Here we are in October already, a month known for tricks, treats and scary things lurking about waiting to frighten you. While it is a time for fun and social interactions, it is not a time you want to have a frightful awakening with regard to your business information. Security breaches, loss of information and an inability to find your information in support of litigation or audit are not the types of surprises you want.
You cannot hide
The fact is simply this: No business or employee is exempt from taking responsibility for properly managing their information assets. Every bit of information created or collected as part of business operations is considered a corporate asset. Intellectual property, customer information, employee information and correspondence are all examples of corporate information assets that need to be managed in accordance with corporate information security policies. In some industries, breaches and unauthorized access must be reported. For example, in the US, breaches of patient information must be reported to the US Department of Health and Human Services (HHS). At the time of writing this article, I found just under 1,000 listings of reported breaches that range from paper to lost or stolen removable media, to unauthorized server access.
Additionally, the Identity Theft Resource Center cites more than 621 breaches so far in 2014 and indicates that more than 77 million records have been exposed. The breaches span the private and public sectors and a wide range of markets, including higher education, healthcare, government and financial services. The point is that regardless of what business you are in, your information and the infrastructure supporting your information management practices must be managed securely. What you do not want is the frightful awakening of finding your business listed as a breached organization.
What to think about
Consider the related compliance requirements around your information and your business. What are the governance policies related to how and where it is managed and recommended security measures, if they are available? Do you have policies in place regarding use of collaborative tools, like cloud applications, and their appropriate use with internal and external parties? Do you need encryption capabilities both at the repository and transit levels? Do you monitor your environment for inappropriate use and potential breaches, and what actions are taken if a suspected breach is indicated?
When it comes to security, how are your employees trained? Are they updated periodically to ensure that they understand the importance of information security to your organization and the security tools provided? For example, use of encryption technology to protect digital media and information is a part of the bigger picture. Many times, discussions of a confidential nature are conducted using smartphones in public places, like airports, where conversations can be overheard. During conferences, it is not unusual to overhear conversations about new product directions or even design flaws. All of this is corporate information and all of it should be managed properly. Mobile workers using tablets, laptops, etc. display information anytime, from anywhere, which includes the close quarters of an airplane. Do you have security screen filters attached that prevent prying eyes from seeing what they should not from the adjoining seat?
In my view
Corporate information security is the responsibility of every employee. The corporation is responsible for establishing policies, providing the tools, training employees and monitoring the environment to ensure information is protected. Employees are responsible for understanding these policies and adhering to them at all times.
Security does not end at the repository or at the building entrance and exit. It must extend beyond the building and enterprise walls, include every employee, and account for external parties who interact with your organization at every level. If you are dealing with a contractor or supplier, they too must adhere to your security policies. By the time you have a frightful awakening about information loss, it is too late. If you think that your policies, tools and employees provide the levels of security you require, that is great, but how do you know for sure? Monitor your information management environment and look for ways to improve. My guess is that you will find some.
Bob Larrivee is director of custom research at AIIM and an internationally recognized subject matter expert and thought leader with over 30 years of experience in the fields of information and process management. Follow him on Twitter @BobLarrivee.