BreachExchange mailing list archives

Protecting our wealth of information


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 7 Jan 2015 20:09:18 -0700

http://www.canadait.com/index.php/security/1056-protecting-our-wealth-of-information#!/ccomment

In 2006, an employee of the Coca-Cola Company was arrested and charged with
attempting to sell the drink maker’s coveted secret recipe to PepsiCo.
While the theft and sale of a trade secret held in privacy for over a
hundred years would have been one of the most famous heists of the 21st
century — at least for the beverage industry — even in its failing, for us
it’s a high profile example of what every single large business has to
worry about on a daily basis: the governance of information.

For most companies though, information governance is about more than just a
brand’s magic formula. In today’s society, knowledge drives everything, and
the power of data — not to mention the volume of data — is always
increasing. It’s an asset worth trillions, and it’s critical to every link
in the value chain of an organization, which means that new information is
created every millisecond. All of that growing data needs to be managed, it
needs to be secured, and it needs to be shared.

And that needs to be done effectively by everyone who touches it.

Frequently, though, people mistake information compliance for information
governance, but the difference is an integral one. While working towards
compliance is an effort to satisfy outside regulations, governance can
actually help achieve innovation and growth inside the company. A well-run
information governance plan is the single source of truth in a business.
Those plans must therefore be created to maximize value and minimize risk,
ensuring data works for the company instead of against it. An effective
plan should therefore be focused on productivity, transparency and security.

When we talk about productivity reliant on data, what we’re really talking
about is the way we store it, the way we retrieve it and the way we use it
and share it. Every aspect of an information governance strategy should be
weighed against the benefits it can bring to a company — and how those meet
the company’s business objectives. The more efficiently data can be
accessed, the more agile the business can be in making important changes to
its overall plan, and the more productive it can become as a result.

As an example, a major source of frustration for many companies these days
is what’s often called “knowledge drain” or “corporate amnesia.” With
higher-than-ever turnover rates and an aging workforce in certain
industries like local government and utility companies, the knowledge of
processes, of project-specific information and of best practices can over
time begin to disappear with the employees. An effective information
governance plan is structured to store that knowledge where it can be
accessed by everyone, leading to less time spent on-boarding new hires.

But, with so much data coming from employees themselves — especially as
many companies move to enact Bring Your Own Device programs or encounter
employees using consumer-grade file sharing systems — how do we make sure
that it’s being recorded accurately?

That’s the importance of automation. Enforcing new processes and protocols
for virtually every employee company-wide is a daunting task. We’re now at
a point when so much data is being created that the recording of it cannot
realistically be done by human hands. Adopting manual systems can often
lead to decreased productivity and accuracy, not to mention employee
morale. As a result, many companies are switching to automatic software
solutions that work as a transparent layer below any current file
management systems — to their employees, there are no changes in process
and no impact on productivity.

This transparent layer provides another added value as well, though: the
ability to augment security, both behind the company firewall and in the
cloud. With these more sophisticated software solutions, not only is data
protected from outside access, but it is also safeguarded against potential
internal leaks. Tracking and managing who can access data, and when,
is essential in many cases.

Would this have prevented the Coca-Cola breach? Perhaps not, but in certain
circumstances, like one that affected an Ontario hospital this summer, it
could have helped. When two employees were discovered to have sold
confidential patient information to RESP companies, it was a document left
on the printer that incriminated one of them. With an information
governance plan that included access restrictions and access tracking, the
breach would have been discovered and fixed almost immediately.

In fact, according to the Toronto Star, since the incident the hospital’s
records have moved to exactly such a system.

And as it should — healthcare is one of the most regulated fields when it
comes to information compliance. Too frequently, companies in this and
other regulated sectors are reactive when it comes to new compliance laws:
when a change is mandated, they struggle to keep up. For obvious reasons,
regulations are the number one driver for information governance, according
to 70 percent of data management professionals in a Q1 2013 Data Governance
survey.

But compliance, while very different in its objective from governance, can
be made easier with the help of a solid information governance plan and a
well-built system to enact it. We should be looking forward to how we can
prevent issues before they become issues, how we can increase the
productivity of data before the amount of it becomes too much to handle
under our current business models, and how we can do it in a way that makes
our employees’ lives easier.

In 2006, the savior of the Coca-Cola Company was actually its biggest
competitor: PepsiCo reported the breach to the authorities and was
responsible for the arrest of the rogue employee. This won’t always be the
case.

We should already be governing how our information is used, so our
competitors don’t have to do it for us.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 