Experts estimate that unstructured data now makes up 80% to 90% of the average organization’s data. That means the vast majority of data in an organization isn’t stored in nice, neat databases or secure applications. It’s sitting in text documents, spreadsheets, email messages, slide shows, video files and other formats. It’s stored on local devices, in the cloud and on filesharing services. As its name implies, unstructured data is just that — unstructured.

That might not sound like a problem, but it creates significant cybersecurity challenges. For example, if I asked where a company stores its key financial data, they might tell me it’s in their enterprise resource planning (ERP) or financial system. And while that’s probably true, it isn’t the whole answer. The organization likely uses spreadsheets for financial planning and analysis, and sensitive financial data certainly resides in PowerPoint presentations for senior leaders and the board of directors. Where are these stored? Who has access to them? Have they been shared with other teams? Are they stored in the cloud?

If an organization can’t answer those questions, it’s a good time to reevaluate the approach to data access security. Simply put, it's no longer enough to manage structured data. Enterprise security teams need to control access to all data — no matter where it lives.

Understanding where enterprise data lives

It’s hard to protect enterprise data if the security team doesn't know where it is, which means organizations need to improve their visibility. Security teams can start by conducting a data inventory audit to better understand where the enterprise’s most sensitive data actually lives. There’s nothing revolutionary about this idea; in fact, it’s been step one for data protection for more than 30 years. Still, it can be surprising how many companies acknowledge that they’re still at this step. This is a growing problem because, as networks become more complex and organizations collect an ever-increasing volume of data, starting a data inventory from scratch will only become harder with time. Don’t fall into that trap: security needs to know where the metaphorical “crown jewels” are.

This is particularly important as the amount of unstructured data continues to expand at an astonishing rate. A concerning number of organizations believe protecting data at the application level is enough — and while restricting who can access structured data within programs like SAP or Salesforce is certainly a good idea, it doesn’t address the full problem. If, for example, a list of Social Security numbers is sitting in a file share folder somewhere, that’s important to know. If a list of customer financial records is sitting on an email server, that’s important to know, too. Today’s organizations have access to technology that can automatically scan unstructured data to look for patterns like Social Security numbers or credit card information. Once security knows where that data is, they can govern its access accordingly.
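The pattern scanning described above can be sketched as follows. This is an added example, not code from the article or from any product; the file path, function names and sample text are constructed for illustration. It validates candidates (never-issued SSN ranges, Luhn checksum for card numbers) to cut false positives and masks matches so the findings report does not itself become a copy of the sensitive data.

```python
import re

# Candidate patterns only; the validators below reject look-alikes.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13 to 19 digits


def valid_ssn(area: str, group: str, serial: str) -> bool:
    # Never issued: area 000, 666, 900-999; group 00; serial 0000.
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")


def luhn_ok(digits: str) -> bool:
    # Luhn checksum: double every second digit counting from the right.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    # Keep only the last four digits in the report.
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(source: str, text: str) -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if valid_ssn(*m.groups()):
                findings.append((source, lineno, "ssn", mask(m.group())))
        for m in CARD_RE.finditer(line):
            if luhn_ok(re.sub(r"\D", "", m.group())):
                findings.append((source, lineno, "card", mask(m.group())))
    return findings


# Constructed sample content standing in for a file found on a share.
SAMPLE = "\n".join([
    "name,ssn,note",
    "J. Doe,123-45-6789,active",
    "test row,000-12-3456,placeholder",
    "card on file: 4111 1111 1111 1111",
    "order ref: 1234 5678 9012 3456",
])

if __name__ == "__main__":
    for finding in scan_text("shared/finance/export.csv", SAMPLE):
        print(finding)
```

The findings (source, line, type, masked value) are what an access review would then join against the permissions on the file's location.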

Governing access to structured and unstructured data

Identity is the structure upon which that governance is built. Whether the identity in question is human or machine, it should have a clearly defined role that determines what information and systems it is permitted to access. Modern identity tools have gotten very good at automating the process of provisioning those entitlements and permissions, and that system should be integrated with data access security systems to ensure that those entitlements are being applied not just to applications, but to unstructured data as well. It’s also important to know not just who has access to data, but how that access is granted. Is there a formal “front door” where users can request approval? That sort of process is essential, and security should make sure the organization has effective data access controls implemented.

It’s critical to make sure only the right people have access and to validate that access regularly. On top of that, it’s a good idea to tie access validation into a lifecycle management system that can automatically reassess entitlements and permissions when users’ roles and responsibilities change. For example, an employee who moves from a human resources job to a communications role should not retain access to the payroll system, and an employee who leaves the company should have their access privileges revoked immediately. By regularly validating permissions and entitlements, security can ensure that each identity has access only to the information it needs, greatly reducing the potential damage if a compromised identity falls into the wrong hands.

Identify, assess, govern

Today’s organizations should address data access security through an “identify, assess, govern” approach. That means identifying where their data lives, assessing who has access to it, and establishing a process to govern that access over time. That might sound like an oversimplification, but it’s a helpful way to frame the approach to what can be an intimidating process. Unstructured data is growing at an exponential rate, and it’s something every organization will have to grapple with eventually. Don’t wait until after a breach — prioritize data access security and ensure unstructured data isn’t exposed and waiting for an attacker to exploit it.