
Your Data Is in Clear and Present Danger

David Junge

Russia and North Korea are already waging cyber war against Europe. Nobody knows what happened with the Americans. At the same time, the Chinese are stealing our IP and bragging about it on TikTok.

And to make matters even worse, all the Tech Titans are in a cut-throat AI race where your data is the best fuel available. So to believe that your data in any Titan's cloud is not used to train AI is probably nothing but wishful thinking.

If there ever was a time for any CISO to rise and shine, the time is now

As a CISO, it has always been best practice to assume that bad actors already have access to our infrastructure. So we have spent our time on stuff like:

  • Implement Least Privilege Access

  • Patch Management and Vulnerability Scanning

  • Deploy Endpoint Detection and Response

  • Centralize Logging and SIEM Monitoring

  • Apply Network Segmentation and Zero Trust Architecture

  • Enforce Credential Hygiene and Secret Management

  • Apply Security Configuration Baselines

  • Conduct User Awareness and Phishing Simulation

These are just some of the top controls on any CISO's list.

But here's the kicker: nearly all of the above controls are useless when bad actors gain access to your unstructured data.

For years, we as CISOs have avoided taking a thorough look at our unstructured data, primarily because it was super difficult, because we were afraid of what we might find, and because, if our fears came true, there was very little we could do about it.

In 2025, Data & More started rolling out Security Classification as part of the standard GDPR compliance. Based on analysis of more than 4 billion datasets, the results are bad. Really, really, really bad.

What bad actors will find in your data

If you are a CISO in a 200+ FTE organization, chances are that bad actors from state-run organizations will find:

  • Pentest reports in the mail. Thank you for the help!

  • Infrastructure and network diagrams, which help take control of the infrastructure

  • Inventory lists and versions, which reveal known vulnerabilities

  • Active passwords to core systems such as HR, finance, and logistics (the production system seems to be better protected)

  • Source code for custom development, making it extremely easy to hack and exploit

  • Log files with vulnerabilities in clear text, making it really easy to identify the weak links

The list goes on.

If our analysis is correct (and 4 billion datasets concur), unstructured and unmanaged security information has turned out to be the weakest part of the majority of organizations' security frameworks.

However, we (Data & More) are not good enough yet. There is still security information that we have not identified.

What to do about it

If you are a CISO or simply interested in security classification, please join our new security network. We would like to hear from you: what kind of security data are you looking for? What are the unique identifiers for a specific security class, type, or security document?

Over the next 12 months, we will host a series of CISO hands-on events where you can share your concerns and ideas on addressing security risks in unstructured data.

The meetings will be centered around a discussion of what constitutes security data, how we can identify it, what should be done about it, and how.

We plan to build the world's best classification of unstructured security data and make it open-source. Anyone can then take the classification we develop together and implement it in their favorite classification tool.

We have made our privacy monitor free for up to 250 mail users, and we will offer the security and privacy classification free of charge. Now is the time to work together. Please join by reaching out to us.

/D


David Junge

CTO & Co-founder