Letters | Why Cathay Pacific data breach should trigger talk about data classification for cybersecurity
- No matter how small or simple the business, data protection must be a priority and the starting point is data classification
- In seeking cybersecurity, we need to make sure we are aligning data protection strategies with the actual threat
This episode should be a wake-up call, reminding us that information security must not be confined to conferences attended by the big targets: finance and insurance.
First, we need to look at data protection as a cyber-risk problem, not a cybersecurity problem per se – and the two must not be mixed up. Second – and this is an uncomfortable truth – there is no such thing as complete security although there is an acceptable level of risk.
Most importantly, however, business leaders need to start looking at a company’s cyber risk in terms of its impact on customers, share price or reputation – and this applies to all companies, whether a supermarket chain or a food-delivery app.
No matter how small or simple the business, data protection must be a priority and the starting point is data classification: classifying data into distinct categories based on the sensitivity of the data and risk of harm if the data is breached. Such classification allows a business to effectively and efficiently align appropriate security controls, such as encryption or other access control measures, according to relative risk.