Discover the Facets of IG: Information Security and Protection
“The only system that is truly secure is one which is switched off and unplugged, locked in a titanium-lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn’t stake my life on it.”
-Gene Spafford, leading security expert
You protect the physical assets within your office with locks on the doors and an alarm system. But are you taking adequate measures to preserve your data assets’ confidentiality, availability, and integrity? A recent study shows that 21% of all files in organizations are not protected in any way, as they are open to everybody. If you don’t know for sure what’s in your 21% of unprotected files, you could be at risk of legal and regulatory sanctions in case of a breach. Or you may be at risk of paying to get useless files back in the case of a ransomware attack. More importantly, the 79% that is protected in some way might still be at risk. That is because of insider threats, phishing attacks designed to steal credentials, and also because many firms don’t implement even a basic data access governance program. Discover this facet of Information Governance: information security and protection. It’s all about finding the right balance between security measures and productivity, to ensure critical information is accessible, but only by the right people.
Inbound and outbound security
Budgets for inbound and outbound security keep growing. That is good, because consumers trust companies to take care of their personal data. Viruses and malware are blocked and information breaches are prevented daily. But inbound and outbound security can’t always stay ahead of the bad guys, so minimizing the impact when there is a breach is vital.
The insider angle
The weakest point in any system is the people who use it (as proven once more by the recently announced Desjardins breach. Read about it here). What stops the users of a system from messing with the data it contains? Apparently, not much. And that’s because data access governance (DAG) is challenging. And because it’s such heavy lifting, it’s almost never done. Most users have access to data that they don’t need to perform their duties, and have the permissions to use it however they want. Let’s not panic here: your colleagues are (most likely) not malicious people. They are just that: people. And most data breaches caused by insiders are mistakes due to a lack of training or a bit of negligence.
The lack of rigorous data access control opens a large crack in the door for social engineers. Tricking a user into revealing their credentials might provide access to far more high-value information than that specific user needs in their role. If you are skeptical of the potential effectiveness of phishing attacks, read what happened to Mattel in 2015.
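The first step of a data access governance program is finding out which files are actually “open to everybody”. The following script is an added example, not code from the original article: it walks a directory tree, flags every file whose permission bits grant read or write access to “other” (anyone on the system), and reports what share of the tree that represents. The sample tree it builds under a temporary directory (the `hr/`, `finance/` and `public/` paths and their modes) is constructed for the illustration; point `find_open_files` at a real file share to get the list a DAG review should start from.

```python
import os
import stat
import tempfile
from pathlib import Path


def find_open_files(root):
    """Return (relative_path, mode_string) for every regular file under `root`
    whose mode grants read or write to 'other', i.e. files open to everybody.
    Symlinks are skipped so a link pointing outside the tree is not counted."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                st = path.lstat()  # do not follow symlinks
            except OSError:
                continue  # vanished or unreadable entry: skip, don't abort the audit
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & (stat.S_IROTH | stat.S_IWOTH):
                findings.append((str(path.relative_to(root)), stat.filemode(st.st_mode)))
    return sorted(findings)


def share_open(root):
    """Fraction of regular files under `root` that are open to everybody
    (the figure the article quotes as 21% across organizations)."""
    total = sum(len(files) for _, _, files in os.walk(root))
    if total == 0:
        return 0.0
    return len(find_open_files(root)) / total


def build_sample_tree():
    """Create a constructed sample tree in a fresh temp directory.
    Modes are chosen to cover the cases an audit must distinguish."""
    root = tempfile.mkdtemp(prefix="dag-audit-")
    layout = {
        "hr/salaries.csv": 0o600,            # owner only: fine
        "hr/handbook.pdf": 0o644,            # world-readable: flagged
        "finance/q3-forecast.xlsx": 0o660,   # owner and group: fine
        "public/press-release.txt": 0o666,   # world read/write: flagged
    }
    for rel, mode in layout.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("constructed sample content\n")
        p.chmod(mode)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel_path, mode in find_open_files(sample_root):
        print(f"{mode}  {rel_path}")
    print(f"open to everybody: {share_open(sample_root):.0%} of files")
```

Whether a world-readable file is a problem depends on what it contains, which is why the output pairs each path with its mode rather than deciding for you; the point of the audit is to turn “we don’t know what’s in our 21%” into a concrete list to classify.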
Potential results of a breach
If you don’t have a DAG program and your organization stores intellectual property, personally identifiable information (PII), payment card information or personal health information, the consequences of a breach will be disastrous. The leak of intellectual property is catastrophic for a business, and the losses can be calculated in hard dollars. The leak of PII is catastrophic not only for businesses but also for the people affected, and can lead to human misery (as proven by the Ashley Madison breach). Privacy is a human right, and regulations are starting to adjust to the new technological landscape to better protect it. That means worsening consequences for the organizations who mess up and divulge PII.
4 ways data breaches can affect an organization
The obvious one: money. Responding to the attack has a cost. Hackers may wire money to their accounts. Regulatory fines may have to be paid. Every person affected by a breach has to be notified and compensated, and damages caused by an intrusion have to be fixed.
Brand image. Data privacy is a selling point and the loss of confidence increases client churn, especially for organizations with a lot of competitors.
Intellectual property can be stolen. With a data breach, Caramilk could kiss the secret of how they get the caramel into their chocolate bars goodbye. Lots of companies have suffered serious damage due to IP theft.
It can cause downtime or slow systems, resulting in productivity and/or profit loss.
Other security risks
Data breaches are an important risk factor, but they aren’t everything. Other risk scenarios such as natural disasters, equipment theft, fires, and so on, should be considered and planned for. The goal is to have a business continuity plan for whatever happens. For (many) more details on security and privacy controls for information systems, read the National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5.
Why is Information Security and Protection a facet of Information Governance?
Information Security and Protection is a facet of Information Governance because it reduces information risks. Good Information Governance practices help protection activities because data audits help identify and secure valuable content, information lifecycle management reduces organizations’ attack surface, and constantly improving security measures, policies, and training reduces the odds of successful attacks. An Information Governance framework doesn’t protect against the unpredictable. But it does minimize disruptions and impacts on the confidentiality, availability, and integrity of your data.