As defined in Wikipedia:
Unstructured Data (or unstructured information) refers to information that either does not have a pre-defined data model or is not organized in a pre-defined manner. Unstructured information is typically text-heavy, but may contain data such as dates, numbers, and facts as well. This results in irregularities and ambiguities that make it difficult to understand using traditional programs as compared to data stored in fielded form in databases or annotated (semantically tagged) in documents.
So, why would a member of the management staff, the IT staff, or an everyday user care about unstructured data? Simply put, many organizations have very large exposure because of unstructured data and are not even aware of it. How can this be when we know where our data resides? While that may be true, do you know WHO has access to that data internally? Truth be told, many organizations think that they have a handle on who can get to what, but, unless they truly have a process in place to track this, they most likely don’t.
To illustrate, let’s use an example of something that we hear all of the time in the IT industry. Tom, the IT director at XYZ Corporation, is approached by Mary, the Office Manager, who has a new employee (Brandy) starting on Monday, and, of course, today is Thursday. Mary tells Tom that Brandy will be in Accounts Payable and asks him to set her up like Tony in the Accounts Payable department. That means that Brandy and Tony will have the same file-level access. This all seems very logical. The kicker is that Tony started out in HR and later changed over to Accounts Payable, and his file-level permissions were never changed. Now we have a brand new employee who has access to all personnel files, including salaries, etc. This type of thing happens all of the time, creating massive exposure for companies.
In this day and age, another huge buzzword is “security.” Many companies have regulatory requirements that they must adhere to, such as HIPAA, SOX, PCI, etc. Without management of the unstructured data on the network, there may be files with social security numbers, bank account numbers, credit card numbers, etc. in areas that are open to people who should not have access. This is just one of the violations that can result from a lack of true data management. There is also the concern of knowing who recently changed the data and of tracking the changes to that data. Also, what if an employee is copying data off of the network because of some personal vendetta? There are many areas in which a lack of management of unstructured data can cause a company harm.
The key to all of this is to understand where you are as a company when it comes to data management. Let me tell you that, in many cases, just managing through Microsoft Active Directory is not enough, especially given that many network administrators are inheriting a network that was already set up and may not have data management procedures in place to the extent they should. Therefore, you should ask the following: How do we know who has access to what at the network file level (and can we run a report on it)?
Can we be sure that no social security numbers, bank account numbers, salaries, or credit card numbers are in random files on the network? If someone transfers files to a USB drive and takes it offsite, will we even know? Moreover, can we tell who made changes to files or moved them? These are just a few initial questions to ask, and, based on your industry, there may be many more.
If the answer to any of those questions is “no,” then you may be exposed as a company. There are tools available in the industry to help remove these exposures, and, while some may be a significant financial investment, that investment is often a fraction of what an exploited exposure could cost a company, whether in real dollars or in soft costs from a hit to its reputation.