Is it time for security to go back to basics?

Tim Bandos, Vice President of Cyber Security, Digital Guardian discusses how companies should and can go back to basics to ensure critical data is properly secured. 
Let’s face it, there are still too many situations that prove data remains woefully insecure. Long gone are the days when all but the biggest data breaches would make the headlines of non-IT press.
That’s because we’ve become increasingly desensitised to security stories. Today, it takes something huge to turn heads. Whether it’s 300,000 files and directories stolen by a former Tesla employee or the 600 million Facebook passwords ‘hidden’ in plain text, only these most egregious lapses in data security seem to set alarm bells ringing.
But with new data privacy legislation regularly arriving on an international and regional level, we’re entering a new era of accountability – as least as far as governments and regulators are concerned. But this should also mark a point in time where businesses need to get back to basics to radically improve their security success rates.
‘Back to basics’ begins by understanding everything about your data – where it is, how it flows throughout the organisation, who can access it and who can share it. It’s a starting point understood by most, but then ignored by many.
But without that foundation of knowledge, organisations can’t properly classify data and know what files, documents, or intellectual property would be at the greatest risk if compromised. If you don’t know what you’ve got, how can you protect it? But, by implementing a data classification strategy and using tools to break down what sensitive and non-sensitive data exists, organisations can bring some much-needed structure to their data protection strategy.
But how does this work? Generally speaking, data can be classified in a number of key forms: restricted data (if released, it could have a long-lasting, damaging outcome to a company), confidential (it needs to be protected from unauthorised access and contains moderately sensitive information), or public (it’s okay to share publicly and largely non-sensitive in nature).
After data has been classified, companies should ensure the appropriate security controls are in place on a user level, to safeguard it against theft. Policy controls ensure that data can’t be altered, lost, or stolen by malicious, or in some scenarios, well-meaning employees. Trust is really important, but organisations aren’t doing their duty if they overlook the potential for carelessness on the part of employees, because negligent workers have, historically, been among the leading causes of corporate data loss.
But, one of the big challenges for businesses is that all this data rarely exists solely on the corporate network in one convenient space where it’s easy to analyse and manage. Data is free flowing, it lives on laptops, tablets, mobile phones, remote offices, and the cloud. So, not knowing where data resides can have other consequences, like increased third-party risk, employee data theft, or non-compliance.
Also of interest: “Human beings have an exaggerated view of their ability to manage risk” – Craig Rice, CSO at BACS and Faster Payments