Data privacy and security has been one of the biggest issues in business and technology over the past decade or so. Since the 2006 Nationwide Building Society incident, when a stolen unencrypted laptop put at risk the personal data of 11 million savers, there has been a regular stream of data breaches.
You only have to turn on the news or go online and you will almost inevitably see reports of these breaches, ranging from retailers to major financial services organisations, and often, government departments. Just last year, telecoms provider TalkTalk reported its third data breach in the previous twelve months, with more than 150,000 customers affected after a teenager exploited a weakness in TalkTalk’s website.
The type of information that is personally identifiable varies greatly from one organisation to the next. For some, it is staff records; for others, it is customer information, transaction records, or even patient data. This is causing management at all levels to focus on their security and data privacy policies and practices, including increased use of data encryption. Yet the breaches still occur – what will it take for senior management to really get behind keeping their data secure?
A growing problem
The insight that can be gleaned from customer data grows ever more important in business. A recent AIIM report showed that thirty-eight per cent of organisations surveyed are highly dependent on sensitive personal content to drive their business processes. Given this, one might think that organisations would place greater emphasis on protecting that data. Yet many organisations are struggling to address data privacy and security, with twenty-five per cent of organisations not encrypting their most sensitive data.
Furthermore, twenty-six per cent of the organisations surveyed suffered loss or exposure of customer data, and eighteen per cent lost employee data. As a consequence, ten per cent received action or fines from a regulator, twenty-five per cent saw a disruption to business, and eighteen per cent experienced a loss of customer trust.
So this is a serious and growing problem. Yet attitudes and motivations toward protecting data are wide-ranging, as are the gaps created by increasing volumes of content and the variety of places it is stored, such as laptops, mobile devices, and the cloud. Many organisations lack a comprehensive information governance regime to deal appropriately with the changing requirements that new technology and content sources introduce.
Correct identification and classification
In order to appropriately protect sensitive information or, for that matter, information of any type, it must first be identified and classified correctly. Many organisations suffer from information chaos: they are aware that misallocated, redundant content resides within their repositories but lack the resources to address the problem.
Accidental exposure of this content, especially if it involves employee or client data, is often raised as a concern. The key, and the challenge, in all of this is to identify the information and content you have, correctly classify and tag it, remove any redundant, obsolete, and trivial (ROT) content, and add appropriate security controls to protect your information assets.
From there, the organisation should conduct periodic information audits, documenting the personally identifiable information (PII) it holds on employees, customers, or citizens and whether it constitutes sensitive personal data. Ensure that information governance policies include security elements related to PII and set out the appropriate use of laptops, USB sticks, and mobile devices in relation to PII. Something as simple as a privacy screen filter on a laptop could mean the difference between secure information and future unauthorised access using that user’s credentials.
Getting data privacy on the board agenda
With twenty-four per cent of respondents in the AIIM research stating that their senior managers do not take the risks of data privacy breaches seriously, getting the C-suite onside is clearly imperative to keeping data secure. This can be addressed by conducting a risk assessment of the PII held and the impact should it be lost or exposed, which will help raise awareness among senior management of the potential consequences of a breach.
Information security and data privacy are practice areas that should involve the entire enterprise, not just information technology (IT) or a select part of the organisation. It is a team effort to ensure security is maintained. Businesses should be more proactive in training and engaging their employees in security practices and in the reporting of unusual activities related to PII.
Information is a corporate asset that must be protected by all. Data breaches can cause untold distress to those impacted, and for the brand involved they can destroy trust and reputation in one move. There is also the real threat of a financial impact, whether that is a fine from a regulator or customers taking their business elsewhere. The time is now for senior management to step up and be proactive in designing an information security framework before it is too late.
Bob Larrivee, Vice President of Market Intelligence at AIIM