Companies should forget about auditing where data resides and who has access to it.
There’s an old saying when it comes to big undertakings: Don’t boil the ocean. Well, there’s hardly any bigger project in information security than trying to protect corporate data. But the reality is that too many organizations today are “boiling the ocean” when it comes to their data-security program. In fact, they have their entire data-security approach backward – especially when it comes to managing data risk within today’s highly collaborative and remote workforce.
That’s a bold statement, I know, so give me an opportunity to explain what I mean. When most organizations take steps to protect their data, they follow (or, more accurately, attempt to follow) the typical practices. They start with trying to identify all of the sensitive data they have in their organizations – all of the data that exists on their internal network file shares, on endpoints, on removable media and in all of their cloud services. Then, they focus on how important the data is, i.e., the classifications of the information. Is the data confidential? Intellectual property? Important? The next step is determining who has access to the organization’s data. Finally, they seek to control or block when data leaves the organization.
This has been the accepted strategy across the security profession, and, frankly, there is a lot wrong with this model. The honest truth is that it’s not working, because there is simply too much data to successfully identify within the typical enterprise. According to the market research firm IDC, 80 percent of enterprise data will be unstructured by 2025. Let me tell you from experience: unless it is data that is obviously classified as personal health information or card-payment information, it is difficult, nearly impossible, for organizations (except maybe the military) to properly classify and rank their data, much less rely on employees to follow a prescribed classification scheme. They essentially rate everything as classified.
Full article on https://threatpost.com/enterprise-data-security-flip-established-approach/157524/