There is no doubt that we are moving to a point where it is becoming as important to prudently manage data as it is to regulate currency.
We have seen some of the enormous fines that have been levied against several multinationals for not being vigilant when it comes to information. For example, a global credit reporting company agreed to pay a whopping $575 million as part of a global settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau (CFPB), and 50 U.S. states and territories, for not taking reasonable steps to secure its network. It is alleged that this failure led to a data breach that affected approximately 147 million people.
Another example involves a well-known airline that was slapped with a £20m fine for a significant data incident that occurred over several months in 2018, resulting in the loss of personal data of over 400,000 staff and customers including banking/payment information, names, and addresses.
The moral of these stories is that identifying these risks and proactively preventing them is the only way to shield your organization from the potential devastation of information mismanagement and its subsequent consequences.
So, let’s look at the 8 most significant information risks:
1 – Data Breach
A data breach takes place when an external malicious party finds a way through your defenses and manages to obtain your information. Most of the highly publicized cases of theft of customer data occur as a result of a data breach.
Data breaches have a variety of root causes, ranging from 3rd party exposure, configuration mistakes, and poor cyber hygiene, to cloud and mobile device vulnerabilities and the Internet of Things.
The truth is that these are things that are beyond just software, it all starts with our people. This means that it is critical that our employees, both those who are responsible from an administrative aspect, as well as the day-to-day users, should be educated in the proper way to handle and think about your data. This will spill over once you begin to use software.
2 – Infestation
Infestation takes place when your software is used to infiltrate your environment. Infestation may take the form of Trojan horses, worms, ransomware, crypto jacking or Botnets – whichever way the infiltration takes place, the commonality is that it is often human weakness that allows this to occur.
It is here that software comes into play because you can harness software solutions to protect your information. For example, a cloud backup can detect ransomware and help to remediate some of the situations you may find yourself in as a result of a lack of compliance or ineffective governance.
3 – Environmental and service attacks
Whether it is a corporate website, an online store, or an API that third parties or customers can use to expedite services, most modern-day organizations have internet exposure. There are a number of attacks that serve to compromise these publicly available services.
Man-in-the-cloud attacks, zero day attacks, injection attacks, distributed denial of service, the list is long and sinister. The difficulty of managing the complexity and wide-ranging nature of these attacks has pushed information security up the priority list of many organizations.
4 – Identity
A lot of the measures that have become commonplace in the way that we interact with systems, such as identifying ourselves with a password and then again on a device, have eliminated many of the issues related to identify risks.
But there are still systems that have not yet upgraded to cloud-based identity processes. This means that identity can still be compromised by guest access issues, misconfigured permissions, mismanaged identity lifecycles, and relaxed password restrictions.
5 – Visibility
As organizations become more complex, with hybrid environments, enablement of remote working, etc., it becomes increasingly difficult to get visibility in a single pane of glass. But it is essential to have a tool or interface that allows you to have a single view of trends that are unfolding to keep you ahead of the risks.
Often, there is not enough care given to creating a type of command center where IT professionals are able to see what is happening within all of their complex environments at a glance. These command centers should include secure monitoring, real-time threat analysis, machine learning models, or anomalous activity detection, in order to allow IT to engage, analyze threats and take the right remediation, rather than being reactive once the threat has already taken hold.
6 – Lack of storage structure
Although not always obvious, a lack of storage structure can play havoc with any organization. The days of file servers with plenty of drives and good backup has left us with a vast amount of data that is very difficult to mine and understand what type of information sits in what folder.
To limit exposure, organizations are having to change the way that they structure their storage. The risks that accompany chaotic storage include a lack of taxonomy, organically grown filesystems, an unstructured intranet, old file storage technologies, outdated, non-existent, or unenforced record schedules, and a limited or ineffective backup and archiving strategy.
7 – Lack of process governance
Even if you have taken the time and invested in structuring your storage to attain a well-constructed storage ecosystem, with good archiving systems and backups, you still need to think about governing the process as your information changes.
This governance spans touchpoints across the entire organization, including document lifecycle management, sharing access management, per-business unit processes, on-and-off-boarding processes, policy enforcement, and document classification.
8 – Lack of training
In a lot of cases, people are the weakest link when it comes to information risks. Although we spend so much time and money investing in technology, we are sometimes inclined to neglect the investment in appropriate training to support this technology.
Training your people to reduce the risk of information mismanagement should include adequate product training, rigorous cybersecurity training, device training, change management, informational management training and even supporting an entire culture shift.
In my next blog, I will detail some strategies to overcome and remediate these risks to safeguard your information.
Stay tuned …