The 11 most common mistakes that derail data classification projects

The 11 most common mistakes that derail data classification projects

__________________________________________________________________________________________________ Janusnet 2

2. Complex classification

Security classification labels are helpful in alerting others to the sensitivity of information and how they should handle it. Your IT system is the same: you need to ‘teach’ it how to recognise each label and what rules apply to each, so it can apply the controls you require. Keep it simple. Choose the technical solution that meets your requirements, rather than opting for all the extra ‘whistles and bells’ that might sound interesting but may not be practical. Remember that every increment of complexity makes the solution less likely to be used by your staff, which will decrease the ROI. Focus on adding features tailored to your business needs, rather than on unnecessary tools for unlikely business scenarios which could waste your organisation’s money and time.

3. No good reason for classification

Sharing information is an essential business requirement. It is important to remember that it is only sensitive information whose sharing should be restricted. Every organisation holds some level of sensitive information - personnel data, a customer database, your price list or intellectual property - it is this information that needs to be secured. Be clear about why you need classifications, how your existing IT infrastructure will handle them, how it will apply the classifications to protect the right material and understand any relevant statutes or regulations with which you need to comply.

In the digital era, more information is being generated than ever before. Assigning security classification labels to your organisation’s information is a highly effective practice to control its increasing flow and distribution. It is also economical and relatively easy to deploy and use. Despite the simplicity of using data classifications, there are eleven common mistakes that organisations can make when introducing a classification project. Explore those common mistakes to help ensure your data classification initiative doesn’t derail in our latest Janusnet Short Tips.

1. Too many/few classifications

Classifications or protective markings should reflect the sensitivity of your information and the likely consequences for your organisation, should it fall into the wrong hands. The markings should also make sense and be easily understood for new hires or temporary staff, so the entire team will use them accurately and consistently.

If you define too many classification categories, users may struggle to decide which to use and they’ll make mistakes. If you define too few, users will make classification decisions more easily, but your system will either be under-protecting or over-protecting your data.

Most organisations, regardless of whether corporate or government, usually have three or four standard data classification levels, including: Not Work (not related to work), Not Sensitive, Confidential and Highly Confidential. This set of classifications is called a ‘schema’.

If you have categories of sensitive information that aren’t equivalent, you can add caveats or qualifiers such as Confidential - Legal or Confidential - Personal Information which will add specificity without adding complexity.

The 11 most common mistakes that derail data classification projects

__________________________________________________________________________________________________ Janusnet 3

5. Allowing exceptions

Applying labels to protect sensitive corporate information affects everyone and everyone needs to be involved - including senior management. Some organisations expect their Executive Assistants to apply data classification yet, exclude the senior executives themselves. This is a high risk situation, as senior leaders often generate the most sensitive organisational information. A data classification system has to be supported and used from the top down. Any exceptions place the whole initiative at risk, practically and in terms of widespread acceptance and use. Make sure you have management buy-in, not just in theory, but also in practice.

6. No policies

You need to be clear about how your staff will recognise and assign the correct security classifica-tions, and how they are to handle information with different classifications.

4. Users don’t understand the benefits

Some technologists get over-excited by all the possibilities of a new solution. Of course it’s exciting! Your new data classification will make a significant difference to your organisation, to the protection of valuable data and to its overall security posture. But don’t expect to simply ‘turn it on’ and that everyone will be ecstatic. Think about it from the user viewpoint: what’s in it for them? How does classification help them do their jobs? Will it make their lives easier? Show them that applying the classification is simple and fast: all they need to do is apply the classification and the IT system will look after the rest. Provide users with examples of real scenarios to help them relate the new system back to their particular situation. Make sure they know the new system will make their jobs easier - and show them the reverse too. Highlight that thinking about each piece of information when handling it, is insignificant compared to the consequences and embarrassment of unwittingly sharing sensitive information.

The 11 most common mistakes that derail data classification projects

__________________________________________________________________________________________________ Janusnet 4

To do this you need clear, published, accessible policies and guidelines around core areas such as: what in your organisation constitutes sensitive and confidential information? And, what is the difference between ‘work’ and ‘non-work’? This is increasingly important in the context of social media. Be specific on why you’re using data classification, especially if it’s to meet a regulatory or legislative need. Government agencies are excellent at this aspect of management, because they usually have a strong culture of information handling. For a good frame of reference, take a leaf out of a government scheme.

7. Using default classifications

Default classifications occur when users allow the system to decide the classification, instead of the user personally assigning a classification. While technically possible, default classifications are not recommended. Problems arise with system-generated classifications because almost all users tend to use the default without question. It is easy and takes no thought. This is the opposite of the desired outcome, which is for everyone to think about each piece of information every time they handle it. Widespread use of default classifications usually indicates the classification framework may not be defined sufficiently clearly.

8. Insufficient support

Effective classification schemas are those that are simple and easily understood, which help ensure consistent, routine use. To meet these criteria, teams should need little training to use the system although they will need an orientation to, and guidelines about, your classification levels. Even with clear policies and guidelines and a simple system, questions will always arise. It is important to ensure answers are readily accessible, preferably automatically. Your team will want to do the right thing, apply the classifications and get back to work, so make it easy

for them. A useful practice is to provide a pop-up helper for each classification, with a two line text-based explanation. This gives users a real-time reminder to help them assign the appropriate label easily, quickly and accurately.

9. Lack of infrastructure integration

Ensuring your people mark their emails and documents with classifications is one action; and making sure your system recognises it is another. Both are important. Far greater security leverage can be gained from marking a document or email with a classification when you use the same security classifications with your email gateways, Data Loss Prevention (DLP) tools and underlying operating systems. When you assign rules and workflows for handling and alerting information as it passes your security radar, your data classification system will deliver many more benefits. These include automated alerts for incorrect classification, prevention of sensitive information being inappropriately shared and insights to classifications used over time. To skip integrating classifications with infrastructure means the effectiveness of the classification scheme relies solely on user awareness. While essential, users are fallible. The effectiveness of classifications multiplies when user awareness is combined with a security system that actively monitors the flow of classified data. The more advanced data classification systems routinely integrate with security and access management tools, making security monitoring easier and faster to achieve.

__________________________________________________________________________________________________ Janusnet 5

The 11 most common mistakes that derail data classification projects

10. Not knowing what to measure

Measuring the metrics that matter to your organisation is essential across all areas of your operations, including data classification. From the outset, be clear on what it is you want, or need to know, and use existing data sources to deliver insights. For example, do you want to know when someone downgrades a classification? Ideally, you will have control over who can, and can’t do this, and you’ll know when it occurs, too. You may also want to know how much of your information is truly sensitive. If too much, or too little information is classified it might suggest incorrect guidelines or it may indicate inconsistent adoption. Have you considered what forensics might be needed in the event of a data breach? A little planning goes a long way and it always pays to work out the ideal metrics in advance. Be crisp in clarifying the insights you need, and use existing data where possible, to measure the success of your implementation.

11. Too much, too soon

The Pareto Principle (more commonly known as ‘the 80/20 rule’) applies to many areas of work and life, and data classification is no exception. It’s tempting, but sometimes overwhelming, to classify all data from Day One, but that is not actually necessary. Instead, prioritise the areas of data classification with the most significant impact for your organisation. Move sequentially through each priority area to progressively improve the overall security posture. For example, if preventing data loss is the first priority, consider the most likely vulnerability point - email - and focus on that first. Data classification does not have to be all or nothing. Keep it simple, start small and expand thoughtfully, and your data classification practice will be successful, accepted and it will deliver the security outcomes your organisation needs.

About Janusnet

Janusnet and its partners have the expertise to simplify how organisations design, manage and enforce data classification projects. An experienced and knowledgeable software provider, Janusnet offers a range of inexpensive, proven data classification solutions, which are effective in any type of industry. We’re committed to delivering reliable, practical and user-centric solutions that are simple to deploy and easy to maintain. Our customers confidently rely on us for exceptional product quality and consistently high levels of responsiveness and support.

Getting started

For more information and to get started with comprehensive security classification solutions to improve protection of your organisation’s information, visit https://www.janusnet.com/ Or contact us for a chat: t: Asia Pacific: +61 2 8004 9300 Europe: +44 20 3318 0785 Americas: +1 571 577 8004 e: info@janusnet.com