Monday, January 21, 2008

Why classification and protection of internal sensitive information matters is clearly shown in this article: http://www.portfolio.com/news-markets/national-news/portfolio/2008/01/14/Media-Defenders-Profile?print=true

Excerpt: "…verify as internal, unpublished information belonging to MediaDefender was stolen by a hacker who had penetrated their network."

If you are hacked, and sensitive information is left unprotected and available to any user with a logon ID, you are liable to lose that information to the hacker who has penetrated your firewall. It goes to show that the only way to truly protect your information is to deploy a defense-in-depth solution in which the sensitivity of your documents is taken into account alongside your traditional perimeter defenses.

If the documents had been encrypted, they would not likely have been of any use to this hacker, and the impact on the organization would have been smaller.

What does such an attack, and the subsequent loss of sensitive information, mean for this organization's reputation and future revenue stream?

Then there is of course the loss of a laptop in Britain by the Royal Navy, containing unencrypted information on 600,000 individuals. Quote: "The HMRC data leak happened two months prior to this theft, but apparently the personal data on the Royal Navy laptop was not encrypted despite the easy availability of such software." The article can be found here: http://www.vnunet.com/vnunet/news/2207687/royal-navy-laptop-stolen. The junior officer may face court martial, but I believe the real failure is organizational, not personal. What awareness and training in protecting information is given? Is the right set of tools available to help personnel identify the sensitive information they are in charge of? Do personnel have tools available that allow them to easily protect that information?

For organizations, I believe it is paramount that they start looking at ways to support their users through easy-to-use classification and protection schemes. What happens if a laptop is lost or stolen? What happens if a laptop is breached over the internet? Being able to answer these questions with a statement such as "yes, we had an unfortunate loss, but the information was protected with encryption" would be quite different, and probably wouldn't make headlines that damage your organization's reputation.
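As an added illustration of the point above (example code written for this page, not from the post or any product it mentions), here is a small Go program in which a document's classification label drives whether it is encrypted at rest. The four-level label scheme, the rule that everything above Public is encrypted, the AES-256-GCM choice and the key handling are all assumptions; the sample documents are constructed. Binding the label and file name into the GCM authentication tag means a ciphertext cannot later be quietly relabelled as Public, and a wrong key or a tampered body simply fails to open, which is the "the data was lost but protected" outcome the post describes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"log"
)

// Sensitivity is an assumed four-level classification scheme (not from the post).
type Sensitivity int

const (
	Public Sensitivity = iota
	Internal
	Confidential
	Restricted
)

func (s Sensitivity) String() string {
	return [...]string{"Public", "Internal", "Confidential", "Restricted"}[s]
}

// Document is a labelled file as a classification tool might store it at rest.
// Nonce is nil while Body is plaintext and set once Body is AES-GCM ciphertext.
type Document struct {
	Name  string
	Label Sensitivity
	Body  []byte
	Nonce []byte
}

// RequiresEncryption is the policy hook: every label above Public is encrypted
// at rest, so "internal, unpublished" material is covered (assumed rule).
func RequiresEncryption(s Sensitivity) bool {
	return s >= Internal
}

// aad binds label and file name into the authentication tag, so a ciphertext
// copied under a weaker label or another name fails to open.
func aad(doc Document) []byte {
	return []byte(doc.Label.String() + ":" + doc.Name)
}

// Protect enforces the policy with AES-256-GCM; Public documents pass through.
func Protect(doc Document, key []byte) (Document, error) {
	if !RequiresEncryption(doc.Label) {
		return doc, nil
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return Document{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Document{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Document{}, err
	}
	return Document{
		Name:  doc.Name,
		Label: doc.Label,
		Body:  gcm.Seal(nil, nonce, doc.Body, aad(doc)),
		Nonce: nonce,
	}, nil
}

// Unprotect recovers the plaintext for a holder of the key; it fails on a wrong
// key, a tampered body, or a document whose label was changed after sealing.
func Unprotect(doc Document, key []byte) ([]byte, error) {
	if doc.Nonce == nil {
		return doc.Body, nil
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, doc.Nonce, doc.Body, aad(doc))
}

func main() {
	// Constructed sample: a 256-bit key that in practice would live in a key store.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		log.Fatal(err)
	}
	docs := []Document{
		{Name: "press-release.txt", Label: Public, Body: []byte("ships tomorrow")},
		{Name: "client-list.txt", Label: Internal, Body: []byte("constructed client data")},
	}
	for _, d := range docs {
		stored, err := Protect(d, key)
		if err != nil {
			log.Fatal(err)
		}
		fmt.Printf("%-18s %-9s encrypted=%t\n", d.Name, d.Label, stored.Nonce != nil)
	}
}
```

The policy function is deliberately the only place where the threshold lives, so changing what "sensitive enough to encrypt" means is a one-line change rather than a search through every storage path.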
