It’s time to give unstructured data some structured protection
By Byron Acohido, ThirdCertainty
Companies are generating mountains of unstructured data and, in doing so, unwittingly adding to their security exposure.
Unstructured data is any piece of information that doesn’t get stored in a database or some other formal data management system.
Some 80 percent of business data is said to be unstructured and that percentage quite obviously has to be rising. Think of it as employee-generated business information—the sum total of human ingenuity that we display in the workplace, typing away on productivity and collaboration software, and dispersing our pearls of wisdom in digital communications.
Unstructured data is all of the data that we are generating on our laptops and mobile devices, storing in cloud services, transferring in email and text messages, and pitching into social media sites.
Many companies are just starting to come to grips with the complex challenge of figuring out how to categorize and manage this deluge of unstructured data.
Sensitive data at risk
But what’s more concerning is the gaping security exposure.
It was unstructured data—in the form of a text message transcript of employees conversing about deflating footballs—that blindsided the New England Patriots NFL team and its star quarterback, Tom Brady.
Yet the full scope of risk created by unstructured data is much more profound.
“The risk that unstructured data poses dwarfs that of any other type of data,” says Adam Laub, product management vice president at STEALTHbits Technologies. “It is the least understood form of data in terms of access, activity, ownership and content.”
I met with Laub as he was pitching STEALTHbits’ technology at the recent RSA Conference in San Francisco. “Any single file can contain the data that puts an organization in the headlines, and turning a blind eye to the problem or claiming it’s too big to handle is not a valid excuse for why unstructured data hasn’t been secured properly,” Laub says.
STEALTHbits helps companies that use Windows Active Directory identify and keep more detailed track of shared files that hold unstructured data. That may sound basic. Yet the fact that STEALTHbits is part of a thriving cottage industry of technology vendors helping organizations get a grip on unstructured data is truly a sign of the times.
A decade and a half has elapsed since the Y2K scare. During that period, business networks have advanced and morphed and now tie extensively into the Internet cloud and mobile devices.
Close the security gap
Along the way, no one had the foresight to champion a standard architecture to keep track of—much less manage and secure—unstructured data, which continues to grow by leaps and bounds.
Criminals certainly recognize the opportunity for mischief that has resulted. It’s difficult to guard the cream when the cream can be accessed from endless digital paths.
Just ask Morgan Stanley. Earlier this year, a low-ranking Morgan Stanley financial adviser pilfered, then posted for sale, account records, including passwords, for 6 million clients. The employee was fired and is being investigated by the FBI. But Morgan Stanley has to deal with the hit to its reputation.
“The urgency is that your information is under attack today,” says Ronald Arden, vice president at Fasoo USA, a data management technology vendor. “Somebody is trying to steal your most important information, and it doesn’t matter if you’re a small company that makes widgets for the oil and gas industry or you’re Bank of America.”
Fasoo’s technology encrypts any newly generated data that could be sensitive and fosters a process for classifying which types of unstructured data should routinely be locked down, Arden told me.
Technology solutions, of course, are only as effective as the people and processes in place behind them. It is incumbent upon executives, managers and employees to help make security part and parcel of the core business mission. Those that don’t do this will continue to be easy targets.
Simple first steps include proactively identifying where sensitive data exists. This should lead to clarity about data ownership and better choices about granting access to sensitive data, says STEALTHbits’ Laub.
This can pave the way to more formal “Data Access Governance” programs, in which data access activities are monitored and user behaviors are baselined. “This will go a long way towards enabling security personnel to focus on the events and activities that matter most,” says Laub.
Smaller organizations may have to move much more quickly and efficiently. Taking stock of the most sensitive information in a small or mid-sized organization is doable, says Fasoo’s Arden.
“If you are a manufacturing company, the intellectual property around your designs and processes are the most critical pieces of information in your business, if you are a financial company it’s your customer records,” Arden says. “Think about securing that information with layers of encryption and security policies to guarantee that that information cannot leave your company.”
Some unstructured business data is benign and may not need to be locked down. “If I write you a memo that says, ‘We’re having a party tonight,’ that’s not a critical piece of information,” says Arden. “But a financial report or intellectual property or something related to healthcare or privacy, that’s probably something that you need to start thinking about locking down.”