Start with a simple but comprehensive Data Classification program and announce it to staff:
- If the data is on the organization's website or in marketing material, it is public.
- If the data is shared internally and should only be stored on company-owned devices, it is confidential. Mark it confidential along with the name of the data owner, and never send it to or store it on hardware that is not company-owned (and maintained).
- If the data is proprietary, regulated, or includes an identifier of any kind, it is restricted. Mark it restricted with the name of the data owner; any transmission, internal or otherwise, requires written authorization.
Follow up by making today the day all data gets marked going forward and commit to a quarterly goal of reclassifying all other data.