Why Data Classification Should Not Depend On Users

Written by 
April 12, 2021

If your company is manually classifying any data, you've already lost the data security battle. Data security is reliant on classification, but data classification is unreliable today because it relies on users.

Users tag or label files with common values like "public," "internal," "confidential" and "highly confidential," and solutions like data loss prevention, rights management and information protection all rely on some form of tag. This type of classification is very fragile because data is always in motion. What is important today might not be important tomorrow. What is not sensitive today might become sensitive in the future.

To get a sense of this problem, let's walk through a simple data classification workflow with manual user-based classification. An employee creates a generic project template and classifies it as public. There is no confidential data within the template. Another employee starts to use the template for a client and populates it with customer-specific information. The employee should change the classification to "internal."

Maybe the classification change occurs. Maybe it doesn't. The risk to the company is low at this point, but not zero. As time passes, employees could add more and more data to the file, including login credentials and account numbers. Has the file been reclassified as Confidential? If there are multiple versions of the file, have all instances of the file been reclassified correctly? There are too many opportunities for classification to fail. The risk to the company is now high.

The weakest link in the classification process is employees. Even diligent employees make mistakes. Many companies implement different security processes for files with "confidential" or "highly confidential" tags, such as not allowing them to be sent via email or stored in the cloud. These processes create additional workflow friction for employees. Employees do not have the incentive to classify data correctly.

Removing employees and the human element from security is the answer. Instead of relying on employees to follow procedures and evaluate data correctly, companies should consider security solutions based on automated classification. A popular marketing term for these types of solutions is data-centric. Like most marketing terms, companies bend the definitions as needed to fit their positioning and solution.

Regardless of what you call it, companies should look for data security solutions that do not require end users to be part of the security process. Authorized users should continue working without knowing security has validated their actions, while the system blocks unauthorized users from accessing secured data.

Security solutions need to focus on the data. Instead of relying on users to update classification based solely on the perception of what type of data is in a file, you should base security decisions on immutable values such as data content itself.

Returning to our previous example, the employee still copies and pastes login credentials and account numbers from a previously secured, confidential file. In this case, however, the security solution recognizes that the data originated in a confidential file and automatically changes the second file's classification to confidential, all without any input from the user.

Even if the employee copies the file or creates a new version via "save as," the resulting file will be classified automatically. Now security is working automatically without any input from users.

In short, to win the data security battle, companies must first classify data correctly. Here are some tips to ensure your data security is successful:

• Remove end users from the security process. Users should not be deciding on data classification.

• Security needs to be transparent to authorized users. If not, they will find alternative workarounds to stay productive.

• Base classification on immutable values such as the content of files. As the content changes, the classification or label needs to change automatically.

• Do not rely on filename or metadata for classification.

• Look for data security that identifies content such as regulated data types and sources. Types can be personally identifiable information (PII), Payment Card Industry (PCI) and personal health information (PHI). Sources can be all data that originates from a SaaS service like Salesforce or Workday or from a centralized file server.

• Ensure classification occurs in real time, not through a nightly rescan of the computer.
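
The following Python example is added here to illustrate the content-based classification described above (labels that follow pasted data and regulated data types, with filenames ignored); it is not code from the article or from any product. The class and function names, the five-word fingerprint window and the sample strings are assumptions constructed for the illustration.

```python
import hashlib
import re

LEVELS = ["public", "internal", "confidential"]  # ordered low to high
SHINGLE = 5  # words per fingerprinted window (assumed value)
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")  # card-number candidates

def fingerprints(text):
    """Hash every SHINGLE-word window so a pasted passage is recognisable."""
    words = re.findall(r"\w+", text.lower())
    windows = (words[i:i + SHINGLE] for i in range(len(words) - SHINGLE + 1))
    return {hashlib.sha256(" ".join(w).encode()).hexdigest() for w in windows}

def luhn_ok(digits):
    """Luhn checksum, which valid payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def has_card_number(text):
    """True if any 13-19 digit run in the text passes the Luhn check (PCI data)."""
    return any(luhn_ok(re.sub(r"\D", "", m.group())) for m in PAN_RE.finditer(text))

class ContentClassifier:
    """Labels a file from its content only; filename and user tags are never inputs."""

    def __init__(self):
        self.known = {}  # fingerprint -> highest level it was seen under

    def register_source(self, text, level):
        """Record content that originates from a source with a known level."""
        for fp in fingerprints(text):
            prior = self.known.get(fp, "public")
            self.known[fp] = max(prior, level, key=LEVELS.index)

    def classify(self, text):
        """Return the highest level implied by data type or by inherited content."""
        level = "confidential" if has_card_number(text) else "public"
        for fp in fingerprints(text):
            level = max(level, self.known.get(fp, "public"), key=LEVELS.index)
        return level

# Constructed sample data: a template, a secured source, and a derived file.
TEMPLATE = "Project plan template. Goals, milestones, owners and open risks go here."
SECRET = "Admin login for the billing portal is svc-billing with passphrase example-only-value"
DERIVED = TEMPLATE + " Notes: " + SECRET
```

Classifying `DERIVED` before `SECRET` is registered yields `public`; once `SECRET` is registered as confidential, the same text yields `confidential`, while the unmodified template stays `public`.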

By adhering to these tips, companies can ensure that the data classification is credible and reliable. Classification decisions are critical to the data security process, and data classification historically has let companies down.

Original Forbes Article
