That's classified: Government can continue its data protection leadership
We are living in the data age. Organizations are grappling with a seemingly unending barrage of data and are challenged by how best to use it, store it and secure it. Yet data breaches and leaks continue to happen, despite security regulations becoming stricter in an attempt to help control them.
With that in mind, it’s easy to see why data protection remains a top concern for all organizations. This is especially true for government agencies, which handle some of the most sensitive information in the country. Take the Census Bureau, for example -- public concern about the security of census data is one of the Bureau’s top issues as it prepares for the 2020 census. Lawmakers have warned that if there were a breach of census data, it could permanently damage public trust and affect the capability of this country to gather essential data in the future.
In most government agencies -- and in many other industries -- these warnings have prompted digital-era security measures largely focused on firewalls, passwords and other safeguards to help thwart cyberattacks and other threats attempting to infiltrate networks from the outside. And while these methods are a critical component of any security strategy, most data breaches are unintentional, happening from inside an organization. While a few of these breaches are the result of malicious players, most are inadvertent, stemming from human error.
Often, in the course of doing their jobs, people accidentally share information they shouldn’t have via email, or they post it to an unsecure location. There have been numerous examples in the last couple of years to support this. In more than one case, a data breach happened because an employee uploaded sensitive information to an unsecured site, such as a portable drive or cloud storage site. Often these scenarios have limited consequences, but you know what can happen when sensitive information gets into the wrong hands.
Fortunately, when it comes to the protection of critical information, government has traditionally led the way.
That’s Classified Information
Since the time of paper files bearing a big "CLASSIFIED" stamp, government agencies have been at the forefront of deploying strict data protection policies. With the advent of digital transformation and the influx of sensitive data that all government agencies face, there’s an opportunity to apply this same data protection rigor using digital policies that drive both the identification and protection of information that is core to the security of the nation.
In short, implementing a data protection strategy rooted in the identification and classification policies deployed so expertly in the “paper age” could especially help reduce the number of data breaches that stem from inadvertent sharing and other forms of human error.
Technologies built into everyday workflows can help government employees identify the value of content at creation or after it has been stored on premises or in the cloud. Metadata and classification details trigger specific security policies depending on the content.
As people send emails, upload files and save documents, the data classification technologies ask questions and alert users when highly sensitive data is involved, mitigating the risk of someone inadvertently sharing sensitive or personal information such as census data. So if users try to upload a sensitive document to an unsecure location, as in the example above, data classification tools would alert them that the upload contains a classified document.
The challenge comes in the implementation of these data protection practices. Properly identifying and securing critical information isn’t a “moment-in-time” activity. It requires a shift in thinking and organizational culture.
Making a Cultural Shift
Controlling the flow of information is nothing new for some government agencies. For example, the military has been controlling highly sensitive data for a long time. The culture inside the military is such that security is always top-of-mind. So if an upper-level commander says deploying software will help with protecting critical and/or sensitive information, it’s likely that everyone will go along with the plan because the idea of putting controls and security around processes is already part of the culture.
But for other government agencies, changing protocols might require a real cultural shift within the organization to be truly effective. In that case, agencies will need to consider their internal culture and find the solutions that will work for them.
Following a three-stage process for implementing data protection into everyday workflows will help make the shift go more smoothly:
- Educate -- Help employees understand why identifying, labeling and classifying individual assets is important and is at the heart of good data protection. Explain why doing this at content creation can help down the line.
- Implement -- Once people are on board, provide the tools and technologies that can help them do their part in identifying and protecting the organization’s sensitive information. Find tools that integrate easily into employees’ existing workflows and that neither require learning multiple programs nor burden day-to-day work. For many work groups, it will be important to convey that the process is collaborative rather than something commanded from on high with no real explanation.
- Control -- Once tools are up and running, set clear security policies and boundaries to help protect sensitive data according to user direction. Check in regularly with users and teams to ensure policies remain relevant. Some solutions allow for data classification on certain types of content to evolve over time, as data protection needs change or scale. Some solutions enable organizations to update policies in general as business needs change.
For agencies dealing with huge amounts of sensitive information, implementing technologies to help identify, classify and protect data could be a game-changer. Not only would it help with managing and sharing all that information, but it would put the public at ease and offer long-lasting protections.
Mark Cassetta serves as Senior Vice President of Product Management & Strategy at TITUS. In this role, he's responsible for the execution of product strategy. Since joining TITUS in 2012, Mark has held positions in marketing, business development, and corporate strategy, and brings to the role over 10 years of experience across application development and enterprise software. Prior to TITUS, Mark was a Senior Technology Consultant at Accenture, managing projects within large-scale technology transformations.