Every function in the organization — from human resources to operations to marketing — is creating, acquiring, processing, storing and sharing more information than ever before. Innovations in technology coupled with unprecedented data volumes are pushing the limits of privacy and security well beyond current regulatory standards and legal requirements, making it easier for data to get into the wrong hands.
Security incidents are on the rise. The year 2014 will bring to mind several high-profile breaches, such as Sony Pictures Entertainment, Home Depot and Target. While these attacks stole the headlines, thousands more took place around the world, resulting in the theft or loss of more than 1 billion data records, up 76% from 2013.
The threat is coming from inside the house
We know that organizations need to protect their most sensitive information from cyber criminals on the outside who are trying to get in, but significant research indicates that the individuals operating inside the “trusted” network are the biggest threat. Whether acting with malicious intent or unintentionally, employees are the primary cause of data breaches.
PWC Turnaround and transformation in cybersecurity: Key findings from The Global State of Information Survey 2016
(n=10,000 CEOs, CFOs, CIOs, CISOs, CSOs, VPs and directors of IT and security)
Why are employees cited as the biggest risk to information security?
• Inadequate access and permissions controls for shared repositories
• Lack of secure file sharing and transfer practices
So what can organizations do to prevent data loss and protect intellectual property while optimizing productivity and speed to market? Enterprise Information Management (EIM) comprises the strategies and tools that help organizations maximize the value of their information while minimizing its risks, and it should be a foundational component of your Information Security strategy. Here’s why:
Access and permissions – control who’s allowed to do what
Your first line of defense is to limit information access to only those employees whose job function requires it. The “wild west” of giving the vast majority of your employees unfettered access to shared repositories puts organizations at risk. You must also monitor those who do have permissions for proper information access behavior.
Effective EIM systems have complex access and permission structures to ensure users only have access to what they need and what they are permitted to see and do. From intellectual property to client information and personnel matters, EIM systems help ensure that content is retrievable and usable for those who need it and protected against unauthorized access and alteration by those who don’t.
Audit trails – know who did what and when
When an incident does occur or a suspected incident is being investigated, it’s critical to be able to understand the full history of activity that has taken place and reconstruct the content’s forensic trail.
EIM solutions offer customers the ability to view the full lifecycle of a piece of information: all of the actions that have been performed on it, by whom and when, including:
• When and by whom an asset is accessed or viewed
• When it is downloaded or copied
• When it is deleted or moved
• When a version is added, viewed, or edited
• When administrative settings or access have changed
Information audit capabilities are an additional layer designed to help you manage and assess threats around your information.
Secure information exchange – preventing data loss
Data leakage and loss from negligent file sharing and information collaboration practices is becoming just as significant a risk as data theft.
• 84% of employees are using personal email accounts to send sensitive files, 51.5% at least daily
• 52% expose company files or data by uploading to a non-secure, public cloud-based service
• 30% of employees have lost a USB drive containing confidential information
Comprehensive EIM solutions offer secure file sharing tools to safely exchange files and keep proprietary, confidential, and sensitive content safe. Capabilities you should be looking for include:
• Data encryption during file transfer and information exchanges – both inside and outside the enterprise – ensuring superior protection of sensitive data
• Date- and time-stamped notifications when messages are received and files are downloaded, allowing for easier tracking, auditing, and more efficient workflows
• Full control over file and data download availability
• Secure messaging that integrates directly with your existing email system to provide enhanced encryption, tracking, protection and control of email
• Secure and efficient exchange of very large files inside and outside the organization
• Compliance with privacy regulations and standards, such as HIPAA, HITECH Act and PCI-DSS
Records disposition – keeping volumes manageable
The more content you have, the more difficult it is to get your arms around it. Information security becomes more manageable and realistic when you reduce data volumes. If your organization stopped hoarding every piece of information it acquires or creates and adhered to compliant records disposition rules to archive or destroy records when retention schedules expire, this would make discovering, analyzing, and defending your sensitive information much easier.
Perhaps the most important component of EIM is effective records management. These capabilities help organizations secure information through legal and records holds and sound information lifecycle management, ensuring that information can’t be accessed or destroyed when doing so would be contradictory to company needs or regulatory obligations.
System of record – know where your information is and classify it
The biggest mistake companies make when it comes to information security is the lack of understanding of where their sensitive data resides because they have not set policies to systematically and routinely classify their data. Consequently, they don’t have controls in place to ensure that all information types are handled appropriately.
At the heart of EIM is a central secure repository for unstructured information. Here, content can have security classifications applied, such as Top Secret, Secret, Confidential, Restricted, and Public. Without a formal data classification scheme, information that third parties consider highly valuable may not be viewed as such internally, and thus may not be managed and secured accordingly. Without a tool to help identify where sensitive data is, an organization likely does not have a handle on it.
If you don’t know what you have, where it is, and why you have it, you can’t expect to apply the appropriate policies and controls to protect it.
EIM and information security – the balance between productivity and protection
High-profile data breaches should be a wake-up call to enterprises everywhere. According to IDC, by 2016, security will be a top three business priority for 70 per cent of CEOs of global enterprises.
Make EIM a core component of your Information Security Strategy. These solutions provide your employees with collaborative access to sensitive data and intellectual property within an approved access control model while preventing data loss and ensuring data privacy and client confidentiality to maintain regulatory compliance.