Do you know where your data is?
Think of Donald Rumsfeld's 2002 quote about weapons of mass destruction: “There are unknown unknowns”. Strange as it may sound, the same applies to data: you need to know what you have, where it is, who owns it, and what it contains. You cannot protect what you do not know about. Search for data manually or use automated discovery tools to identify it. It may be anywhere: laptops, desktops, phones, SharePoint, OneDrive, databases, the cloud, and on paper.
Data classification
To protect something, you need to know its classification and value before choosing protection or control measures. Public, internal, confidential and strictly confidential are sensible levels for a commercial organisation. Classification is generally done in one of three ways:
- User classification: get the user to select a classification in Word, Excel, PowerPoint or when sending an email.
- Content classification: automated tools, including DLP, assign a classification based on the contents, e.g. credit card numbers, IBANs, SSNs, a general regex match or a list of dictionary words.
- Context classification: a classification is assigned based on characteristics such as file extension, where the file came from, the person’s username, time, date, file name, etc.
Is it really critical? Offline it
Do you store ultra-sensitive data? Consider off-lining it, a method used by some organisations, usually within the government, military or defence contractors. Airgapping is the technical name. Create two networks or two computers—one for general documents, internet, and email use, and another for storage of ultra-sensitive data, which has no connection to the outside world. Remove the internet connection, and the only way to get in is physically. Wi-Fi, Airdrop, and Bluetooth need to be removed as well.
Use DLP (data loss/leakage prevention)
DLP can be a dedicated endpoint agent, run on the network (NDLP), built into email or web filters, and applied almost anywhere else you can imagine. It inspects content leaving the organisation and can even decrypt TLS traffic to do so. If you need to be PCI-DSS compliant, check for card numbers, CVVs, expiration dates and keywords in outbound emails, web traffic, Bluetooth and AirDrop transfers, and files being moved to CD/DVD/USB devices.
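The content-classification and DLP checks described above, in a worked example added here (this is not code from the original page or from any DLP product). The point a practitioner cares about is false positives: a regex alone flags every 16-digit order number, so each candidate card number is validated with the Luhn checksum and each candidate IBAN with the ISO 13616 mod-97 check before it counts. The classification levels are the ones the article lists; the patterns, keyword list and the mapping from findings to a level are assumptions chosen for the example.

```python
import re

# Classification levels from the article, least to most sensitive.
LEVELS = ["public", "internal", "confidential", "strictly confidential"]

# Candidate patterns (constructed for this example). A regex hit alone is not
# enough: each candidate is checksum-validated below to avoid false positives.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")          # 13-19 digits, spaces/dashes allowed
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b")  # country, check digits, BBAN
KEYWORDS = {"cvv", "cvc", "expiry", "expiration"}         # PCI-style keywords


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def iban_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check on a compact (space-free) IBAN.

    Move the first four characters to the end, replace letters with 10..35,
    and the resulting integer must be congruent to 1 modulo 97.
    """
    rearranged = iban[4:] + iban[:4]
    numeric = "".join(str(int(c, 36)) for c in rearranged)
    return int(numeric) % 97 == 1


def find_cards(text: str) -> list:
    """Return Luhn-valid card numbers found in text, digits only."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def find_ibans(text: str) -> list:
    """Return mod-97-valid IBANs found in text, in compact form."""
    found = []
    for m in IBAN_RE.finditer(text):
        compact = m.group().replace(" ", "")
        if iban_ok(compact):
            found.append(compact)
    return found


def classify(text: str) -> tuple:
    """Classify one outbound message or file body; returns (level, reasons)."""
    reasons = []
    cards = find_cards(text)
    ibans = find_ibans(text)
    keywords = sorted(w for w in KEYWORDS if re.search(rf"\b{w}\b", text, re.I))
    if cards:
        reasons.append(f"{len(cards)} card number(s) passing Luhn")
    if ibans:
        reasons.append(f"{len(ibans)} IBAN(s) passing mod-97")
    if keywords:
        reasons.append("payment keyword(s): " + ", ".join(keywords))
    # Assumed policy for the example: cards outrank IBANs, which outrank keywords.
    if cards:
        level = "strictly confidential"
    elif ibans:
        level = "confidential"
    elif keywords:
        level = "internal"
    else:
        level = "public"
    return level, reasons


if __name__ == "__main__":
    # Constructed sample messages; 4111 1111 1111 1111 is a well-known test PAN.
    for sample in ("Card 4111-1111-1111-1111, CVV 123",
                   "Pay to GB82 WEST 1234 5698 7654 32.",
                   "Order ref 4111 1111 1111 1112",
                   "Lunch menu for Friday"):
        print(sample, "->", classify(sample))
```

In a real DLP policy the classify result would drive the action (block, encrypt, or alert) and the reasons would go to the audit log; note that the IBAN pattern is greedy, so an IBAN immediately followed by an upper-case word needs the caller to normalise the text first.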
Access control
If data belongs to accounts payable or accounts receivable, someone in lingerie buying does not need to see it in a web-based CRM or on a network share. Use separate ACL groups to restrict access, and generate alerts if someone who should not see the data tries to access it.
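A small worked model of the group-based ACL and alerting just described, added here as an example rather than taken from the page. The share paths, group names, users and the alert threshold are constructed for the illustration; the two points it shows are deny-by-default (a share with no ACL entry, or a user with no groups, gets nothing) and that repeated denied attempts from one account are surfaced as an alert rather than silently dropped.

```python
from collections import defaultdict

# Constructed example data: which groups may read each share or CRM view.
SHARE_ACL = {
    r"\\fileserver\finance\payables":   {"grp-accounts-payable"},
    r"\\fileserver\finance\receivable": {"grp-accounts-receivable"},
    r"\\fileserver\buying\lingerie":    {"grp-buying-lingerie"},
}

# Constructed directory group memberships.
USER_GROUPS = {
    "alice": {"grp-accounts-payable", "grp-all-staff"},
    "bob":   {"grp-buying-lingerie", "grp-all-staff"},
}

ALERT_THRESHOLD = 3  # assumed: alert on the third denied attempt by one user


class AccessMonitor:
    """Evaluates share access against group ACLs and records an audit trail."""

    def __init__(self):
        self.denied = defaultdict(int)   # user -> count of denied attempts
        self.audit = []                  # (user, share, decision) records
        self.alerts = []                 # human-readable alert messages

    def check(self, user: str, share: str) -> bool:
        # Deny by default: unknown share or unknown user yields an empty set.
        allowed_groups = SHARE_ACL.get(share, set())
        user_groups = USER_GROUPS.get(user, set())
        ok = bool(allowed_groups & user_groups)
        self.audit.append((user, share, "ALLOW" if ok else "DENY"))
        if not ok:
            self.denied[user] += 1
            if self.denied[user] == ALERT_THRESHOLD:
                self.alerts.append(
                    f"{user}: {ALERT_THRESHOLD} denied attempts on restricted shares")
        return ok


def demo() -> dict:
    """Run a constructed sequence of access attempts and return the outcome."""
    mon = AccessMonitor()
    results = {
        "alice_payables": mon.check("alice", r"\\fileserver\finance\payables"),
        "bob_payables":   mon.check("bob", r"\\fileserver\finance\payables"),
        "bob_receivable": mon.check("bob", r"\\fileserver\finance\receivable"),
        "bob_unknown":    mon.check("bob", r"\\fileserver\hr\salaries"),
        "bob_lingerie":   mon.check("bob", r"\\fileserver\buying\lingerie"),
    }
    results["alerts"] = list(mon.alerts)
    results["audit_len"] = len(mon.audit)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

In practice the audit records would be the file server's own access logs shipped to a SIEM, and the threshold rule would be a detection there; the structure is the same.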
Integrity via digital signatures
Documents or emails can be edited after the “final” version or after a contract has been agreed. For £20 or so a year you can get a private/public key pair that can sign emails and files. A signed file offers authenticity, meaning you know who edited/signed it, and integrity, meaning you can tell whether it has changed since signing.
Encrypt sensitive files
Protect files using encryption; this makes it difficult for other departments to open them and also protects them when they are transferred outside the company by email, USB or disc. Microsoft Office offers basic password protection as standard, but it is advisable to use a paid-for product if your data is more sensitive.
Backups
No data equals no business. Think of a hairdresser salon that loses its bookings database; they would not know who is coming or their proposed income. See the backups pages for more details.
Destroy old data
For paper, the option is to shred, ideally with a cross-cut shredder. If you have a laptop, desktop or Mac, you can physically destroy the drive or use overwriting software to sanitise it so it can be reused, donated or sold. Single files can be overwritten on most operating systems, which prevents recovery and bypasses the recycle bin. Don’t forget data in the cloud: if you part ways with the cloud provider, remove your data before exiting.
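The single-file overwrite mentioned above, as an added example (not a tool from the page): the file's blocks are replaced with random bytes, forced to disk with fsync, truncated and only then unlinked, so the old contents are not left in place for an undelete tool to find. The `demo_wipe` helper and its sample file are constructed for the illustration.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 16  # 64 KiB write buffer


def overwrite_and_delete(path: str, passes: int = 1) -> int:
    """Overwrite a file in place, flush to disk, then remove it.

    Returns the number of bytes overwritten per pass. Unlike sending the file
    to the recycle bin, this replaces the data blocks the file occupied.
    """
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # reach the disk, not just the page cache
    # Drop the length too, then unlink the directory entry.
    with open(path, "r+b") as fh:
        fh.truncate(0)
    os.remove(path)
    return size


def demo_wipe() -> tuple:
    """Create a constructed sensitive file, wipe it, report (size, still_exists)."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "customer-cards.txt")
    with open(path, "wb") as fh:
        fh.write(b"card 4111 1111 1111 1111\n" * 100)  # constructed sample content
    size = overwrite_and_delete(path, passes=2)
    return size, os.path.exists(path)


if __name__ == "__main__":
    print(demo_wipe())
```

Two caveats a practitioner should keep in mind: on SSDs with wear levelling, on copy-on-write or journaling file systems, and on cloud or synced storage, the old blocks may survive elsewhere despite the overwrite, so for a whole drive rely on full-disk encryption with key destruction or the manufacturer's secure-erase command; and backups or shadow copies still hold earlier versions of the file.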
Document standards/policies
Ask most staffers what the classification schema is or where information security policies are, and most will have no idea. Have them stored in a central point accessible to all, and advise staffers where they sit.
Train your staff
The phrase “your staff are your weakest link” is a bit dated and offensive. It is your responsibility to train them in general data handling and general cyber security. Go beyond pre-recorded computer-based training (CBT).
Location
If you are a business, charity or government department, it is a good idea to store all your data within the UK or EU. The UK Data Protection Act and the GDPR favour data being stored within the UK or EU.
Do not store on a web server
A good rule is to store on a website only what you want the public to see. Web servers are publicly reachable and their content can be crawled. ACS: Law was caught out because private data was held on a web server and was subsequently leaked, generating bad PR.
Remove access
Keep an eye on what access staff have, and as part of JML (joiners, movers, leavers), remove access the day, or better the hour, anyone leaves the firm.
Filter websites and control CD/DVD/USB access
CD/DVD drives are seldom seen these days, but a few might be knocking around. Disable such drives by software or hardware means. The same goes for USB devices and SD cards.
Consider DRM (digital rights management)
Once data has left the firm by email, web, CD/DVD or USB, there is typically nothing you can do unless you use DRM. DRM uses encryption, signing and an internet connection to control the data, so you can remotely lock files or stop them being printed even days after they left your organisation.
Use AI with caution
ChatGPT or Grammarly might be great and free, but what happens to your data? Use web filtering policies or DLP to control the transfer of company classified data to such tools or websites. DeepSeek is new as of 2025. Whether Chinese, American or British, they all mine the data ingested into them.