Data is the lifeblood of the digital economy, representing both significant value and significant cost to every organisation, regardless of size or sector.
We became used to talking about it in gigabytes, then terabytes, and now petabytes and exabytes. The volume of data generated keeps growing rapidly, and our governance strategies must adapt to accommodate it.
Organisations which fail to adapt risk losing data and facing the consequences, which range from temporary disruption of business operations to lasting brand damage and serious financial penalties.
People only have to look at the high-profile cases at TalkTalk, Sports Direct and Tesco Bank to see that data breaches can happen to anyone, even global brands that we would expect to have larger security budgets.
This is because, just as data is the lifeblood of our digital economy, it is also the currency that makes the criminal world go round. As the amount of data increases, so too does the number of cybercriminals ready to profit from the digital misfortune of others.
Stealing data has become a lucrative business: it requires a relatively low skillset, can be targeted at any organisation from anywhere in the world, and offers extremely high returns with relatively low consequences compared with traditional crime.
If that isn’t reason enough to make you re-evaluate your data governance strategy then maybe this is…
Regulation such as the General Data Protection Regulation (GDPR), which is due to be enshrined in UK law, mandates governance for certain types of data, such as personal information.
Non-compliance is a serious business issue which, from 25 May 2018 when GDPR applies, could cost you up to 4% of your annual global turnover or €20 million, whichever is higher.
So, by not governing your data properly, you are not only playing into the hands of those looking to use it against you; you are likely breaking the law and, from next year, you are also risking significant reputational damage and potential financial ruin.
Okay, so it has been established that a data governance strategy is not optional, but how can we go about building one?
To govern data you need to begin with the three ‘W’s: the ‘where?’, the ‘what?’ and the ‘who?’
In your governance strategy, you need to consider:
Data discovery (the ‘where?’)
Organisations need to understand where their data is. This is not just related to structured data sitting in databases and CRM systems.
Within your plan, you will also need to think about the unstructured data within your organisation: a client list in Excel sitting on a laptop, a credit card number being processed through an EPOS system, or HR data sitting on a backup tape. None of these would necessarily come to mind at first, yet each is a potential point of breach, so each must be discovered before it can be protected.
Data classification (the ‘what?’)
Next up is classification. Classifying the discovered data is essential for enabling policy-based control. Each organisation is different, and so it stands to reason that each organisation will generate different types of data, all of which need to be defined and categorised so that they can be controlled.
Data control (the ‘who?’)
Technology is required to control who can actually access the data that you have discovered and classified. With an adequate system in place, you can also control how the data is used and for how long it is retained.
It is important that a consistent control policy is applied across the whole environment, and that any policy violations are visible and carry enough context to determine the nature and extent of a breach.
In other words, when it comes to data you need to know where it is, what it is and who has access; you need to build yourself a data map. Data discovery and classification are the starting point for any data governance initiative because, quite simply, you cannot protect what you cannot see and what you do not understand. Then you must implement some form of control.
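The three steps above are described at the governance level. As an added example, not code from the article or from Logicalis, the Python below shows what discovery, classification and control look like when reduced to code: it scans a handful of constructed sample "locations" (standing in for the laptop, EPOS journal and backup tape mentioned above) for card numbers, e-mail addresses and UK National Insurance numbers, builds a data map keyed by location, and applies a deny-by-default role policy to the result. The file contents, the PCI and PII labels, the role names and the access policy are all assumptions made for the example. Two details a practitioner would want are included: candidate card numbers are confirmed with a Luhn check so that 16-digit order references are not reported as PANs, and any finding is masked so the scanner's own report does not become a second copy of the sensitive data.

```python
"""Toy data discovery, classification and control pass.
Added example, not the article's own tooling; all sample data is constructed."""
from __future__ import annotations

import re

# Detectors for the classification step. Illustrative only; real tooling uses
# many more patterns plus context such as column names and file types.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, spaces/dashes allowed
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# UK National Insurance number, format check only (valid prefix letters, A-D suffix).
NINO_RE = re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2} ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b")

# Control step: which roles may touch each classification. Deny by default.
# Labels and role names are assumptions for the example.
ACCESS_POLICY: dict[str, set[str]] = {
    "PCI": {"payments"},
    "PII": {"hr", "payments", "sales"},
}

# Constructed sample sources standing in for the locations the text mentions.
# Nothing here is real data: 4111... is the standard test card number.
SAMPLE_SOURCES: dict[str, str] = {
    "laptop-07/clients.xlsx":      "Acme Ltd,jane.doe@example.com,4111 1111 1111 1111\n",
    "epos-02/journal.log":         "2017-05-02 ref 1234 5678 9012 3456 approved\n",
    "backup-tape-3/hr_export.txt": "J Smith, NI AB 12 34 56 C, start 2015\n",
    "fileshare/minutes.txt":       "Q3 planning meeting notes\n",
}


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test. A 16-digit run that fails it is almost certainly
    an order or reference number rather than a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits when reporting a finding."""
    return "*" * (len(digits) - 4) + digits[-4:]


def classify(text: str) -> set[str]:
    """Classification (the 'what'): labels that apply to one piece of content."""
    labels: set[str] = set()
    for match in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            labels.add("PCI")
    if EMAIL_RE.search(text) or NINO_RE.search(text):
        labels.add("PII")
    return labels


def build_data_map(sources: dict[str, str]) -> dict[str, set[str]]:
    """Discovery plus classification (the 'where' and 'what'). Locations that
    hold nothing regulated are left out so the map stays focused."""
    data_map: dict[str, set[str]] = {}
    for location, content in sources.items():
        labels = classify(content)
        if labels:
            data_map[location] = labels
    return data_map


def access_allowed(role: str, labels: set[str]) -> bool:
    """Control (the 'who'): a role must be authorised for every label on the
    item. An unknown label denies access rather than silently passing."""
    return all(role in ACCESS_POLICY.get(label, set()) for label in labels)


if __name__ == "__main__":
    data_map = build_data_map(SAMPLE_SOURCES)
    for location, labels in sorted(data_map.items()):
        print(f"{location}: {sorted(labels)}")
    for role in ("sales", "payments"):
        print(f"{role} -> clients.xlsx:", access_allowed(role, data_map["laptop-07/clients.xlsx"]))
```

Running it lists only the laptop file (PCI and PII) and the backup tape export (PII); the EPOS journal drops out because its 16-digit reference fails the Luhn check, and the meeting minutes never enter the map. The policy check then refuses the sales role access to the laptop file because it carries a PCI label, while the payments role is allowed.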
Once you have built this data map, there are a couple of other things to consider:
Regulation and legislation, especially the fast-approaching GDPR, can be open to interpretation until legal precedent has been set. The documentation itself is often wordy, but it is important to understand the likely legal ramifications of non-compliance.
Really, compliance and data governance are co-dependent: data governance is a prerequisite for compliance, and compliance is the main driver for data governance. Focusing on a robust and far-reaching governance strategy rather than a piecemeal response to individual compliance requirements reduces the overall cost and effort of compliance.
It is also important to consider which systems, sites and networks should be subject to data governance. If sensitive data does not exist in certain domains, narrowing the scope of your strategy to exclude those domains reduces the complexity and cost of the overall plan, saving both time and money. That exclusion is only safe, though, when discovery has confirmed the absence of sensitive data rather than assumed it.
The truth is that each organisation, and each organisation’s data, is different and therefore no two data governance plans will look the same. However, not having some sort of plan in place is no longer optional. Think about it: if data is the lifeblood of your organisation, can you really afford to leave it ungoverned?
Sourced from Alastair Broom, security practice director, Logicalis UK