In recent years, discovery and classification has become one of the most important steps to a successful data security strategy. This is because, although digital modernization has brought many advantages, one problematic side-effect has been a dramatic proliferation in shadow data, i.e. data that is created, stored or shared without oversight or governance from security teams. 

As global privacy regulations have become more stringent over the last few years, businesses have had to take the problem of shadow data more seriously in order to ensure compliance. This in turn has led to many investing more into better discovery and classification solutions. However, too often businesses fall into the trap of classifying their data and identifying which assets are sensitive, only to forget about any sort of protection for the rest. 

What needs protecting? Everything

There are various methods for handling data classification, but generally, data is classified according to its sensitivity level:

• High sensitivity data: Data such as financial records or intellectual property that, if compromised or destroyed in an unauthorized transaction, would have a catastrophic impact.
• Medium sensitivity data: Data that is intended for internal use only, such as emails or documents, but contains no confidential information so would be less than catastrophic if compromised or destroyed.
• Low sensitivity data: Data intended for public use, such as marketing materials or website content.

Many businesses assume that once they have classified data into these categories, the next logical step is to put protective measures in place to safeguard their high and medium sensitivity data. Meanwhile, low sensitivity data can be ignored, as it’s intended for public use or the company won’t be fined if it gets leaked.

Homes for hackers

This assumption is not only wrong, but dangerous. Think of it like a house. If someone classified all the items in a house into high, medium, or low risk, they wouldn't remove all security measures around the low value items. That would be like locking away a laptop, but leaving the front door open 24/7 because it doesn’t matter if someone steals the rubbish bins or washing up gloves. The fact is, if someone is able to come into a house whenever they like and take a look around, it doesn’t matter if they only take unimportant stuff to begin with – they’ve been given a huge amount of insight into where and how the high value items are stored.

It’s the exact same with data. While low risk data itself may not pose any sort of risk, the fact that hackers can move in undetected and make a little home for themselves is a significant threat. Once inside, criminals can spend as much time as they want to get to know the lay of the land, where all the high risk data resides, what the security controls look like, and who the database administrators (DBAs) are. Once they have all of that information, they can choose their moment to spearphish the right employee and, bang, suddenly they’re exfiltrating reams of valuable data out the back door.

There’s no such thing as unimportant data

Although it may seem counterintuitive, prioritizing the protection of low risk data can actually end up being a better use of resources, at least to begin with. The reason for this is two-fold. The first is that, as with any IT solution, there is the potential for a new data security tool to cause breakdowns and potential outages. Should this happen, it’s far better to have it happen on low risk data than on a major data store that can bring the business to a halt if it’s unexpectedly unavailable.

The second, and more important, reason is that if security is only in place for high risk data, enterprises have to be in the right place at the right time if they’re going to stop a breach. This is because, when hackers are ready to steal the sensitive data, they don’t hang about. They get in, get the data, and get out. In contrast, monitoring low risk data is where security leaders can find all sorts of interesting stuff, because hackers are looking to play around and experiment to try and find out the best way to attack.

Stopping hackers before they strike

Driven by increased regulation around privacy, discovery and classification has become central to maintaining compliance around the world. This, in turn, has helped to address some of the issues around data security. But it would be a mistake to confuse regulatory compliance with high quality data security, as illustrated by the way each treats ‘low risk’ data. Good data security means that no data is ignored, even if it has been classified as low risk. 

Low risk data is where hackers live, watch, learn and wait for the perfect moment to shift gears and steal the crown jewels. For businesses that are serious about data security, the goal shouldn’t be to wait and try and catch them in the act but to identify them before they are ready to make their move. And the best way to do that is to monitor low risk data just as intensely as high risk.