Circle 01
Circle 02
Circle 03

Join our mailing list

Subscribe to the TSC newsletter to receive exclusive news and advice
  • 05 May 2022
  • 6 min read

CISO Guide: Data classification is still vital ... use training and senior management buy-in to maintain security parity

Information security is not just a legal requirement, it is necessary to maintain an organisation’s reputation, trust, and profitability. Data classification is and remains a vital...

Information security is not just a legal requirement, it is necessary to maintain an organisation’s reputation, trust, and profitability. Data classification is and remains a vital aspect of data security for every organisation.

Evolving technology results in more ways for data to be created, shared, and stored. And while it may be easier (and cheaper) to collect and store substantial amounts of data, the risk to information is increasing. 

In fact, Lepide data reveals that 65% of companies are collecting more data than they can handle with 54% of organisations unable to identify where their sensitive data is located! 

One single mistake in the way sensitive data is handled can damage a business, its reputation and the confidence customers/clients have in them. 

Cybercriminals will always find new ways to breach defences, but these are not always through technology. Have you considered data classification as a means to prevent information breaches? 

What is data classification? 

Data classification is the cornerstone of information risk management.  

It allows you to organise data into tiered categories based on its sensitivity and the level of protection it needs to mitigate information security risks. 

Data classification needs to be an integral part of every company’s cybersecurity management program, no matter the industry or size of the organisation.  

Every organisation should determine categories that they want to classify their data with. For example, the most common cases of classification often use a sensitivity hierarchy, such as: public, private, protected, and confidential.  

Of course, these classification titles can be different business to business, but the core intention remains; understanding the type of information you hold and how to responsibly manage and distribute said data. 

The importance of data classification is even more prevalent at present, as modern business and commerce is so heavily dependent on generating and accessing an enormous amount of data in relation to products and customers.  

Why classify? 

Well, not all data is created equal. This means that some information will need greater security measures applied to it when compared to less impactful data. Not all data needs to be protected in the same capacity. 

Data classification allows your employees to assess diverse types of data whilst getting instant insight into the protection protocols for that particular type of data.  

Clearly labelling data with the correct classification shows its value, helps everyone instantly understand its level of sensitivity and ensures it is handled securely. Essentially, classification ensures data is handled correctly at every stage of its lifecycle by every employee.  

Classification also allows you to organise data for retention, storage, budgets, and ease of reference, and, most importantly, control who has access. 

Why leave data open to interpretation when you can ensure authorised-only access? 

Data classification is also a major part of data compliance. Whether it is HIPAA, GDPR (General Data Protection Regulation) or other governing regulatory bodies, data is required to be labelled so that security can determine access for it.  

And we would be lying if we did not highlight the amount of time and money you can save through simple classification. You will end up cutting back on duplication and storage costs. 

Assessing data 

To safeguard sensitive data, you must first know and understand what data you have and what risks/vulnerabilities it faces. 

The first step is to identify the data you are looking to classify. After this, you must locate where this data sits, whether it is physical or digital, and how you will access it.  

The next step is classification and here you must ask yourself: 

  • Who can access our organisation’s sensitive data? 
  • How would our organisation be affected if this data were leaked, destroyed, or accessed by unauthorised persons? 

These questions will help you determine the true value of the data in question and help you to assess the threat landscape. This will form the basis of your classification levels and handling procedures – whilst also confirming the specific security measures this data needs applying to it.  

Implementing classifications 

Define and implement a data classification policy that includes objectives, data owners, classification categories, and handling instructions. Clearly define your classification procedures for each information type and ensure it can be easily understood by your employees. 

By creating a process for where data is held and who handles it, you can also implement security controls based on its organisational value and associated risks. 

But it is important not to overload employees with too much information. A straightforward policy, with three or four classifications, is more manageable and more likely to help employees understand company requirements. 

And if they understand a straightforward process, they are more likely to follow it to the letter. 

However, you must also remember that data and information security is always evolving. This is a dynamic industry that needs regular updates to your data classification and data protection campaigns.  

Not only will you need to update your protocols depending on new threats and vulnerabilities, but you may also start taking in new information and tangential data that requires fresh categories and classifications.  

The last thing an employee will want in this situation is data that cannot be classified because your protocols are outdated. This is particularly dangerous if this new data is highly confidential, and your employees are clueless as to what to do with it.  

Employees and classifications 

Employees also need to understand that they are the first line of defence against data breaches – even those who think they do not handle confidential information. 

Everyone plays a key role in ensuring data is classified and handled securely. You must empower employees to be your robust front-line defence against information security risks. 

As a result, educating employees about current threats to your organisation’s data and their role in keeping it safe is essential. Those who understand why they need to classify data are more likely to care and engage with information security. 

Create unity by encouraging everyone to take responsibility for keeping information secure and promote your data classification policy as a tool to help them achieve this. If developed well, it will even make their lives easier. And, if promoted and encouraged well, it will become a go-to tool for all your employees. 

Insider threats 

Insider threats, both malicious and accidental, can be difficult to prevent as they develop from weaknesses in your frontline defence. 

Disgruntled employees may intentionally steal data or human error, due to a lack of training, could result in information being divulged unintentionally or without knowledge. 

Combine access management systems, the principle of least privilege, and data classification to help prevent employees from disseminating sensitive information they should not have access to.

Automated classification 

Data classification has traditionally been a user-driven process, but many organisations are now opting for automated classification. 

Automated classification can help ensure data is protected when it is created, modified, stored, or shared. It is efficient and can remove human error to ensure information is correctly classified. It can also organise information and reduce the risk of data loss. 

Usually, automated classification integrates some form of artificial intelligence (AI) or machine learning (ML) when detecting, labelling, and classifying data. Some automated classification products also help identify threats and notify administrators of suspicious behaviour.  

However, automated tools can lead to less control over data. In cases where data may be difficult to classify, an automatic tool cannot interpret the context of information as comprehensively as a person can. 

As a result, you may wish to consider combining an automated solution with a user-centric strategy. 

For example, an automated tool can classify simple data but flags more vital information for a human review. On top of this, an overall human review should also be implemented to determine whether the automation is labelling correctly.  

Senior management buy-in

But training employees only goes so far – you also need support from management and the board for data classification to be successful. 

When top executives and managers lead by example, it shows that the rules also apply to them and gives employees a clear incentive to follow policies. 

By also ensuring that your middle management teams understand the importance of data classification, you can encourage them to champion it. 


  1. Use classifications to improve information security by focusing on business-critical data. 
  1. Implement straightforward policies, promote best security practices, and educate employees to reinforce your classifications. 
  1. Get support from senior management. 
  1. Monitor, maintain and update your data classification policy to ensure you continue to meet the changing needs of your organisation. 
  1. Adapt your data classification and wider cybersecurity strategy as threats to your data evolve. 

Above all…Keep it clear, simple and secure.

Building cybersecurity awareness, especially in relation to new and emerging threats, is the backbone of TSC’s offering. No matter the attack service or platform, TSC’s service will ensure your employees are aware and knowledgeable of the threats they will come across. 

Written by
Nas Ali
Cyber security and awareness content creator focused on emerging threats and the next wave of cyber security risks like AI, deepfakes and tech 4.0 initiatives in order to build towards a more secure organisational culture.
View Profile

See how we can help you protect your organisation today?

Circle 01
Circle 02
Circle 03

Join our mailing list

Subscribe to the TSC newsletter to receive exclusive news and advice