One of the most significant concerns in today's corporate environments is the risk of confidential information being leaked or shared without authorization. This exfiltration of confidential information is known to occur not only through unauthorized access by an external agent, but also through the actions of a malicious internal collaborator.
Some companies face this problem more acutely than others, particularly those involved in creating, developing, or enhancing products or services, where proprietary knowledge holds critical business value. However, it is surprising that even in the present day, some medium and large conglomerates only begin to appreciate the importance of information security after experiencing the detrimental consequences of improperly sharing confidential data.
The news outlet Isto É Dinheiro published an article titled "Information Leakage: my former employee took information from my company. What now?" (free translation) on September 13, 2019, authored by attorney-at-law Gisele Truzzi. The text explains the main risks that companies are subject to when losing employees to competitors, as they can intentionally share data, in an improper and unauthorized manner, with the new employer, sometimes in exchange for a generous payment. There are cases in which the employee may also take advantage of the data in favor of their own business.
The fact remains that, even before addressing concerns about information security, proper classification of the information itself is essential. Data classification certainly brings the following advantages:
ADVANTAGES OF CLASSIFYING DATA
1. Improved confidential data protection.
2. Modulation of information security systems, depending on the data which will be protected.
3. Customization and optimization of resources to be allocated.
4. Facilitation of internal alignment regarding the critical level of data.
5. Facilitation of data mapping within the organization.
When discussing data classification, the immediate associations are labels like "public," "confidential," "restricted," "secret," "top secret," and so forth. While there are highly effective information security tools available on the market that can classify data using various labels, practical experience has shown that the age-old saying holds true: "Perfect is the enemy of good." In other words, the simpler the labels are, the easier they will be to apply, store, map, and require fewer resources for management.
One of the most used set of software in the world, Microsoft's Office 365, employs document classification generated by applications such as Word, Excel, PowerPoint and even for e-mails sent via Outlook.
However, it is important not to confuse the user's subjective classification expressed through labels with the classification of the labels themselves. The success or failure of proper data classification hinges on the subjectivity involved in classifying data.
Although data classification can be approached using various criteria, three main types are commonly utilized. Therefore, it is crucial for company employees to receive appropriate training to understand how the labels should be applied based on the relevant classification criteria adopted by the organization.
DATA CLASSIFICATION TYPES
1. Content-based – according to the critical level of the information contained in the data, the subjective classification is attributed according to the value judgment of the collaborator who labels it.
2. Context-based – according to the critical level of the information attributed by the company to a certain area, to certain projects, etc.
3. User-based – according to the critical level of a given user, as a result of them dealing with information with a higher level of confidentiality or not.
At any rate, data is dynamic and produced virtually every second within an organization. Therefore, any data classification initiative must consider both the existing data and the classification of data that will be generated moving forward.
