Data classification is an approach to identifying, protecting, and managing information which has rapidly become best practice. Implemented as part of a layered security strategy, it enables an enterprise to defend itself against a variety of threats - from aggressive outsiders to untrained or well-meaning insiders - while unlocking the full potential of its data to drive innovation and productivity.

At its simplest level, data classification is “the process of organizing data into categories for its most effective and efficient use”. From a security perspective classification involves the categorization and labelling of data according to its level of sensitivity or value to an organization – for instance as commercial in confidence, internal only or public. The approach switches the focus of data security from building ‘walls’ around networks, databases, applications, or devices – increasingly ineffective, as 95% of breaches are caused by human error (your users are on the inside of any “wall”) – to the data itself.

The first step is to establish a policy as to what labels or classifications should be added to which files or emails. The company can then decide how to communicate this to employees and decide on how to implement the policy. Some organizations decide to adopt a manual only labelling policy. However, there are more advanced data classification techniques that utilize software toolsets which attach labels to email messages, documents, and files. In addition to a visual marking that lets people know how the data should be handled, the label is embedded into the file properties as metadata, allowing the data to be accessed or used only in accordance with the rules that correspond with the data’s

 classification. This means that the protection travels with the data, wherever it is sent or stored. Each of the three techniques – paper-based classification, automated classification and user-driven (or user-applied) classification – has its own benefits and pitfalls.

Paper-Based Classification Policy                                                                                      
A corporate data classification policy will set out how employees are required to treat the different types of data they handle, aligned with the organization’s overall data security policy and strategy. A well-written policy will enable users to make fast and intuitive decisions about the value of a piece of information, and what the appropriate handling rules are, for example who can access the data and should a rights management template be invoked. The challenge, without any supporting technology, is ensuring that everyone is aware of the policy and implements it correctly: according to PWC’s 2015 Information Security Breaches Survey, 72% of the organizations where security policy was poorly understood experienced a staff-related breach in 2015.

Automated Classification Policy                                                                                        
This technique bypasses the users’ involvement, enforcing a classification policy to be consistently applied across all touchpoints, without the need for major communication and education programs. Classifications are applied by solutions that use software algorithms based on keywords or phrases in the content to analyze and classify it. This approach comes into its own where certain types of data are created with no user involvement – for example reports generated by ERP systems or where the data includes specific personal information which is easily identified such as credit card details.