and provide automated recommendations on steps to reduce risk.

As many IT security professionals are discovering, there is no silver bullet when it comes to data classification and security. Effective data governance starts with – as this report says – improving the differentiation between ‘sensitive’ data and other information.

As the report suggests, companies can significantly reduce their legal, regulatory and reputational risks by implementing appropriate data security policies and practices. Even with the explosive growth in corporate data, which we have tracked at around 650 per cent every 5 years, it is now perfectly possible to control your organisation’s data without lying awake at night worrying about it.


David Gibson has been in the IT industry for more than 15 years, with a breadth of experience in data governance, network management, network security, system administration, and network design. He is currently Director of Technical Services at Varonis Systems where he oversees product marketing and positioning. As a former technical consultant, David has helped many companies design and implement enterprise network architectures, VPN solutions, enterprise security solutions, and enterprise management systems. He is a Certified Information Systems Security Professional (CISSP).