You may have noticed that there has been a large amount of data and information leaking out into the universe lately. Between people not protecting information, breaking rules around information, or your classic data breach, our personal information is out there, without us, more than ever.
The one thing I hear after every breach is the call for better Information Governance or Records Management. As Don Lueders, whom I respect, put it,
So called ‘data breaches’ are thefts of information and, as such, they are first and foremost a traditional records management problem. Until organizations understand this and include records management as a critical component of their long term cybersecurity strategy, data breaches – and the disastrous consequences they bring – will continue unabated.
I’ve said this before and I’ll say it again, this is a false sense of security. Disposing of records will not keep you out of the headlines. It will only give you a false sense of security.
There is Always Sensitive Information
Let’s face it, you can delete all the information you want. Even if you magically identify and delete everything that is no longer needed, ignoring any historical or regulatory value, there is always some piece of information waiting to make headlines.
As Don referenced, in 2015 the U.S. Office of Personnel Management (OPM) had 21 million records stolen. This was information compiled from government clearance background investigations. My information was stolen as was key data about everyone I referenced on my clearance form.
This is bad and I was upset. However, better enforcement of the records policies would have made little difference. Two million records would still make headlines and there are likely many reasons they needed more than that many on-hand.
Additionally, that information has value. Any person beginning a new clearance process will be cleared faster if the old information is available for investigators to reference.
Consider the Sony email breach. There were a lot of embarrassing emails shared with the public. Many were only months old. How can disposing of emails at a faster pace protect you when people are writing potentially damaging emails every day?
Risk versus Value
We didn’t have these problems when we had paper records. We also couldn’t analyze our data to find answers. Sometimes a written request for information would take two weeks (after it was delivered by postal service) to get to a person who could answer the question.
Storing offline doesn’t solve the problem. Information needs to be accessible to people. Records are being kept because the information might be needed. The question is, How do you balance risk against value?
The problem with information’s value is that you never know when it will matter. As better analytics come forward, the potential value of your older information grows. Past trends can be analyzed to predict future shifts. Algorithms can be developed to study past fraud cases to flag new potential fraud cases.
You have to have information to achieve those value building results.
Even neglecting the potential future value of information, and the historical value, there are laws and regulations that require some records to stay around for years. That is the reason records management exists. It isn’t to dispose of records. It is to preserve them as long as necessary. After that time has elapsed, then you are permitted to dispose of the records, not required.
The answer is security. It isn’t the airtight security that forces people to find ways to work around the “approved” tools. It is many layered:
- Train staff to recognize when they are being targeted for information. Social engineering and phishing are just the tip of the iceberg. Training needs to be ongoing as the threats evolve.
- Two factor authentication integrated with Single Sign On (SSO) helps limit authentication hacking.
- System patching matters. The sooner an exploit in your system is patched, the sooner the window of opportunity for hackers vanishes.
- Network monitoring to watch for unusual behavior in the network is critical. Something will get inside. You need to see it happening early so you can shut it down.
- Encryption of data at rest actually matters. Two decades ago, it was inefficient and the belief was that if they got to the content you were already in trouble. While still true, it forces the hackers to hack the enterprise applications storing the information, which buys time and limits the value of the breach to the hackers.
There is a lot more to it. Security professionals can go on for hours about all the things that they can do to protect you. The items above are less intrusive to the people trying to get things done than many other options.
You have to let people work. People can work around any overly restricting security measure. When they do, your information ceases to be safe.
Just one change won’t make a difference. You have to have a comprehensive approach.
We Own It
There are a lot of things that we, both as individuals and organizations, can do about this. As people who use these “free” services, we can be more cognizant of what information we share and the settings that we select. As a society, we can push to punish those that misuse information or gain it through deceit. As part of an organization we can train our staff and deploy better security tools and processes.
One thing is clear, effective Information Governance includes security. You have to know where everything is and how it is secured. That locked file cabinet in your locked office in the secure building is no longer enough. Having it offsite in a secure storage facility with security cameras is no longer enough. Information has to be accessible to create value. Moving physical items like paper, optical disks, or other storage devices is clinging to 20th century mindsets in a 21st century world.
Keeping information analog or off-line will make your organization slow to respond. In case you haven’t noticed, the world is shifting quickly. Organizations have to adapt. Information professionals have to understand security basics so we can having meaningful and productive conversations with both security experts and the business that we serve.
Face it; hackers can get into any system. If they want to get into your system, they will. Invest where you can and you will at least keep the opportunistic hackers at bay.
Oh, and one last tip. Never boast about your security. Hackers love a good challenge.
2 thoughts on “Information Governance Can Limit Data Breaches But That Isn’t The Answer”
So true. IG or RIM will not change a bad headline. Who ever lost data that was only from 1990 that should have been destroyed? IG will identify what data needs tougher controls although humans always complain at having to follow tougher rules. Encryption at rest is growing but seems that is still not done enough. Humans will only improve so much via training so continue to build security in, force two factor authentication in helping to reduce the human factor.
Yep, improve on all fronts. You’ll never have perfect security in a system that has a reasonable User Experience. Of course all you really need is enough security to make opportunistic hackers move to the next target.
Comments are closed.