What does an organisation mean by the term 'confidential'? How does it apply in practice - does it actually fit with the day-to-day activities of the business? Do people use the term in anger? And, most of all, is it enforceable?
Some organisations tend to bandy such words around without having a clear idea of what they stand for or, indeed, what anyone should do about them. While, in our experience, very few companies are what we might term 'best in class', implementing best practice around document markings does not have to be onerous.
From working with clients we know that businesses working in more regulated sectors tend to over-classify information, preferring to protect more than is necessary rather than being caught out. While an "If in doubt, keep it in" approach does make corporate documents more secure, it can add unnecessary, potentially avoidable cost.
Meanwhile, unregulated organisations tend to under-classify information. The factors behind this are complex and, potentially, difficult to unpick but are often based on a lack of adopted process around information management. While procedures may exist they can be out of date or, quite simply, the pervading attitude is one of, "Well, nobody else does it." If the bulk of existing documents are unclassified, why bother?
From a security manager's perspective, this inertia can be frustrating. In response, a straightforward question to ask is: does it really matter? Answering it requires looking at the business model of the organisation and understanding what information really deserves to be marked as confidential, and why.
For example, the sales planning department of a retailer may be emailing forward pricing information in the clear to suppliers and partners, or senior management may be reviewing draft financial data and storing it on laptops. Given that risk is probability times impact, it is possible to present a view of whether corporate risk is being pushed to unnecessarily high levels by the absence of basic controls.
If senior management then choose to ignore such information, that is their prerogative. As with seat belts in cars, the pervading attitude might be that accidents always happen to other people - but sufficient examples of laptop theft, data leaks and other such happenings suggest otherwise.
Even so, the most lackadaisical of organisations should be able to recognise certain information types that absolutely must be treated as confidential, and deal with them accordingly - for example by using existing document markings, password protection or available rights management mechanisms.
Asking questions around information classification can be a tough call, but that doesn't mean it shouldn't be asked.
Do you have any questions? I look forward to discussing this topic with you. Feel free to post your comments below.