Business Reporter

American View: It’s 7 am … Do You Know What Your Sensitive Information Is?


How do you effectively protect your sensitive information when you have no idea how much protection any given document or record requires? This is a critical issue that every organisation must address before they can create a meaningful protection regimen … and one that most small and medium businesses aren’t.


This issue came up over dinner a few weeks ago. Weird, I know, but none of the adults in my social circle are interested in sports and no one wants to talk politics after … everything … so we tend to talk about work. Four of us were waiting for our entrees to arrive when I asked my companions “How do y’all classify your records?”


After the expected response of “What the hell kind of question is that?” my pal who works in logistics scheduling shook his head and admitted that his employer doesn’t even have an information classification scheme. “We don’t have any tiers or categories. We just … do work.”


I nodded and asked “Don’t you have any content that can’t be shared with the public? Contracts? Vendor data? Financial account data? Trade secrets?”


He took a sip of beer and shrugged. “If we do, I’ve never been told about it?”


“Doesn’t your company have policies around security?”


“Oh, sure,” he said, “but those are for managers. We’re line workers; we don’t have to read policies. In fact, we’re not even allowed to.”

How dare you take an interest in protecting our business, you crucial but low-status wretch!

I gave him a horrified look then asked the next fellow — a warehousing supervisor — the same initial question. His answers were nearly identical. “We get trained on security every year. Mostly stuff about phishing. But we don’t have any secrets … from what I’ve been told.”


I pointed out that his company does direct sales to individuals and to corporate buyers. Don’t they have tons of customer credit card data? He shook his head. “Sales does; we don’t ever see any of that. All we get is order info and an address to send stuff to after the payment’s been worked out. We can’t access anything else about a customer.”


I nodded and turned to my last companion. She was ready with her answer before I could ask it.


My third dinner companion is a teacher. I know she’s required to take a bunch of recurring security training. She confirmed that all student data must be protected by all district personnel. No unauthorized sharing, no exposure, etc. was allowed except to the parents or guardians of record. So, they had “protected” information. 


I asked if their student-related content had a formal classification scheme, and she said “no.” How about marking? Like, how is she supposed to know if an email she gets through the school system contains student information? “You just know,” she said. 


I advised my friends that their employers were all operating in dangerous territory. Every business has some kind of information that will, if lost, stolen, or compromised, harm their organisation. It’s all well and good to trust seasoned, mature employees to know the difference between protected and unprotected content so long as (a) no one ever makes a mistake, (b) no one is ever tired or distracted, and (c) no one outside the circle of seasoned, mature employees can ever see or handle company information. 

Good thing no one ever gets sick, overloaded, or terminated in a small or medium business. Nope. Never happens.

“How realistic is that?” I asked. Everyone laughed, including the waitress refilling our drinks. 


My dinner companions all understood the scope of the problem because they’re professionals. They know that their respective employers are accepting unnecessary risks by not having a clear, consistent, and enforced information security program. It’s the 2020s … pretty much everyone understands how disruptive a data breach can be.


In all three cases, my friends have no authority in their organisations. They’re all line workers, not managers. Even if they’d raised the issue, they wouldn’t be listened to. Their function is only to perform work as directed, and none of them is permitted to rise above their station.


This is pretty darned normal in corporate America. Sure, our mega corps all have thorough, tested security programs. When I first joined Verizon Enterprise’s cloud hosting division, I got to help the SOC2 teams address vendor inquiries. Theirs was bog-standard and well resourced because they’d lose customers to the other S-tier cloud hosting providers if they didn’t.


When you get out of the Fortune 500, though, that VZE-style focus and thoroughness often doesn’t exist. In many of the small businesses I used to consult for, no one knew that this was a thing. How could they? They didn’t know what they didn’t know. Without an example to follow, the business owners and managers I worked with just did what they thought was necessary. For most small businesses, that means financial tasks, inventory, supplier management … while “security” consisted of locking their shop’s door at night.

To be fair, if you’re not doing this part consistently then the rest of your security plan probably won’t help you.

I’m not saying this to insult anyone. If you’re reading this and your outfit is operating at that level, don’t be embarrassed. What you’re going through is normal. Ordinary, even. You must secure your foundations before you start in on the “work about work” stuff. No one expects you to implement an enterprise security framework while your staff are still on a first name basis. That’ll come with time.


Still, it’s never too early to begin work on the essential elements of a security program. Start off with information classification. Ask yourself, “what information do we have that could hurt us if it’s lost, stolen, altered, or erased?” Once you’ve listed everything that falls into that category, that becomes your “protected information.”

Teach all your people what that is and show them how to mark it so everyone will recognize it when they encounter it. Then set some basic rules for how to protect it, like “don’t share this outside the company without the boss’s permission,” or “never let this content leave the company network.” Whatever it is, work out some simple, clear guidelines and enforce them. 
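One way to make that inventory-mark-enforce loop concrete, as an added Python example that is not part of this column: a two-tier scheme (PUBLIC / PROTECTED), a plain-text marking line every employee can recognise, and the two sharing rules quoted above encoded as a check. The `CLASSIFICATION:` header, the internal mail domain `example.com` and the keyword detectors are all assumed choices, not anything the article prescribes.

```python
"""Minimal information-classification helper (added example, not the column's).

Labels, the marking line, the company domain and the detectors below are
hypothetical choices made for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Two-tier scheme: anything not explicitly PROTECTED is treated as PUBLIC.
LABELS = ("PUBLIC", "PROTECTED")
MARK_RE = re.compile(r"^CLASSIFICATION:\s*(PUBLIC|PROTECTED)\s*$", re.M)
COMPANY_DOMAIN = "example.com"   # assumed internal mail domain

# Rough detectors for categories the article names; they only flag UNMARKED
# documents for review, they never decide on their own.
HINTS = {
    "financial account data": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "contracts": re.compile(r"\b(contract|agreement|terms of service)\b", re.I),
    "vendor data": re.compile(r"\b(vendor|supplier)\b.*\b(price|pricing|quote)\b", re.I),
}

@dataclass
class Decision:
    label: str
    allowed: bool
    reason: str

def read_marking(text: str) -> Optional[str]:
    m = MARK_RE.search(text)
    return m.group(1) if m else None

def mark(text: str, label: str) -> str:
    """Prepend the marking line so every reader recognises the tier."""
    if label not in LABELS:
        raise ValueError(f"unknown label {label!r}")
    return f"CLASSIFICATION: {label}\n{text}"

def looks_protected(text: str) -> List[str]:
    return [name for name, rx in HINTS.items() if rx.search(text)]

def can_share(text: str, recipient: str, approved_by_boss: bool = False) -> Decision:
    """Apply the rule 'don't share PROTECTED outside the company without permission'."""
    label = read_marking(text)
    if label is None:
        hits = looks_protected(text)
        if hits:
            return Decision("UNMARKED", False, "looks protected (" + ", ".join(hits) + "); mark it first")
        return Decision("UNMARKED", True, "unmarked, nothing sensitive detected")
    if label == "PUBLIC" or recipient.lower().endswith("@" + COMPANY_DOMAIN):
        return Decision(label, True, "public content or internal recipient")
    if approved_by_boss:
        return Decision(label, True, "external share approved by the boss")
    return Decision(label, False, "PROTECTED content leaving the company needs the boss's permission")
```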


After that, the other elements of a decent security program will start falling into place. It won’t be long at all before you’re outperforming your contemporaries by being less vulnerable to exposures, hacks, and reputation-destroying mistakes than competitors who haven’t reached this same maturity threshold yet.


One more lesson to take away from this article … I’m a decent security professional, but a very boring dinner conversationalist. That probably won’t ever come up, but … ya know … just in case. Just like a ransomware attack, it’s foolish and unnecessarily risky to believe it could never happen to you. 

© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543