Analyse your data: if you do not, you cannot say what to protect, how much to spend or how to do it.
That is the message visitors will hear at the RSA security conference that opens in San Francisco next week.
Speaking at a show briefing, Nick Selby, an analyst with the 451 Group, said, "Companies that cannot classify their data cannot control it."
Recent research by his company, covering more than 300 global firms, had shown that only 37% had tried to establish what data they actually held and where they stored it. Only 20% had looked at where, with whom and how that data was exchanged, he said.
"Some 25% had a data classification scheme, but enforcing it was a complete mess," he said. This allowed increasingly sophisticated and well-funded attackers to exploit gaps to go after sensitive, crucial information. Target data included financial and customer data as well as intellectual property such as designs and formulas, he said.
Paul Stamp, an analyst with Forrester Research, said that if some information was vital to a company, it would either leak accidentally or come under attack. "Every firm is unique in what data are crucial to them," he said. "If they cannot quantify the risks of losing them or having them compromised, they cannot find the right tools to protect them."
Selby said, "By volume, 99% of data breaches are caused by stupidity." He said companies need to develop a security awareness, starting at the top, so that staff do not act rashly.
Companies had to back up security training with practical and enforced usage policies to change behaviours, he said. Tools such as identity and access management systems could help monitor and control behaviour.
Threats from "the cloud" or cyberspace, such as port sniffing, code injection, Trojans and phishing, could be defeated by greater use of code-checking software and intrusion detection and prevention tools, he said.