Fresh Thoughts #65: How to Spring Clean Your Data

Lots of containers on a shelf.

Last week we looked at spring cleaning your network.

We split devices and access into network segments based on their business need and use case.

This week - it's all about organising your business information.

How to Spring Clean Your Data

Let me set expectations from the start… segregating and securing your business information will not happen overnight. It is a much bigger project than your network spring clean.

So why would you want to take this effort on?
Two reasons.

Firstly, it helps you simplify your business. Suppose you haven't thought about information classification and segregation before. In that case, how you work, store and process information will have grown organically over time.

Many businesses have information and tools spread everywhere. It's common to find that products and services were adopted because they were trendy or fit a niche requirement.

But like many pots of screws scattered around a junk-filled garage - it's hard to find what you need, and something important likely gets lost or forgotten.

This leads to wasted effort and increased risk.

Secondly - as you start to organise your information - it helps prioritise spending and effort.

  • What information should I back up to ensure business operations continue after a crisis?
  • Who should have access to the information? And how is access controlled?
  • What additional risks are involved that I need to consider?

Buckets of Sensitivity

Not all information is created equal.
But not all information is unique.

The most effective way to tame this problem is to think in terms of buckets of sensitivity. Here are four to consider:

  • HIGHLY CONFIDENTIAL information: Think of this as company-ending information.
  • CONFIDENTIAL information: What information - if disclosed would cause significant disruption? This information would cause the CEO to answer awkward questions.
  • INTERNAL information: This is the vast majority of information you hold. It can be identified by asking: What information is used internally, but I wouldn't lose sleep if it leaked?
  • PUBLIC information: What information does the world know - including all our competitors?

Each bucket needs a specific backup, access, and risk profile.

In time - labelling individual documents with their relevant bucket will help tools detect when information is in the wrong place - and prevent accidental disclosure. But to start, simply grouping data into these buckets is helpful.

This leaves the question - What type of information goes into each bucket?

Choosing Which Bucket to Use

Simply put - all data needs to be considered. But there are four general types of data to consider: regulated, business operations data, intellectual property & trade secrets, and public data.

Regulated data is data that has legal liability attached. And - if you get it wrong - then there are material financial or business-ending consequences that will be imposed on you.

Commonly this is payment information - that can be outsourced to specialist providers such as Stripe or Sum-Up.

But it also covers privacy regulations - like UK's GDPR and California's CCPA. Depending on the type of data you collect, this information must go into the CONFIDENTIAL or HIGHLY CONFIDENTIAL bucket.

Intellectual Property & Trade Secrets covers data that makes your business different and unique. That may be the sum of many micro-actions and decisions or a secret formula that needs to be protected.

But most commonly, this is about future plans - products and services that are in development. On the people side - this effort is probably separated from day-to-day business, with only a select few asked to be involved.

The challenge is ensuring this is the case on the data side too. This information will be HIGHLY CONFIDENTIAL.

Business Operations Data covers the vast majority of day-to-day business information. Suppose the information falls outside the previous two groups and isn't available to your competitors. In that case, it goes in the INTERNAL bucket.

Public Data is your digital face to the world. Keeping track will reduce confusion, and this information clearly goes into the PUBLIC bucket.

However, the crucial step is identifying who decides what data is made publicly available and what process is followed. You should continually ask, "Do I want the world and all my competitors to know this information?".

As open-source software and "building in the open" becomes more prevalent - the scope of PUBLIC information is more than simply sales, marketing and social media.

Final Thoughts

The points above are not comprehensive. Instead, they offer direction on how to start.

As you work through your data, you will find nuance and details you may not have considered before. Concerns about data aggregation may arise, but starting and getting a foundation in place is vitally important.

May 9, 2023
4 Minutes Read

Related Reads

chalk board with math formulas

Fresh Thoughts #17: Foundations and First Principles

Cybersecurity doesn't need to be complicated. Here are 2 models to ask questions and find gaps.

Fresh Thoughts to Your Inbox

Fresh perspectives on cybersecurity every Tuesday. Real stories, analytical insights, and a slash through buzzwords.

We'll never share your email.

Subscribe to Fresh Thoughts

Our weekly newsletter brings you cybersecurity stories and insights. The insights that help you cut through the bull.

We'll never share your email.


Fresh Security Support

Your Questions


Fresh Sec Limited

Call: +44 (0)203 9255868