The growth in ransomware attacks and insider threat risks has pushed information protection to the top of the agenda in boardrooms around the world.

Tristan Morgan, director of global advisory at BT, shares his insights on how to go from not knowing where all your data is held to having total visibility and control over your information.

One after another, attacks and risk events unfold and businesses watch with horror, wondering if they could be next. The uncomfortable truth is that cybercriminals are actively looking for unmanaged data to exploit, and organisations are right to be worried.

So, where do you start when reviewing your information protection measures?

Take a holistic view of your data environment

The first thing I stress to businesses is the importance of the context, of understanding today’s data environment and recognising the change that’s going on. The days of an organisation holding its data in one or two on-premise data stores have gone, accelerated by the huge move to remote working over the last six-months. Now your data is everywhere, scattered between hyperscalers and your own systems. It’s not about ring-fencing your data anymore, it’s about managing your data and making sure you’ve got the right controls and visibility around your information wherever it’s stored.

Start by taking stock. Work out the data-related threats to your business: who’s going to want to get their hands on your data, and what data sets are they most likely to target? And don’t rule out the fact that your biggest threat could come from your employees. Staff feeling disgruntled or disenfranchised might deliberately leak your data, or poor cyber hygiene could be the way in that cybercriminals are looking for. Either way, it’s worth remembering that recent research found that over half of all employees take data with them when they leave a company.

Prioritise your information protection activity

Then you can move into a discovery stage, where you scope out what needs to be done and prioritise your information protection plans according to what’s most important to your business. You won’t be able to achieve everything overnight, so focus the first stage of activity on making sure your house is in order from a regulatory and compliance perspective. Realistically, most businesses have taken a few shortcuts with their data over the last six-months that they’ll need to rectify in the first sweep of activity.

What underlines the importance of discovery is that, when I ask businesses where their data is, they can usually only tell me where about 60% of it is. Although this makes sense when you think about how businesses accumulate data over time, in so many forms, it’s worrying when it comes to information protection.

Knowing where data is stored is even more of a challenge for companies that work with a broad community of businesses or those that have an extended supply chain. Mergers and acquisitions, too, are prime events for adding data into the estate, making it harder to keep track of what’s where. As well as determining where data is, the discovery stage also needs to include understanding what form the data is in. Protecting a database, for example, calls for a different strategy than protecting information held in Excel.

Prepare the way for automation

After discovery, you’ll be able to move on to classifying your data based on type, building a model that will mean you can manage your information effectively. Classification is an essential part of turning your massive sea of data into distinct entities that you can apply policies to and get visibility around.

How you label your data is hugely important because it’s the key to being able to automate its processing. The right labelling will mean you can go beyond managing data at a type level. You’ll be able to get more granular, managing it by factors, such as who has permission to access a data set or how long the set needs to be kept for. Now, you can turn access to information off and on, and track who’s viewing it. You have total visibility and control over your information, that you can map against any perceived threats to your organisation.

Build a culture of protection

I must sound a note of caution though: classification and labelling are not one-time exercises; they need to continue to include any new data that comes into the organisation. You need to live and breathe it, making it part of your culture, so the muscle memory of your business automatically structures your data in the right way. Your information protection depends upon it.