Do you know what kind of confidential information moves between your company and the outside world? If not, I recommend finding out without delay – your company’s information security can be ensured only when the protected information is identified.
The goal is to find a balance: security systems that are more robust than needed consume resources unnecessarily, while failures in protecting the company's business-critical information expose the company to severe consequences.
The business environment is becoming more challenging, and threats evolve with it. A huge amount of confidential information moves between the company and its customers, partners and suppliers. The company is also ultimately responsible for ensuring that the whole subcontracting chain processes its information in an appropriate manner.
Failure to protect confidential information leads to significant business and reputation risks. Not all data that moves electronically needs protection, however. Some of this information is public, some of minor importance, and resources should not be spent protecting it. From the information security point of view, the most important thing is therefore to identify the business-critical data.
The confidentiality of information must be considered from the organization's perspective, from the customers' point of view, and with data protection law taken into account. The coming EU Data Protection Regulation will increase data protection obligations and responsibilities and introduce sanctions. Data protection failures will be able to lead to significant financial sanctions: the draft text discussed at the time of writing proposed fines of up to 5% of company turnover, and the regulation as finally adopted (the GDPR, Regulation (EU) 2016/679) caps them at 4% of worldwide annual turnover or EUR 20 million, whichever is higher.
Does everyone in your organization know what information is critical? If identifying confidential information is still a work in progress in your company, do the following:
1. Map the data.
Go through the data handled in the different business functions. Find out who deals with confidential information and with whom it is exchanged. Also consider what information can be assembled from small, individually harmless pieces into large and critical entities: an aggregate can be far more sensitive than any single record in it. The example picture helps to identify the data to be protected.
2. Identify the responsibilities and obligations.
Data protection is governed by, among other things, legislation, agreements, NDAs, data protection provisions, internal guidelines, users' expectations and the promises made to customers. What obligations does your business have to protect information?
3. Assess the risks.
What happens if the information reaches outsiders? Assess the significance of each kind of information and the effect its leakage would have on your business.
4. Define security levels.
Set the security level and the required protection according to the criticality of the information. Roll the resulting practices out to all personnel with written instructions.
Identification of confidential information is the starting point for information security planning. Protecting it requires appropriate technology, practices and a supporting corporate culture. The company's business-specific characteristics must be taken into account when planning the solutions, and usability is essential: a control that is too cumbersome will be bypassed. Make sure that the selected solutions are actually in use – this is the only way information security becomes a reality.