Carefully Classified: Understanding Information Classification
Have you ever accidentally sent a group email that contained all the recipients’ addresses in the ‘CC’ field? While this can be an innocent mistake in a personal email, exposing others’ contact details in a professional email could constitute a data breach.
Information classification is vital in maintaining your organisation’s reputation and future, so we’ve created the following blog to help explain what it is, why it’s important, and how to do it.
What is Information Classification?
Information classification is a way of categorising and concealing sensitive information so that it is only seen by those authorised to do so. It defines how confidential information should be handled and protected. For example, your organisation could have a number of classifications, including Public, Private or Restricted.
Your workplace policy should highlight the manner in which each classification is communicated. Remember, disclosing confidential information to unauthorised sources can lead to loss of productivity, customers, reputation and public trust, even if it’s accidental.
However, not all information requires the same protection.
What Should I Classify?
You should consult and familiarise yourself with your organisation’s policy regarding information classification, as there may be specific practices you need to be aware of.
However, confidential information that is not already publicly available must not be divulged to anyone who is not authorised to access it. The format of this information will vary, and each format therefore requires its own handling methods:
- All physical documents need to be classified.
- Lock all physical documents that contain confidential information away when not in use.
- When sending physical documents, remember to include a return address, mark the envelope ‘addressee only’ and do not include the classification level on it.
- Digital files containing confidential information should be password-protected on secure networks.
- Employees should only be able to access information if they are authorised to.
Removable Data Storage Devices
- You can place digital files in password-protected folders to reduce the risk of unauthorised access on removable data storage devices.
- Remember, removable devices are at high risk of loss or theft because of their portability and should be locked away when not in use.
Email
- Email accounts should be adequately password-protected to stop unauthorised individuals from accessing them. If you’re unsure what is adequate, we have recently written about creating the perfect password.
- The classification level should always be added to the subject line, and the information should be encrypted to ensure only the intended recipient sees the email’s contents.
- Remember to use the ‘CC’ and ‘BCC’ fields correctly. Including addresses in the Carbon Copy (CC) field means that those recipients’ addresses will be visible, whereas Blind Carbon Copy (BCC) will keep their addresses hidden.
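The three email rules above (classification label in the subject, encryption for anything non-public, and bulk recipients in BCC rather than CC) can be turned into a pre-send check. The following is an added example, not code from the original post; the `[LEVEL]` subject prefix, the limit of five visible recipients and the sample message are assumptions made for illustration.

```python
from email import message_from_string
from email.policy import default
from email.utils import getaddresses
import re
# The levels are the three named in the post; the "[LEVEL]" prefix and the limit are assumptions.
LEVELS = ("PUBLIC", "PRIVATE", "RESTRICTED")
LABEL_RE = re.compile(r"^\[(" + "|".join(LEVELS) + r")\]", re.IGNORECASE)
MAX_VISIBLE_RECIPIENTS = 5  # beyond this, recipients belong in Bcc

def classification_of(msg):
    """Label from a subject such as '[Restricted] Q3 figures' (upper-cased), or None."""
    m = LABEL_RE.match(str(msg.get("Subject", "")).strip())
    return m.group(1).upper() if m else None

def visible_recipients(msg):
    """Addresses every recipient can see: everything in To and Cc, never Bcc."""
    raw = [str(v) for v in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr for _, addr in getaddresses(raw) if addr]

def is_encrypted(msg):
    """True for an S/MIME or PGP/MIME envelope; a plain text body is not encrypted."""
    return msg.get_content_type() in ("application/pkcs7-mime", "multipart/encrypted")

def check_outgoing(msg):
    """Return the policy findings for one message; an empty list means it may be sent."""
    findings = []
    level = classification_of(msg)
    if level is None:
        findings.append("subject has no classification label such as [PRIVATE]")
    elif level != "PUBLIC" and not is_encrypted(msg):
        findings.append(f"{level} content is not encrypted")
    visible = visible_recipients(msg)
    if len(visible) > MAX_VISIBLE_RECIPIENTS:
        findings.append(f"{len(visible)} addresses exposed in To/Cc; use Bcc for bulk mail")
    return findings

def check_raw(text):
    """Parse an RFC 5322 message string and run the checks on it."""
    return check_outgoing(message_from_string(text, policy=default))

# Constructed sample: unencrypted restricted content with six visible recipients.
SAMPLE = """To: one@example.org
Cc: two@example.org, three@example.org, four@example.org, five@example.org, six@example.org
Subject: [Restricted] Q3 figures
Content-Type: text/plain

See attached.
"""
```

Running `check_raw(SAMPLE)` reports both the missing encryption and the six exposed addresses; a `[Public]` message with a single To recipient passes with no findings.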
Why Should I Classify?
Information breaches can have serious consequences for you and your organisation. Under the GDPR, your organisation could be fined up to €20 million or 4% of its annual turnover, whichever is greater.
Remember, even though the GDPR only applies to the personal data of EU citizens, the UK Data Protection Act (2018) is in place and includes the six security principles of the GDPR.
On top of this, your organisation could suffer reputational damage from a data breach, meaning you could lose relationships with customers and clients due to damaged trust.
To learn more about our Carefully Classified course or any of our other award-winning courses or services, get in touch or book a web demonstration.