Discover the Facets of Information Governance: Information Security and Protection

October 29, 2018


Are you sure your data is safe? Your office probably has locks on the doors, but are similar measures taken to preserve data assets’ confidentiality, availability, and integrity? Discover this facet of Information Governance: Information security and protection. This activity’s goal is finding the right balance between burdening security measures and productivity, ensuring information is accessible, destroyable and editable only by appropriate authorized parties. Read on to find out what information needs protection from.


An important security concern: Data Breaches

Malicious or criminal attacks are the most common cause of data breaches. In a 2017 report, the SANS Institute states that email is still the most common vector of cyberattack, with web browsers landing the second place. Email phishing is a very popular method for cybercriminals as it's easy and proven. These attacks are really sophisticated and it’s easy to fall for them. If you got an email from your boss asking for a password, would you oblige? Unless you could recognize the usurpation, probably. If you are skeptical, read what happened to Mattel in 2015.


Other causes of Data Breaches

The two other most common causes of data breaches mentioned in the 2018 Ponemon report are human error and system glitch. Human error is defined as an end user failing to follow processes and policies. For instance, an employee sending a sensitive document through email without encryption even if he knows it’s against policy could be the cause of a data breach. The only condition is that the document falls into the wrong hands.


Potential results of a breach

If your business stores intellectual property, personal identifiable information, payment card information or personal health information, the consequences of a breach will be disastrous. The leak of intellectual property is catastrophic for a business, sure, but the leak of personal identifiable information is catastrophic not only to a business but also to the people affected. And the regulations protecting this kind of information are no joke.


4 ways data breaches can affect an organization

  1. It can cost a lot of money. Responding to the attack has a cost, hackers may wire money to their accounts, regulatory fines may have to be paid, every person affected by a breach has to be notified and compensated, and damages caused by an intrusion have to be fixed.

  2. It can damage brand image which increases the client churn rate, especially if the affected organization has a lot of competitors.

  3. Intellectual property can be stolen which can put businesses in peril. With a data breach, Caramilk could kiss goodbye the secret of how they get caramel into their chocolate bars.

  4. It can cause downtime or slow systems resulting in productivity and/or profit loss.


Other security risks

Data breaches are an important risk factor, but they are not everything. Other risks scenarios such as natural disasters, equipment theft, fires, and so on, should be considered and planned for. The goal is to have a continuity plan, whatever happens.


Why is Information Security and Protection a facet of Information Governance?

Information Security and Protection is a facet of Information Governance because it reduces information risks. Good Information Governance practices help protection activities because data audits help identify and secure valuable content, and constantly improving security measures reduce the odds of successful attacks. An Information Governance frameworks plans for the unpredictable, therefore protecting information’ confidentiality, availability, and integrity.


When wondering if investing in security improvements is worth it, a quote from Gene Spafford, leading security expert, is food for thoughts:

“The only system that is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn’t stake my life on it.”

Your system obviously can’t be plugged off and buried in concrete because security needs to be balanced with productivity, but are the measures in place enough?

This article is the second of a series of ten. Click below to discover more facets of IG:

  1. Compliance
  2. Information Security and Protection
  3. Privacy
  4. Audit