Data Classification as a Cybersecurity Imperative

By Stephane Charbonneau, CTO, TITUS

The need for greater cybersecurity is a given these days, and nowhere is it more important than within the public sector.

The question is how—and where—to increase security in such a way that work is not impeded and constituents can still receive timely service.

Fortunately, one category of security solutions provides strong data protection as it helps to create a culture of security: data classification.

Deploying technology security solutions within a government agency usually involves several components, including secure network gateways, data loss prevention systems and encryption.

But with the rapid explosion of mobile devices that can store gigabytes of data and the easy access to cloud sync-and-share services, it is difficult for technology and IT teams to keep up and ensure that users are not accidentally leaking sensitive information.

It is essential, therefore, that your users understand digital security risks and proper policies for sharing information.

Agencies need a solution that will do three things in order to foster a culture of security:

  1. Educate and remind users about data security,
  2. Empower users to take responsibility for data security and
  3. Enforce security policies to protect users from their own mistakes.

All three requirements can be fulfilled via data classification solutions. Classification applies the email or document classifications as visual markings that clearly identify to the user the sensitivity of the information.

Classification headers and footers in emails, documents, presentations and spreadsheets ensure that users are always aware of the value of the information they are handling.

There can be no, “I didn’t know this was sensitive information” excuses, as the classification is clearly visible on screen or when printed.

Though classification solutions can be configured to apply classification automatically based on a number of content, environment and contextual variables, many agencies want their users to be actively engaged in cybersecurity.

They want their users to stop, think and consider the value of the information they are creating and sharing. This modification to the users’ workflow is negligible from an efficiency perspective but hugely influential from a security culture perspective.

With as little effort as a single click, users become more aware and accountable for the classification of the information being shared. The act of applying classification and seeing it applied by others heightens users’ awareness of data security.

Despite clear policy and good intentions, however, to err is human and mistakes will be made. Some solutions provide a classification policy engine so that users are given the chance to correct mistakes before they happen.

Policy alerts appear before the internal email is sent to unauthorized recipients, before the file is printed to an unsecured location, or before a highly sensitive file is uploaded to an unauthorized cloud storage service.

Policy alerts are sometimes completely customizable to suit the education and workflow requirements of customers.

These alerts can provide details to the user about why the action is a threat, provide automatic remediation or even empower the user to continue with the risky action once the user provides justification.

Government agencies hold the trust of the citizenry in their networks: personal data, sensitive information, even state secrets.

This data must be handled with the utmost care, yet we continue to see instances where an employee accidentally emails an entire database to the wrong person or unwittingly uploads that information to a public site.

To avoid embarrassment and lost of public trust, agencies have the powerful tool of data classification at their disposal. It’s a solution that protects data as in embeds cybersecurity safe practices into an agency’s culture.

About the author:

Stephane Charbonneau is one of the original founders of TITUS, and serves as Chief Technology Officer. His background as an IT Security Architect helps ensure the company’s product suites meet customer requirements. Stephane spent many years as a technology consultant, working with large international organizations in the public and private sector.

For more information visit: http://www.titus.com/index.php