BreachExchange mailing list archives
Protecting our wealth of information
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 7 Jan 2015 20:09:18 -0700
http://www.canadait.com/index.php/security/1056-protecting-our-wealth-of-information

In 2006, an employee of the Coca-Cola Company was arrested and charged with attempting to sell the drink maker’s coveted secret recipe to PepsiCo. While the theft and sale of a trade secret held in privacy for over a hundred years would have been one of the most famous heists of the 21st century — at least for the beverage industry — even in its failing, for us it’s a high profile example of what every single large business has to worry about on a daily basis: the governance of information.

For most companies though, information governance is about more than just a brand’s magic formula. In today’s society, knowledge drives everything, and the power of data — not to mention the volume of data — is always increasing. It’s an asset worth trillions, and it’s critical to every link in the value chain of an organization, which means that new information is created every millisecond. All of that growing data needs to be managed, it needs to be secured, and it needs to be shared. And that needs to be done effectively by everyone who touches it.

Frequently, though, people mistake information compliance for information governance, but the difference is an integral one. While working towards compliance is an effort to satisfy outside regulations, governance can actually help achieve innovation and growth inside the company. A well-run information governance plan is the single source of truth in a business. Those plans must therefore be created to maximize value and minimize risk, ensuring data works for the company instead of against it. An effective plan should therefore be focused on productivity, transparency and security.

When we talk about productivity reliant on data, what we’re really talking about is the way we store it, the way we retrieve it and the way we use it and share it.
Every aspect of an information governance strategy should be weighed against the benefits it can bring to a company — and how those meet the company’s business objectives. The more efficiently data can be accessed, the more agile the business can be to make important changes to their overall plan and the more productive they can become as a result.

As an example, a major source of frustration for many companies these days is what’s often called “knowledge drain” or “corporate amnesia.” With higher-than-ever turnover rates and an aging workforce in certain industries like local government and utility companies, the knowledge of processes, of project-specific information and of best practices can over time begin to disappear with the employees. An effective information governance plan is structured to store that knowledge where it can be accessed by everyone, leading to less time spent on-boarding new hires.

But, with so much data coming from employees themselves — especially as many companies move to enact Bring Your Own Device programs or encounter employees using consumer-grade file sharing systems — how do we make sure that it’s being recorded accurately? That’s the importance of automation. Enforcing new processes and protocols for virtually every employee company-wide is a daunting task. We’re now at a point when so much data is being created that the recording of it cannot realistically be done by human hands. Adopting manual systems can often lead to decreased productivity and accuracy, not to mention employee morale.

As a result, many companies are switching to automatic software solutions that work as a transparent layer below any current file management systems — to their employees, there are no changes in process and no impact on productivity. This transparent layer provides another added value as well, though: the ability to augment security, both behind the company firewall and in the cloud.
With these more sophisticated software solutions, not only is data protected from outside access, but it is also safeguarded against potential internal leaks. Tracking and managing who can access data and when is essential in many cases. Would this have prevented the Coca-Cola breach? Perhaps not, but in certain circumstances, like one that affected an Ontario hospital this summer, it could have helped. When two employees were discovered to have sold confidential patient information to RESP companies, it was a document left on the printer that incriminated one of them. With an information governance plan that included access restrictions and access tracking, the breach would have been discovered and fixed almost immediately. In fact, according to the Toronto Star, since the incident the hospital’s records have moved to exactly such a system.

And so it should — healthcare is one of the most regulated fields when it comes to information compliance. Too frequently, companies in this and other regulated sectors are reactive when it comes to new compliance laws: when a change is mandated, they struggle to keep up. For obvious reasons, regulations are the number one driver for information governance, according to 70 percent of data management professionals in a Q1 2013 Data Governance survey. But compliance, while very different in its objective from governance, can be made easier with the help of a solid information governance plan and a well-built system to enact it.

We should be looking forward to how we can prevent issues before they become issues, how we can increase the productivity of data before the amount of it becomes too much to handle under our current business models, and how we can do it in a way that makes our employees’ lives easier.

In 2006, the savior of the Coca-Cola Company was actually its biggest competitor: PepsiCo reported the breach to the authorities and was responsible for the arrest of the rogue employee. This won’t always be the case.
We should already be governing how our information is used, so our competitors don’t have to do it for us.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com

Supporters: Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus on the right security. If you need security help or want to provide real risk reduction for your clients contact us!