Lee Meyrick, Director of Information Management at Nuix, outlines four governance rules for minimising the potential for – and damage suffered from – data breaches
Data breaches are expensive for organisations and hugely profitable for those in the business of identity theft, credit card fraud and cyber-espionage. The costs of a single high-profile data breach can run to millions of dollars, and the breach can take months to resolve even after it has been detected.
One of the main reasons organisations take so long to detect and remediate breaches is that they are unsure where their high-risk data is stored and can’t target those systems for investigation. Instead, they must take the time to collect data from a wide range of sources which may include employees’ ‘bring your own’ devices. Alternatively, they can collect from a random sample of devices, but they risk missing the compromised systems.
To further complicate the search, typically 80% of an organisation’s data is unstructured human-generated information including email and the contents of file shares. It often lives in proprietary formats such as email databases and archives that are difficult to search and understand.
Meanwhile, the clock is ticking: data has gone missing, costs are building up and there is an ever-present risk that someone could exploit the same vulnerability again to do more damage.
Knowing this, information security, information governance and records management specialists must become ‘good shepherds’ of their data to reduce the costs and extent of cybersecurity breaches. In this model, data shepherds know where all the sheep are, segregate them into separate fields, make sure the fences between fields are sound and regularly check to ensure the sheep are healthy and not due to be made into shepherd’s pie. In this way, even if a wolf manages to get into one of the fields, most of the flock will be safe.
Applying this model can have huge impact on how secure your organisation is from data breaches and how effectively you can respond to incidents – internal or external, deliberate or accidental. It also gives you a clearer understanding of what data is worth so you can concentrate on protecting the high-value data and easily calculate the return on your security investments.
Here are four steps to becoming a good shepherd:
- Defensibly delete data that has no business value
Organisations store large volumes of electronic detritus. That’s data that has no business value because it’s duplicated, trivial, no longer used or past its retention period. It may contain unknown business risks or confidential information. While most organisations have strict compliance rules around how long they must retain data, once the retention period is over, the risks and costs of keeping that data greatly outweigh any residual value. Deleting this low-value data, according to predefined and legally sanctioned rules, reduces risks and also minimises the volume of data that could be compromised. This, in turn, reduces the scope of a post-breach investigation.
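As an added illustration of the rule above (this is example code written for this article, not Nuix software), the script below walks a file inventory and flags two classes of deletion candidate: files older than their category's retention period, and byte-for-byte duplicates of a copy already seen. The retention schedule, legal-hold list and inventory are all constructed for the example; in practice the schedule and hold list come from records management and legal, and the inventory from a file-share crawl or an indexing tool. Files on legal hold are skipped outright, which is what makes the deletion defensible rather than merely tidy.

```python
"""Flag defensible-deletion candidates in a file inventory.

Added example, not Nuix code. Runs against a constructed in-memory
inventory so it works offline.
"""
import hashlib
from dataclasses import dataclass
from datetime import date

# Constructed retention schedule: maximum age in days per record category.
RETENTION_DAYS = {"invoice": 7 * 365, "draft": 180, "log": 90}

# Files on legal hold are never deletion candidates, whatever their age.
LEGAL_HOLD_PATHS = {"/shares/finance/invoice-0042.pdf"}

# Date the sweep is run (constructed).
AS_OF = date(2016, 6, 1)


@dataclass(frozen=True)
class FileRecord:
    path: str
    category: str
    modified: date
    content: bytes  # a real crawl would hash the file in chunks, not load it


def sha256_hex(data: bytes) -> str:
    """Content hash used to recognise byte-for-byte duplicates."""
    return hashlib.sha256(data).hexdigest()


def deletion_candidates(inventory, today, retention=RETENTION_DAYS,
                        legal_hold=LEGAL_HOLD_PATHS):
    """Return {path: reason} for files past retention or duplicating an
    earlier copy. The oldest copy of duplicated content is kept as the record."""
    first_seen = {}   # content hash -> path of the copy we keep
    candidates = {}
    for rec in sorted(inventory, key=lambda r: (r.modified, r.path)):
        if rec.path in legal_hold:
            continue  # hold overrides every other rule
        age_days = (today - rec.modified).days
        limit = retention.get(rec.category)
        if limit is not None and age_days > limit:
            candidates[rec.path] = f"past {rec.category} retention ({age_days} days old)"
            continue
        digest = sha256_hex(rec.content)
        if digest in first_seen:
            candidates[rec.path] = f"duplicate of {first_seen[digest]}"
        else:
            first_seen[digest] = rec.path
    return candidates


# Constructed sample inventory.
SAMPLE_INVENTORY = [
    FileRecord("/shares/finance/invoice-0042.pdf", "invoice", date(2008, 1, 1), b"invoice 42"),
    FileRecord("/shares/finance/invoice-2007.pdf", "invoice", date(2008, 3, 1), b"old invoice"),
    FileRecord("/shares/eng/spec.docx", "draft", date(2016, 3, 1), b"spec v1"),
    FileRecord("/home/alice/spec copy.docx", "draft", date(2016, 4, 1), b"spec v1"),
    FileRecord("/var/log/app.log", "log", date(2016, 5, 15), b"started"),
]


def sample_candidates():
    return deletion_candidates(SAMPLE_INVENTORY, AS_OF)


if __name__ == "__main__":
    for path, reason in sample_candidates().items():
        print(f"{path}: {reason}")
```

Running it reports the expired 2007 invoice and the stray copy of the spec in a home directory, while the held invoice and the current files are left alone. The output is a candidate list for review, not a delete command; the deletion itself should be a separate, logged step.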
- Herd valuable data
Many organisations have intellectual property and company records stored inappropriately in file shares or email attachments. Records managers and end users alike struggle to find the time to ensure records are always filed correctly. Information governance technology can locate these records ‘in the wild’ and move them to controlled repositories with appropriate security, access controls and retention rules. This makes it much harder for anyone to gain unauthorised access, and makes it easier to get use and value from the records.
- Enforce data security
Increasingly strict regulations around data privacy and financial information make it imperative to hold personal, financial and health details of your employees and customers in the strictest confidence. But even when organisations set up controlled repositories for this information, it regularly escapes, whether through poor policies or employees not following the rules. By conducting regular sweeps of email, file shares and other unprotected systems, organisations can quickly locate and remediate unprotected private data. High-risk data should then be protected with appropriate encryption and access controls.
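The ‘sweep’ described here, and the ‘locate records in the wild’ step two rules earlier, come down to the same mechanism: scan everything outside the controlled repositories for content that belongs inside them. The following is an added example written for this article, not Nuix code. It works on a constructed map of path to extracted text (a real sweep would crawl shares and mailboxes and extract text from each file first), looks for card numbers and email addresses, uses the Luhn check to discard order and phone numbers that merely look like card numbers, and masks what it finds so the report itself does not become another unprotected copy.

```python
"""Sweep unprotected locations for private data that belongs in a
controlled repository.

Added example, not Nuix code. Documents are a constructed in-memory
map of path -> extracted text so the script runs offline.
"""
import re

# Candidate card numbers: 13-16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test: rejects order numbers and phone numbers that
    happen to have a card-like length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so the report is not itself a leak."""
    return "*" * (len(value) - 4) + value[-4:]


def sweep(documents, protected_prefixes):
    """Return (path, kind, value) findings for private data found outside
    the controlled repositories named by protected_prefixes."""
    findings = []
    for path, text in documents.items():
        if path.startswith(tuple(protected_prefixes)):
            continue  # already inside a controlled repository
        for m in CARD_RE.finditer(text):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 16 and luhn_ok(digits):
                findings.append((path, "card", mask(digits)))
        for m in EMAIL_RE.finditer(text):
            findings.append((path, "email", m.group()))
    return findings


# Constructed sample documents. 4111 1111 1111 1111 is the well-known
# Luhn-valid test number, not a real account.
SAMPLE_DOCUMENTS = {
    "/shares/sales/q2-orders.txt":
        "Order 1234567890123 for bob@example.com paid with card 4111 1111 1111 1111",
    "/vault/cards.csv": "4111111111111111,active",
    "/home/alice/notes.txt": "call the supplier on 0412 345 678 tomorrow",
}
PROTECTED = ("/vault/",)  # constructed controlled-repository prefix


def sample_findings():
    return sweep(SAMPLE_DOCUMENTS, PROTECTED)


if __name__ == "__main__":
    for path, kind, value in sample_findings():
        print(f"{path}: {kind} {value}")
```

On the sample data the sweep reports one masked card number and one email address in the sales share, ignores the 13-digit order number because it fails the Luhn check, and skips the vault because it is already a controlled repository. Each finding is then a remediation task: move the record, or encrypt and restrict it where it sits.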
- Maintain appropriate access controls
Organisations should apply policies to ensure the only staff members who have access to important data are those who need it to do their jobs. It is also essential to regularly audit access controls on important systems and employees’ security profiles to ensure the policy theory matches reality.
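Checking that ‘policy theory matches reality’ means comparing an exported access list against the policy and the staff directory. The script below is an added example written for this article, not Nuix code; its policy, directory and ACL export are all constructed. It flags four kinds of mismatch a practitioner would want surfaced: a repository nobody has written a policy for, a grant to a catch-all group, a grant to an account that is no longer in the directory, and a grant to someone whose role the policy does not permit.

```python
"""Audit repository access against a role policy.

Added example, not Nuix code. Policy, directory and ACL export are
constructed; in practice the export comes from the file server or
repository and the directory from HR or the identity provider.
"""

# Constructed policy: roles permitted on each controlled repository.
POLICY = {
    "hr-records": {"hr"},
    "finance-ledger": {"finance", "audit"},
    "engineering-wiki": {"engineering", "hr", "finance", "audit"},
}

# Constructed directory of active staff: user -> role. Anyone absent has left.
DIRECTORY = {"alice": "hr", "bob": "finance", "carol": "engineering", "dan": "audit"}

# Well-known Windows groups that effectively grant access to everyone.
BROAD_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}

# Constructed ACL export: (repository, principal with access).
ACL_EXPORT = [
    ("hr-records", "alice"),
    ("hr-records", "carol"),            # engineer on HR data
    ("finance-ledger", "bob"),
    ("finance-ledger", "erin"),         # account not in the directory
    ("engineering-wiki", "carol"),
    ("engineering-wiki", "Everyone"),   # catch-all grant
    ("legacy-share", "bob"),            # repository with no policy at all
]


def audit(policy, directory, acl, broad_groups=BROAD_GROUPS):
    """Return (repository, principal, problem) for every ACL entry the
    policy does not justify."""
    findings = []
    for repo, principal in acl:
        if repo not in policy:
            findings.append((repo, principal, "repository has no policy entry"))
        elif principal in broad_groups:
            findings.append((repo, principal, "broad grant to a catch-all group"))
        elif principal not in directory:
            findings.append((repo, principal, "principal not in directory (stale account)"))
        elif directory[principal] not in policy[repo]:
            findings.append((repo, principal,
                             f"role '{directory[principal]}' not permitted by policy"))
    return findings


def sample_audit():
    return audit(POLICY, DIRECTORY, ACL_EXPORT)


if __name__ == "__main__":
    for repo, principal, problem in sample_audit():
        print(f"{repo}: {principal}: {problem}")
```

Run on the sample export it produces four findings and is silent on the three grants the policy justifies. The unpoliced repository is deliberately reported first: an access audit that only checks systems someone remembered to write a policy for misses exactly the places data tends to escape to.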
A change of mind-set
Through these efforts organisations can minimise the opportunities for malicious or accidental breaches of important information. If you know where your data is, you can respond efficiently to breaches by first targeting the high-risk storage locations. This in turn means you can close information security gaps quickly before they can be exploited again.