
The Monthly Cyber Resilience Series: Data Classification, Encryption and Access Control in Practice

  • May 29
  • 4 min read

Why Not All Data Is Equally Important

In our previous article, we discussed the importance of understanding the information your organisation holds. However, once you have created an inventory of your data, a new challenge quickly emerges. How do you protect all that information?


At first glance, the answer seems straightforward: protect everything equally. In practice, that is almost impossible. Organisations work with hundreds or thousands of documents, databases, emails, reports, and business records every day. Some of these could be made public without causing any harm. Others could result in significant financial, reputational, or legal consequences if they fell into the wrong hands.


This is why effective data protection does not begin with technology. It begins with understanding the value of information. In other words, before deciding how to protect something, you need to understand how important it is.


Classification as the Foundation of Protection


Imagine your office contains four filing cabinets.


The first contains marketing materials and documents intended for public distribution. The second contains internal procedures and working documents. The third contains contracts, financial reports, and business plans. The fourth contains employee records, customer information, and other sensitive data.


Would you leave all four cabinets unlocked? Of course not. Yet this is exactly what often happens in digital environments. When organisations do not classify their information, everything ends up stored in the same locations, protected by the same controls, and accessible to the same groups of people. The result is that valuable resources are spent protecting less important information, while truly critical information may not receive the attention it deserves.


A good classification scheme does not need to be complicated. For most organisations, four categories are sufficient:

  • Public – information that can be shared openly without concern.

  • Internal – information intended for employees and trusted partners.

  • Confidential – information whose disclosure could harm the organisation.

  • Sensitive – information whose compromise could result in serious consequences for individuals or the organisation.

Once information has been classified, it becomes much easier to determine what level of protection is appropriate.


What Encryption Actually Does


Encryption is one of the most frequently used terms in cybersecurity, but also one of the most misunderstood. Many people see it as a kind of magical protection that solves every problem. In reality, encryption has a very specific purpose: it ensures that information remains unreadable to anyone who does not possess the correct key. It does not, by itself, stop a legitimate user from misusing data they are allowed to read, and it is only as strong as the protection of the key. A backup encrypted with a key that is stored alongside it is, in practice, not protected at all.


This means that even if an attacker steals a device or obtains copies of files, the information itself remains useless unless it can be decrypted. Today, most modern operating systems provide built-in encryption capabilities (for example BitLocker on Windows, FileVault on macOS and LUKS on Linux). Yet many organisations still fail to use them consistently. Particular attention should be given to:

  • employee laptops

  • portable storage devices

  • backup systems

  • cloud storage platforms

These are often the locations where the organisation's most valuable information resides.
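The point above, that a stolen copy of a file is useless without the key, can be seen directly in code. What follows is an added example and is not taken from the original article; it uses the Python `cryptography` package (assumed to be installed) and its AES-GCM interface, with a constructed sample record. The classification label is bound to each record as associated data, so a ciphertext cannot later be relabelled as a lower category without the authentication tag failing, and a copy with a wrong key, a wrong label or a flipped bit yields nothing rather than garbage.

```python
import os
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the standard size for AES-GCM
TAG_LEN = 16    # GCM authentication tag appended to the ciphertext


def encrypt_record(key: bytes, plaintext: bytes, label: bytes) -> bytes:
    """Encrypt one record with AES-256-GCM and return nonce || ciphertext || tag.

    The classification label is passed as associated data: it is authenticated
    but not encrypted, so it can be read for routing while remaining bound to
    this particular ciphertext.
    """
    nonce = os.urandom(NONCE_LEN)  # fresh random nonce per record; never reuse one with the same key
    return nonce + AESGCM(key).encrypt(nonce, plaintext, label)


def decrypt_record(key: bytes, blob: bytes, label: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the key, the label or the data is wrong.

    GCM verifies the tag before releasing any plaintext, so a stolen or
    modified copy cannot be partially recovered.
    """
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    try:
        return AESGCM(key).decrypt(nonce, ciphertext, label)
    except InvalidTag:
        return None


def stolen_file_scenario() -> dict:
    """Walk through the 'attacker obtains a copy' case and report what they get."""
    key = AESGCM.generate_key(bit_length=256)  # belongs in a key store, not next to the data
    record = b"employee=A. Example; salary=54000; iban=<redacted>"  # constructed sample record
    blob = encrypt_record(key, record, b"Sensitive")

    attacker_key = AESGCM.generate_key(bit_length=256)   # a guess; the real key was never on the device
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])       # one bit of the tag flipped

    return {
        "plaintext_visible_in_file": record in blob or b"salary" in blob,
        "decrypt_with_right_key": decrypt_record(key, blob, b"Sensitive") == record,
        "decrypt_with_wrong_key": decrypt_record(attacker_key, blob, b"Sensitive"),
        "decrypt_with_wrong_label": decrypt_record(key, blob, b"Public"),
        "decrypt_tampered_copy": decrypt_record(key, tampered, b"Sensitive"),
    }


if __name__ == "__main__":
    for check, result in stolen_file_scenario().items():
        print(f"{check:28} {result!r}")
```

The only thing the attacker needs in this picture is the key, which is why the list above matters: laptops, USB drives and backups are exactly the places where an encrypted copy and its key tend to end up together (a recovery key in a text file on the same disk, a backup job with the passphrase in its configuration).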


The Most Common Problem Is Not Hacking - It Is Excessive Access


When people think about data protection, they often imagine external attackers. However, many security incidents arise from a much simpler problem. Too many people have access to too much information. Over time, employees change roles, projects end, contractors come and go, and organisational structures evolve. Yet access permissions often remain unchanged. The result is an environment where individuals continue to have access to documents and systems they no longer need. This increases the likelihood of:

  • accidental mistakes

  • unintended data exposure

  • misuse of compromised accounts


This is why modern cybersecurity programmes emphasise the principle of least privilege. The idea is straightforward: Every individual should have access only to the information required to perform their job. Nothing more. Nothing less.
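Least privilege only holds if someone periodically compares what people have against what their current job requires. The following is an added example, not part of the original article: a small Python access review that takes a constructed role-to-resource matrix, a constructed staff directory and a list of current grants, and reports every grant that the holder's present role no longer justifies. All names, roles and resources are invented for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: what each role genuinely needs, taken from the job
# description rather than from what people happen to have today.
ROLE_NEEDS: Dict[str, Set[str]] = {
    "sales":          {"crm", "pricelist"},
    "finance":        {"erp", "pricelist", "payroll"},
    "contractor-web": {"cms"},
}


@dataclass
class Person:
    user: str
    role: str
    active: bool                          # False once HR has offboarded the person
    contract_end: Optional[date] = None   # set for contractors and fixed-term staff


@dataclass(frozen=True)
class Finding:
    user: str
    resource: str
    reason: str   # NO_OWNER, INACTIVE, CONTRACT_ENDED or EXCEEDS_ROLE


def review_access(people: List[Person], grants: List[Tuple[str, str]], today: date) -> List[Finding]:
    """Compare every grant against what its holder currently needs.

    Each grant that cannot be justified by the holder's current role is
    returned as a finding; the caller decides whether to revoke or re-approve.
    """
    directory = {p.user: p for p in people}
    findings: List[Finding] = []
    for user, resource in grants:
        person = directory.get(user)
        if person is None:
            findings.append(Finding(user, resource, "NO_OWNER"))        # orphaned account
        elif not person.active:
            findings.append(Finding(user, resource, "INACTIVE"))        # left, but access remained
        elif person.contract_end is not None and person.contract_end < today:
            findings.append(Finding(user, resource, "CONTRACT_ENDED"))  # engagement over
        elif resource not in ROLE_NEEDS.get(person.role, set()):
            findings.append(Finding(user, resource, "EXCEEDS_ROLE"))    # usually left over from a previous role
    return findings


# Constructed sample: a small organisation after a year of role changes.
PEOPLE = [
    Person("alice", "sales", True),                                        # moved from finance to sales
    Person("bob", "finance", True),
    Person("carol", "contractor-web", True, contract_end=date(2024, 3, 31)),
    Person("dave", "sales", False),                                        # offboarded
]
GRANTS = [
    ("alice", "crm"), ("alice", "pricelist"), ("alice", "payroll"),  # payroll grant never removed
    ("bob", "erp"), ("bob", "payroll"),
    ("carol", "cms"), ("carol", "crm"),
    ("dave", "crm"),
    ("erin", "erp"),                                                  # no HR record for this account
]

if __name__ == "__main__":
    for f in review_access(PEOPLE, GRANTS, date(2024, 6, 1)):
        print(f"{f.user:6} {f.resource:10} {f.reason}")
```

Run against the sample on 1 June 2024 it flags alice's leftover payroll access, both of carol's grants (her contract ended in March), dave's account (offboarded) and the account "erin" that nobody owns. Run on 1 March, before carol's contract ended, only her CRM grant is flagged, because the web contractor role never needed it. The same comparison, fed from the identity provider and HR system instead of literals, is what a recurring access review automates.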


Trust Is Good, Audit Trails Are Better


Another common mistake is assuming that restricting access is enough. In reality, it is equally important to understand what happens after access has been granted.

  • Who opened the document?

  • Who downloaded the file?

  • Who modified the information?

  • When did those actions occur?


The answers come from audit logs and access records. Without them, investigating incidents becomes significantly more difficult, and in some cases nearly impossible. Logs are only useful if they are complete, kept for long enough to cover the gap between an incident and its discovery, and stored where the people they record cannot alter or delete them, ideally forwarded to a separate system. This is why mature organisations do not only protect information itself. They also protect and maintain the records that show how that information has been used.
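To show what those four questions look like against real records, here is an added example that is not part of the original article. It parses a constructed JSON-lines access log (the field names `ts`, `user`, `action`, `doc` and `class` are an assumption, not any particular product's format), rebuilds the history of one document, and applies two checks that tie the log back to the classification scheme: access to Confidential or Sensitive documents by someone not on their access list, and one user pulling several such documents in a short window.

```python
import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

RESTRICTED = ("Confidential", "Sensitive")

# Constructed sample export, one JSON object per line (invented for this example).
SAMPLE_LOG = """\
{"ts": "2024-06-03T08:12:04Z", "user": "bob",   "action": "open",     "doc": "payroll/2024-05.xlsx",    "class": "Sensitive"}
{"ts": "2024-06-03T08:13:40Z", "user": "bob",   "action": "download", "doc": "payroll/2024-05.xlsx",    "class": "Sensitive"}
{"ts": "2024-06-03T09:02:11Z", "user": "alice", "action": "open",     "doc": "marketing/brochure.pdf",  "class": "Public"}
{"ts": "2024-06-03T10:30:00Z", "user": "bob",   "action": "modify",   "doc": "payroll/2024-05.xlsx",    "class": "Sensitive"}
{"ts": "2024-06-03T22:41:09Z", "user": "alice", "action": "download", "doc": "payroll/2024-05.xlsx",    "class": "Sensitive"}
{"ts": "2024-06-03T22:41:30Z", "user": "alice", "action": "download", "doc": "hr/contracts.zip",        "class": "Sensitive"}
{"ts": "2024-06-03T22:45:02Z", "user": "alice", "action": "download", "doc": "finance/plan-2025.docx",  "class": "Confidential"}
{"ts": "2024-06-03T22:46:00Z", "user": "alice", "action": "open",     "doc": "marketing/brochure.pdf",  "class": "Public"}
"""

# Constructed access lists for the restricted documents (who is allowed at all).
AUTHORISED: Dict[str, Set[str]] = {
    "payroll/2024-05.xlsx": {"bob"},
    "hr/contracts.zip": {"bob", "hr-admin"},
    "finance/plan-2025.docx": {"bob"},
}


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    doc: str
    cls: str


def parse_log(text: str) -> List[Event]:
    """Parse JSON lines into time-ordered events; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        ts = datetime.fromisoformat(r["ts"].replace("Z", "+00:00"))  # works on Python < 3.11 too
        events.append(Event(ts, r["user"], r["action"], r["doc"], r["class"]))
    return sorted(events, key=lambda e: e.ts)


def document_history(events: List[Event], doc: str) -> List[Tuple[str, str, str]]:
    """Who opened, downloaded or modified this document, and when."""
    return [(e.ts.isoformat(), e.user, e.action) for e in events if e.doc == doc]


def unauthorised_access(events: List[Event], authorised: Dict[str, Set[str]]) -> List[Event]:
    """Events on restricted documents by users not on the document's access list."""
    return [e for e in events
            if e.cls in RESTRICTED and e.user not in authorised.get(e.doc, set())]


def bulk_downloads(events: List[Event], threshold: int = 3,
                   window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Users who downloaded at least `threshold` distinct restricted documents inside one window."""
    by_user: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        if e.action == "download" and e.cls in RESTRICTED:
            by_user[e.user].append(e)
    flagged: Dict[str, int] = {}
    for user, evs in by_user.items():
        for i, start in enumerate(evs):                        # slide the window from each download
            docs = {x.doc for x in evs[i:] if x.ts - start.ts <= window}
            if len(docs) >= threshold:
                flagged[user] = max(flagged.get(user, 0), len(docs))
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for row in document_history(evs, "payroll/2024-05.xlsx"):
        print(*row)
    for e in unauthorised_access(evs, AUTHORISED):
        print("unauthorised:", e.user, e.action, e.doc)
    print("bulk:", bulk_downloads(evs))
```

In the sample, the payroll history shows bob opening, downloading and modifying the file during the day and alice downloading it late in the evening; alice is on none of the access lists, and she pulls three restricted documents within four minutes, which both checks surface. Without the log there would be no way to tell which of those two users, if either, was behind a later leak.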


Security Is Not a Project - It Is a Process


One of the biggest misconceptions in cybersecurity is the belief that data protection can be solved through a single project or technology purchase. Information changes. Organisations change. People join and leave. Business priorities evolve. As a result, organisations must continuously review:

  • who has access to which information

  • whether data is being retained longer than necessary

  • whether protection measures remain appropriate

  • whether new legal, regulatory, or business requirements have emerged


The most successful organisations do not treat data protection as a technical exercise. They treat it as an ongoing process of risk management.


Conclusion


Data classification, encryption, and access control may not sound as exciting as artificial intelligence, ransomware, or sophisticated cyberattacks. Yet these three areas form the foundation of modern information security. When an organisation understands the information it holds, recognises its value, and controls who can access it, it significantly reduces the impact of almost any security incident. In the end, cybersecurity is not primarily about technology. It is about managing and protecting the information that has been entrusted to you. And that responsibility begins with understanding what matters most, who should have access to it, and how it should be protected.

t. +387 33 448 280

e. csec_official@csec.ba

a. Gradačačka 114

    Sarajevo, Bosnia and Herzegovina

The establishment of CSEC has been supported by the UK Government.
