Information Governance Can Limit Data Breaches But That Isn’t The Answer


[Image: Spock's brain is gone, the ultimate in data theft]

You may have noticed that there has been a large amount of data and information leaking out into the universe lately. Between people not protecting information, breaking rules around information, or your classic data breach, our personal information is out there, without us, more than ever.

The one thing I hear after every breach is the call for better Information Governance or Records Management. As Don Lueders, whom I respect, put it,

So called ‘data breaches’ are thefts of information and, as such, they are first and foremost a traditional records management problem. Until organizations understand this and include records management as a critical component of their long term cybersecurity strategy, data breaches – and the disastrous consequences they bring – will continue unabated.

I’ve said this before and I’ll say it again: this is a false sense of security. Disposing of records will not keep you out of the headlines. It will only make you feel safer than you actually are.

There is Always Sensitive Information

Let’s face it, you can delete all the information you want. Even if you magically identify and delete everything that is no longer needed, ignoring any historical or regulatory value, there is always some piece of information waiting to make headlines.

As Don referenced, in 2015 the U.S. Office of Personnel Management (OPM) had 21 million records stolen. This was information compiled from government clearance background investigations. My information was stolen as was key data about everyone I referenced on my clearance form.

This is bad and I was upset. However, better enforcement of the records policies would have made little difference. Two million records would still make headlines, and there are likely many reasons they needed far more than that on hand.

Additionally, that information has value. Any person beginning a new clearance process will be cleared faster if the old information is available for investigators to reference.

Consider the Sony email breach. There were a lot of embarrassing emails shared with the public. Many were only months old. How can disposing of emails at a faster pace protect you when people are writing potentially damaging emails every day?

Risk versus Value

We didn’t have these problems when we had paper records. We also couldn’t analyze our data to find answers. Sometimes a written request for information would take two weeks (after it was delivered by postal service) to get to a person who could answer the question.

Storing information offline doesn’t solve the problem. Information needs to be accessible to people. Records are being kept because the information might be needed. The question is: how do you balance risk against value?

The problem with information’s value is that you never know when it will matter. As better analytics come forward, the potential value of your older information grows. Past trends can be analyzed to predict future shifts. Algorithms can be developed to study past fraud cases to flag new potential fraud cases.

You have to have information to achieve those value building results.

Even neglecting the potential future value of information, and the historical value, there are laws and regulations that require some records to stay around for years. That is the reason records management exists. It isn’t to dispose of records. It is to preserve them as long as necessary. After that time has elapsed, then you are permitted to dispose of the records, not required.

Security Matters

The answer is security. It isn’t the airtight security that forces people to find ways to work around the “approved” tools. It is many layered:

  • Train staff to recognize when they are being targeted for information. Social engineering and phishing are just the tip of the iceberg. Training needs to be ongoing as the threats evolve.
  • Two-factor authentication integrated with Single Sign On (SSO) helps limit attacks on authentication.
  • System patching matters. The sooner a vulnerability in your system is patched, the sooner the window of opportunity for hackers vanishes.
  • Network monitoring to watch for unusual behavior in the network is critical. Something will get inside. You need to see it happening early so you can shut it down.
  • Encryption of data at rest actually matters. Two decades ago it was inefficient, and the belief was that if attackers got to the content you were already in trouble. That is still true, but encryption forces the hackers to compromise the enterprise applications that hold the keys rather than simply copying the stored data, which buys time and limits the value of the breach to the hackers.

There is a lot more to it. Security professionals can go on for hours about all the things that they can do to protect you. The items above are less intrusive to the people trying to get things done than many other options.

You have to let people work. People can work around any overly restricting security measure. When they do, your information ceases to be safe.

Just one change won’t make a difference. You have to have a comprehensive approach.

We Own It

There are a lot of things that we, both as individuals and organizations, can do about this. As people who use these “free” services, we can be more cognizant of what information we share and the settings that we select. As a society, we can push to punish those that misuse information or gain it through deceit. As part of an organization we can train our staff and deploy better security tools and processes.

One thing is clear, effective Information Governance includes security. You have to know where everything is and how it is secured. That locked file cabinet in your locked office in the secure building is no longer enough. Having it offsite in a secure storage facility with security cameras is no longer enough. Information has to be accessible to create value. Moving physical items like paper, optical disks, or other storage devices is clinging to 20th century mindsets in a 21st century world.

Keeping information analog or off-line will make your organization slow to respond. In case you haven’t noticed, the world is shifting quickly. Organizations have to adapt. Information professionals have to understand security basics so we can have meaningful and productive conversations with both security experts and the business that we serve.

Face it: hackers can get into any system. If they want to get into your system, they will. Invest where you can and you will at least keep the opportunistic hackers at bay.

Oh, and one last tip. Never boast about your security. Hackers love a good challenge.

Apple, Privacy, and Doing the Right Thing

[Image: Steve Jobs from a South Park episode]

Here’s the deal. A Federal court has ordered Apple to comply with the FBI’s request to help break into the encrypted iPhone of one of the dead shooters from the San Bernardino shooting in California back in December. Apple publicly refused in a well written letter that defended the importance of privacy and was signed by Tim Cook.

Who’s right?

It wouldn’t take a genius to determine that I might instinctively side with privacy and Tim Cook. I’m a big believer in ethical behavior in the tech world and in the importance of firms protecting consumers from their own ignorance, and I am proud that Tim Cook is a fellow Auburn grad.

But it isn’t that simple.


Box Makes a Huge Leap in Security

[Image: The Keymaster and Gatekeeper from Ghostbusters]

I saw Box’s announcement of their Enterprise Key Management (EKM) feature yesterday. This is a big jump forward for Box and puts them well in the front lines for cloud security among vendors with traction. Matt Weinberger had a good write-up about how Box’s EKM works, complete with a Ghostbusters reference.

Chris Walker wrote about Box’s EKM announcement and quoted a tweet I made. The tweet follows but I encourage you to go read his post as it is a good one.

I wanted to expand on the quote above in a comment on Chris’s post, but then I couldn’t stop typing. I decided to write it here instead.


Sony, Information Governance, and the Quest for Relevancy

[Image: Movie poster for The Interview]

People have been writing for months about what could have prevented or lessened the impact of the Sony hack. I’ve talked to many people in the information governance industry on this very topic. I’m a firm believer that even with proper information governance policies that were properly followed, the impact of the Sony hacks would have been the same.

Of course, not everyone agrees. Lubor Ptacek asked if enterprise content management (ECM) could have prevented the hack. While his answer was not a definitive ‘Yes’, it did fall strongly on the side that it would have made a significant difference.

Lubor is a smart person, so I’ve decided to visit his points in this post. Before I start going point-by-point…

You Can’t Govern Stupid


Content Management Step 3, Control that Information

[Image: Auburn's eagle flying]

At this point, I’ve covered the first two Content Management steps towards achieving proper Information Governance, knowing. The remaining steps are ones that the industry executes fairly well today, at least from a technical perspective. It just feels like a failure because we historically fail to Capture and Organize content properly.

The third step is Control. Control is something that most organizations have mastered, perhaps a little too well. If a piece of content gets into the system, locking it down is easy. The challenge here is not the technology, but the basic approach to controlling content.


Heartbleed is NOT an Open Source Issue

I was going to write a nice, calm post today when I came across Ralph Losey’s piece on the Heartbleed bug. It is a long piece and you can tell it was written by a lawyer. I have nothing against lawyers, as two of my oldest and closest friends are lawyers. I’ve met and talked to Ralph before. He is a smart guy and generally understands how technology can change the world. Ralph simply misses the point on Open Source.

Completely misses it.

This was a bug that was not caught before release, the same as happens in proprietary software. I know, as I’ve released a few bugs in my day.


Have you Hired Snowden?

I have had a LOT of discussions with people over the past year about Edward Snowden, the NSA, and the impact on cloud adoption. My general response is that it would likely slow US adoption of the cloud by a few months and outside the US by a couple of years.

Well, it has been six months since this all started and I was starting to wonder how this was panning out. Then Computerworld kindly published a piece stating that Chief Information Officers (CIOs) were sticking with the cloud despite the NSA.

While 20 CIOs are in no way a fair sample size, even if they are geographically dispersed, they did raise several excellent points.
