In part one of our blog series on the risks of unstructured data, we talked about some examples of unstructured data and the challenges it presents for security professionals. In part two, we’ll offer some tips on how to secure your data.
Cleaning Up Unstructured Data
SharePoint is a good place to start when cleaning up and organizing your data. I’m not suggesting you go out and implement a SharePoint solution, but if it’s part of your Microsoft Office suite of applications, we recommend that you use it. It’s flexible and can eliminate the hierarchy of shared drives.
You can set up data in SharePoint in a hierarchical system (folders) or you can tag and sort it in several different ways. When you put items in a folder on a network share, all you’re really doing is labeling (tagging) those items so you can easily find them later. The same is true of SharePoint.
This rigid folder hierarchy, however, is where things start to break down. It commits you to a static way of looking at your data. If you’re organizing your data in a file structure that’s more than three or four levels deep, then you probably need to re-evaluate how you’re organizing your data. By using SharePoint and tagging your documents, you can view the data any way you like any time you like. If Joe wants to see sales reports by fiscal year and John wants to see them by region, it’s no problem as long as you have a year and region tag.
If you’re unclear about how to tag your data, study your folder hierarchy. What are your folder names? Do subfolder names like year, region, or department repeat, for example? If so, then they’re great candidates for tags.
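One way to run the folder-name check described above, as an added example that is not part of the original post: the Python below takes a list of file paths exported from a shared drive, counts how many distinct folders carry the same name (folding year-like names such as 2018 and FY2019 into one class), and lists files nested more than four folders deep. The sample paths, the `S:` drive letter, and all function names are constructed for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample of file paths from a hypothetical shared drive (not real data).
SAMPLE_PATHS = [
    r"S:\Sales\2018\East\Reports\Q4\Final\summary.xlsx",
    r"S:\Sales\2018\West\Reports\q4.xlsx",
    r"S:\Sales\2019\East\Reports\q1.xlsx",
    r"S:\Sales\2019\West\Reports\q1.xlsx",
    r"S:\Marketing\2019\East\campaign.docx",
    r"S:\Marketing\2019\West\campaign.docx",
    r"S:\HR\Policies\handbook.docx",
]

YEAR = re.compile(r"^(FY)?(19|20)\d{2}$", re.IGNORECASE)

def folders(path):
    """Folder names between the drive root and the file name."""
    return list(PureWindowsPath(path).parts[1:-1])

def normalize(name):
    """Fold year-like folder names into one class so 2018 and 2019 count together."""
    return "<year>" if YEAR.match(name) else name.lower()

def tag_candidates(paths, min_count=2):
    """Return {folder name: number of distinct folders carrying that name}."""
    locations = defaultdict(set)
    for p in paths:
        parts = folders(p)
        for depth, name in enumerate(parts):
            # Record the full location so the same folder is only counted once.
            locations[normalize(name)].add("\\".join(parts[:depth + 1]).lower())
    return {n: len(locs) for n, locs in locations.items() if len(locs) >= min_count}

def too_deep(paths, max_depth=4):
    """Files nested deeper than max_depth folders, a sign the hierarchy needs review."""
    return [p for p in paths if len(folders(p)) > max_depth]

if __name__ == "__main__":
    for name, count in sorted(tag_candidates(SAMPLE_PATHS).items()):
        print(f"tag candidate: {name} (appears as {count} separate folders)")
    for p in too_deep(SAMPLE_PATHS):
        print(f"more than four levels deep: {p}")
```

Names such as `east` and `west` are reported separately; deciding that both belong to a single "region" tag is still a manual step for the data owner.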
Converting Shared Drive Files into SharePoint Docs
In some cases, spreadsheets can be turned into SharePoint lists. This isn’t a viable solution in every case, but it can be a significant improvement over a traditional spreadsheet depending on the content. A list works great when you need or want to see data in different configurations.
Going back to the example in our previous blog of the HR list with multiple attributes, it was possible to sort or filter that list in any configuration. In some cases, it needed to be filtered by an employee’s travel location, and sometimes sorted by region; either could be easily accomplished. Although your HR Officer may say they don’t want sensitive data on SharePoint, it’s almost always more secure than a shared drive if set up correctly. Permissions can be configured as loosely or as tightly as required, or kept simple. This also enables your IT staff to tie permissions to Active Directory user groups.
In fact, the HR manager’s list of employee names and personal details was permissioned so that only she and the HR Officer could access it. This was a much better solution than her original shared drive document.
The trick, though, is not letting SharePoint become your second cluttered shared drive. Generally, transfer your most current working documents first and then move the rest when the need arises. This will quickly reveal what’s important and what isn’t.
Basic Guidelines for How to Secure Your Data
If you’re looking for where to start, here are some basic guidelines on how to secure your data:
- Have a document policy and make sure your employees are not only aware of it but actually follow it. Employees will follow information classification policies if they exist. Implement things like file naming conventions that can make searching for data easier.
- Assign an owner to any sensitive data and identify who the data custodians are or will be. These are the folks who know the most about the data, use it daily, and can do the best job in keeping it groomed. The owner should also determine who needs access and to what degree, and decide to what degree the document(s) should be classified.
- Analyze your data and determine your critical information assets, who handles them, and how they’re used. Determine what data is critical, important, usable, etc. This will likely be the heavy lift in the beginning but should become easier as you work through it. Once the data is profiled, it will be much easier to apply policies and security mechanisms.
- Classify what the team finds after they’ve done some analysis. What’s most important will be unique to the organization, but classification is a key piece in helping to identify and secure what you have. Start by grouping what you deem important and then determine how critical those documents are to the organization. Most private sector organizations have four levels of classification: Confidential, Private, Sensitive, and Public, with Confidential being the most sensitive level. For example, documents pertaining to trade secrets might be classified and marked as Confidential, and documents related to marketing might be labeled as Public.
- Eliminate useless data. Instruct employees on how to clean out the file spaces they use regularly. Start with the most current first and work backwards. You will quickly discover what’s relevant and what isn’t. Remember that “dark data” that constitutes almost half of your unstructured data? If it’s “dark”, it’s probably not needed any longer. Just make sure you’ve done some analysis to determine what’s important and what isn’t.
Data retention policies will vary by organization or industry. Generally, accounting and operational records should be kept for seven years, tax and payroll records between three and six years, and employee records for at least seven years after the individual has left the company. The retention policy of other types of key documents like business plans, security plans, proposals, or customer information will all depend on the organization. After thoroughly reviewing what you have, if you find documents that are still relevant then, depending on their age or usefulness, archive them off. This frees up file server resources and makes your shared drive less hectic in general.
- Have a training program. Help your employees understand the risks. Training should focus on the unstructured data that they generate. How do you manage it? How should it be permissioned? What should receive an organizational classification? Tie training to a relatable scenario. For example, a lost proposal may cost a salesperson their incentive payout, or that handy phone tree might actually contain sensitive information.
Is There Any Upside to Unstructured Data?
The good news is, it’s not all gloom and doom. Good things can emerge when disparate data is identified and organized. Some of that data may very well hold the key to growing the business or improving customer relations. According to 2019 research from UK firm Crown Records Management, a majority of businesses (64 percent) said they could improve operational efficiency and productivity by tapping into unstructured data, and 31 percent saw it as a source of improving employee engagement.
It’s up to top management to support employees in creating a secure and data-aware culture. There’s lots of good information on that file server – but there’s probably lots of garbage too. Most likely, the benefits of reviewing, classifying, and organizing your data will far outweigh the time it takes to perform the task. Having a clear document management policy and supporting procedures on what to do with unstructured data will go a very long way in reducing security concerns and resource requirements.