Identifying Critical Data

Introduction 

Working in the US intelligence community and the US Department of Defense, as well as in industry, I find that the one common thing I’ve immediately had to do is locate the critical data. In this blog post, I will help readers answer the question, what is the critical data in my business and how do I find it? 

What is Critical Data, and Why Does it Matter? 

Critical data in industry is data that organizations deem essential for success, or data that must be retained for regulatory purposes.  Typical examples of critical data include customer data, (especially personal information that is covered by data-projections laws), employee data, and data concerning vendors’ business partners. 

Critical data in the United States Department of Defense is the same as industry plus all information that can present an advantage to an enemy including Controlled Unclassified Information (CUI). 

In industry, as well as the United States Department of Defense, first defining the information you must protect is essential in understanding how to protect it and the level of money and effort that should be used to protect that data.  A great example of that is if you have a list of family recipes that wouldn’t necessarily be defined as critical data and in most cases unless you have a super-secret family recipe that you just can’t let out you would need to put the lowest level of protection on that secret.  However, now say this family secret is the recipe for Coke a Cola and billions of dollars in revenue stand to be lost if this recipe is stolen.  One you aren’t going to really put a lot of protection in place but the other you are going to try to make impenetrable like Fort Knox.   

How to Identify your Critical data  

This might sound a little out there and even a little bit of a crazy idea, if you want to identify your critical data and have the best shot at securing it properly at a reasonable cost, then have your cybersecurity department working on a regular basis with your business department. Have them talk regularly and have them talk often about the business mission and goals. When your cyber security team understands the mission and goals and there is a joint evaluation on the data, it makes it possible to accurately assess the right solutions to protect the data at an appropriate cost.  

Data protection is regulated by a wide range of varied factors, including but not limited to things like legislation, agreements with clients, non-disclosure agreements, and more. Essentially, you need to ask yourself the question “what obligation does my business have to protect the information we’re creating and sharing on a regular basis?” Anything that falls under the guidance of entities like those outlined above is therefore by default “critical,” and needs to be protected. 

Being able to answer these questions will give you a better understanding of the volume of critical data you are dealing with and where it is being stored across your business. This is part of mapping your critical data, which is one of the most important things you can do. 

Once you have your cyber security and business departments in the same room and talking, what should they be talking about? Mission-critical functions of the business and criticality of the type of data that needs protecting. Make sure your cyber security team understands your business needs and the use cases for all the data that you collect. Have business then listen to different strategies to protect the data and you will have not only your mission-critical data but you will also have a realistic idea of the cost to protect the data. 

Think about things in terms of the various departments within your business. What information does the customer service department need to function? What information do human resources depend on? What data does management need, versus those in finance, versus those in sales or engineering? Where is that data being created and, more importantly, where is it being stored? 

Lastly, try to think of your industry and business-specific risks and understand what type of data someone with malicious intent might target. If you adopt the mindset that there already exists an inside threat, how would you stop them from getting access to and exfiltrating that identified critical data? Just asking this question will lead you to adopt stricter access controls, audit trails, and more. 

Closing 

Keep in mind that identifying critical data for your business is only the first step in data protection. It is also equally important to establish mitigation strategies and emergency preparedness plans in the event your critical data has been compromised. Perform training exercises in the event the worst happens.  

Security Research Group is here to help with all of it. We would love to hear about your business and how we can help you with data protection and emergency preparedness.