Enterprise cybersecurity technology

research that connects the dots | Learn more


Are We Doing Enough to Protect Our Unstructured Data?

Organizations are coming under pressure to protect their data, but does all data need the same security? To secure it, you first need to know what and where it is.

Let's start by examining those two broad-brush data categories: structured and unstructured.

Structured data refers to the data resident within relational databases, often presented via customer relationship management (CRM) systems and corporate applications. Tables and rows of related information in limited formats, structured and only accessible to users with suitable authorization.

Unstructured data is much less easy to ring-fence, being comprised of all the different, unrelated files present on end-user devices. The data is stored in a wide array of locations locally, across the network and in cloud-based services. When considering all these formats and types on local and network-based devices, it is easy to see how vital it is to include all this data into the overall data security equation. Omdia estimates that as much as 80% of an organization's data is resident in this unstructured category.

Now let's consider how all the data needs to be protected.

Due to the general level of sensitivity of structured data (personally identifiable information, payroll, financials, legal, etc.) security strategies will often focus on this tier. Organizations typically separate and secure the various types of data here. However, even these measures are potentially far from sufficient to protect against a determined hacker. Can any organization really say with confidence that it is adequately protected when the next attack could be from an entirely unknown quarter?

Questions of security robustness aside, for structured data, organizations do tend to treat data differently, considering the actual content (and risk to the business if it were lost) and thus appropriate controls are reasonably applied.

Given the sheer volumes, can it be said that unstructured data receives proportional (or even anything like) the same consideration structured data receives? The answer is most likely "no."

First, let's ask a more fundamental question. Can an organization, hand on heart, say it even knows where all its unstructured data is? Most organizations may struggle here. File authors may have difficulty remembering a specific file or what they did with it, or even may have left the business altogether.

This then presents this challenge: "If the organization doesn't know where a file is or what it contains, how can it be protected?"

Discovery Solutions

Data discovery solutions can make retrospective retrieval more palatable, but it's better to be able to classify documents at time of creation and then store them clearly and appropriately according to their value (or risk) to the business.

Omdia argues that the authors of these documents are best placed to apply a suitable mark, but artificial intelligence (AI) tools can also be employed. Today, organizational culture tends to determine if the preference is for a user or AI-centric approach. Either way, a visual and a similar embedded mark classifying the document, working in tandem with a data loss prevention (DLP) tool, will not only indicate the sensitivity of the document and with it how it should be handled, the labels will also dictate how the document can be distributed. This is the foundation to protecting unstructured data.

A consideration here. Adopting a one-size-does-not-fit-all approach does get granular quite quickly when considering all the different types and levels of data sensitivity circulating within a business. This is a necessary part of the planning process, however, and clarity and time taken to construct a hierarchical data framework at this stage will bear dividends later. Thorough and well-defined data type definition and a prioritization strategy mapped across all the various data types will not only deliver enhanced security, but also ensure that if, or when, an attack occurs, the regulators can be subsequently assured that every possible measure was in place to preserve the security of an organization's data, and, moreover, that all data was being handled in the right way. It is also worth considering at this point that highly restricted, legally sensitive data one day can become public information the next.

In terms of working with end users, views about this group and security of any type are highly polarized. Omdia firmly believes in thorough cybersecurity training for the workforce. It is vital to include users in an organization's security posture, employing them as a resilient part of the data security defensive fortification rather than sideline them as a part of the problem. Cybersecurity training is vital, but it should be ongoing and frequent to create a "security culture" within the organization.

No organization can claim to be 100% secure against the ever-evolving threat landscape. By working to understand data and accordingly implementing appropriate security controls across the varying types and sensitivities, together with proactive involvement of the end users, both the impact of unauthorized or malicious data loss can be mitigated and expensive costs associated with a blanket data security approach can be avoided.