Data protection is a complicated endeavor that can make businesses shudder. This is not surprising, given the constant and exponential increase in data, the difficulty in tracking all of it, along with the various regulatory requirements and standards that organizations need to comply with.   

However, there’s no backing off from the issue and it’s best to tackle it head-on. If you’re just getting started, implementing comprehensive data protection will likely require you first to take stock of your data, and classify it according to its importance and status.  

These initial steps may seem very difficult and they can be, depending on the amount of data you have. Yet, they will significantly help you determine the best ways to protect the various types of data that you store. That said, here’s what you need to know about how to approach data discovery, data classification, and data protection! 

First things first: data discovery 

Data discovery is the process of locating and indexing the totality of an organization’s data in all of its forms: structured, semi-structured, and unstructured. It is the first step in the process of data protection because without adequate accounting for the data, it’s impossible to protect it.  

This process typically goes through several different stages that can roughly be summarized as: 

  • Preparing the data: discovery begins by aggregating the organization’s raw data from all possible sources, filtering out the noise, and merging it into usable sets 
  • Visualizing the data: this step helps in the process of making sense of the different data streams and the relationships between them 
  • Analyzing the data: in this final step, analytics and reporting tools can be applied to summarize the findings during the discovery process and come to meaningful conclusions and decisions about how to handle the data 

Ideally, the discovery process results in a system, such as a systematic data lifecycle approach, that continuously surfaces data and helps, in the long run, to organize and protect it in efficient ways. 

Classifying data to determine what measures to take 

Technically, discovery and classification frequently occur together, rather than as separate steps. Yet, for the purpose of greater clarity, they are presented as separate here. 

Once the process of discovery is complete, you can proceed with classifying the data. This will help you determine what types of data you are working with, and what level of security they require. It will also help you eliminate duplicate versions, which can be a source of leaks and take up unnecessary storage.

Data can be classified in a number of ways with the three most prominent being: 

  • Content-based: classifying data according to the type and importance of the content it holds 
  • Context-based: this classification relies on metadata such as application, location, creator tags, creation and modification dates, and other inputs as ways of determining its status 
  • User-based: data can also be classified manually by a user who determines how important and sensitive it is, based on what they know about the data 

After you have classified data in one of the above ways, the next step is to determine what the effects would be if it were compromised. Accordingly, you can further classify data as public, private, and restricted to denote its importance and the risks associated with it. 

Certain types of personal information, such as one’s full name, are frequently publicly available and are unlikely to carry a great risk if revealed. Other types, such as one’s health records, financial information, or authentication information, can cause harm if revealed and must therefore be secured with additional measures.
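The sketch below shows how content-based, context-based, and user-based signals can be combined into the public, private, and restricted tiers described above. It is an added example, not code from the original article or from AMATAS; the regex patterns, the metadata fields (`path`, `owner_label`), and the tier rules are assumptions chosen for illustration.

```python
from __future__ import annotations
import re

TIERS = ["public", "private", "restricted"]  # least to most sensitive
# Content-based detectors (assumed, deliberately small rule set).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
SECRET_RE = re.compile(r"(?i)\b(password|passwd|api[_-]?key|secret)\s*[:=]\s*\S+")
HEALTH_RE = re.compile(r"(?i)\b(diagnosis|prescription|medical record)\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str, meta: dict) -> tuple[str, list[str]]:
    """Return (tier, reasons) from content findings plus context metadata."""
    findings = []  # list of (tier, reason)
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("restricted", "content:payment_card"))
    if SECRET_RE.search(text):
        findings.append(("restricted", "content:credential"))
    if HEALTH_RE.search(text):
        findings.append(("restricted", "content:health"))
    if EMAIL_RE.search(text):
        findings.append(("private", "content:email"))
    # Context-based: storage location taken from metadata (assumed field).
    if meta.get("path", "").startswith(("/hr/", "/finance/")):
        findings.append(("private", "context:path"))
    # User-based: an owner's label can raise the tier but never lower it.
    if meta.get("owner_label") in TIERS:
        findings.append((meta["owner_label"], "user:label"))
    tier = max((t for t, _ in findings), key=TIERS.index, default="public")
    return tier, sorted({r for _, r in findings})

# Constructed sample records (not real data).
SAMPLES = [
    ("Invoice paid with 4111 1111 1111 1111", {"path": "/finance/inv.txt"}),
    ("Order ref 4111111111111112 shipped", {}),  # fails Luhn, stays public
]
if __name__ == "__main__":
    for text, meta in SAMPLES:
        print(classify(text, meta))
```

The most sensitive finding wins, and the returned reasons record which signal drove the label so a reviewer can audit the decision.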

These classifications do not exhaust the process. Once you have ordered your data in the above ways, you can also think about data flows and data use to start narrowing down on the specific protection methods that you should implement.  

Moreover, protection is also determined by vulnerabilities and risks that are inherent in how data is handled, rather than simply by the type of data. Data that is stored on-premises will require a different type of protection than data that is stored in the cloud.

Finally, data protection is also determined by regulatory requirements that you need to comply with. These will also determine the specific measures you will adopt for one or another set of data. 

Protect your data intelligently 

According to the 2022 Verizon Data Breach Investigations Report, payment card data continues to be the most breached type of data, followed by PII and authentication credentials. At the same time, most breaches are still due to “the human element”, i.e. successful phishing attacks, stolen authentication data, or errors (actually a major factor).

So while data protection is certainly much more complex, there are a few security principles that are meaningful to implement and that can significantly reduce the possibility of breaches. These include:

  • Implementing a Zero Trust model that requires ongoing validation on the part of users in order to avoid leaving too many doors open 
  • Introducing an Identity and Access Management (IAM) system to assess attempts at accessing your organization’s network in an ongoing way, regardless of the party that wants to access it
  • Developing a comprehensive plan for data disposal that regularly either moves disposable data offline or completely disposes of it 
  • Introducing anonymization or pseudonymization, along with good encryption and tokenization, to obfuscate data and make it harder to decrypt and exploit, in the case of compromise 

These are only some of the main data security approaches that make sense for you to consider when planning your data protection strategy. Moreover, if your company does not have the manpower to take care of all of your data protection needs, you can also consider making use of a Virtual Data Protection Officer (DPO) service like the one offered by AMATAS.  

A Virtual DPO will allow you to work with a trusted and specialized security partner in protecting your data while not having to hire a whole team for the purpose. They will support you in your data discovery and classification efforts, as well as in picking the best approach toward caretaking your data, based on its status.  


Ralitsa Kosturska in AMATAS