Data security and information governance are critical aspects of enterprise operations that are on the minds of C-Suite leaders in all industries. Given the scope and impact of data breaches in recent years, it is clear that no organization is safe from potential cyber theft and intrusion into even the most secure computer networks and data repositories. Hackers have no mercy, and it’s easy to understand how the risks can keep executives awake at night. The question becomes: What are your plans for data security in 2020?
2019 was a tough year
More than 31 million patient records were exposed in the first half of 2019 alone, according to the Protenus Breach Barometer. Organizations at the top of the “hit list” include Quest Diagnostics, the New York-based clinical laboratory provider that experienced a breach on the web payment page of its billings collection vendor, exposing financial and medical information of 11.9 million patients. Georgia Tech was targeted by hackers as well, and the result was the exposure of names, addresses, Social Security numbers and birth dates of 1.3 million faculty, students and staff. Even the Federal Emergency Management Agency (FEMA) fell victim to a breach that exposed the personal information of 2.3 million disaster survivors.
The rising information governance challenge
The threat to information governance has never been so high. As a result, concern over data security has become increasingly intense — and organizations are putting their money where their mouth is. According to research conducted by AIIM International, 51% of organizations say that they are planning to spend “more” or “a lot more” on information governance, records management and digital preservation over the next 18-24 months. Organizations seek to make their compliance efforts more cost-effective and valuable by embracing technologies and approaches that automate governance and compliance.
These investment plans make sense, if for no other reason than the fact that the volume, velocity and variety of information organizations must deal with have, in many cases, outstripped the ability to effectively manage it. Organizations anticipate that the volume of information coming into their enterprise will more than quadruple in 2019. What’s more, over 60% of that information sprawl is unstructured. There is a growing recognition that traditional approaches are failing to address the rising tide of information, making the management of data security, access and compliance an increasingly pressing corporate challenge.
Could you get hacked?
Before you assume that data breaches are always happening to someone else, consider this: Experts tell us that the question is not if it will happen, but when. Should you be worried? Yes. Consider that the chances of being struck by lightning this year are about one in a million. Data security experts put the odds of your organization getting hacked this year as high as one in four. It will take the right kinds of tools and a thoughtful and strategic approach to information governance to rise to the challenge.
The cost of a breach
The cost of a data breach is huge. Ponemon estimates the average total cost of a single data breach at nearly $4 million. For most organizations, that calculation can certainly be much higher in terms of legal expense, information discovery, fines and penalties, not to mention the loss of goodwill in the market. The infamous 2013 data breach at Target, for example, cost the company $162 million initially, with the expense and impact continuing to this day. Indeed, as far as Wall Street is concerned, Target has yet to fully recover.
Attention on automation
In 2020, organizations will take bold steps to adopt automation techniques using artificial intelligence and machine learning to fight the data security battle. Organizations understand that significant spending is required in order to meet modern demands for information security, privacy and governance.
Attention will be tied to efforts to automate key information governance and security processes. When asked which areas are targeted for automation, organizations in the AIIM study ranked content analytics and semantics (57%), data recognition, extraction and standardization (67%), and metadata and taxonomy management (77%) as the top three drivers. Over half are spending in excess of $100K on compliance and governance; 19% are spending more than $500K.
What should you do today to ensure your organization is following best practices in data security? Here are five things you can do to take action.
1) Implement a formal approach.
The road to information security goes through corporate governance. Although information security is not solely a technical issue, it is often treated that way. If organizations are to make significant progress securing their information assets, executives must make information security an integral part of core business operations. There is no better way to accomplish this goal than to highlight it as part of the existing internal controls and policies that constitute corporate governance.
2) Have a plan and stick to it.
Even though the hack happened in 2017, the Federal Trade Commission is still investigating Equifax’s historic data breach, where hackers compromised sensitive data on nearly half of all U.S. consumers. Investigators discovered that the breach could have potentially been avoided had the firm been more proactive in applying the latest security patches to its systems. It is critically important, therefore, to establish and maintain a framework that provides assurance that your information security strategies are up-to-date, being followed, and are not allowed to get behind schedule.
3) Expose overlooked information.
In any organization there is information that is overlooked, never noticed or never thought about. It includes, among other things, information captured in an image archive or document management repository. This information can represent a treasure trove of opportunity for computer hackers who are looking to steal sensitive and private data. Social Security numbers, financial and medical account details, addresses and phone numbers are the types of information found on document images in your archive, and that information can translate into great prospects and profit for cyberthieves. It is important to identify this information and the risks it may present, and to implement protocols to address those risks.
4) Follow the SANS 20.
To stay ahead of the rising rate of attacks, security professionals use a framework called the “SANS 20” — a list of essential security controls that help define and guide strategies and solutions for effective cyber defense. The SANS Institute is an international consortium of U.S. and international security agencies and is the most trusted source for information security training and security certification in the world. The SANS 20 have become an accepted standard for developing security controls and functions that are effective against the latest cyberthreats. It is a valuable checklist that you can also use to evaluate how your systems and strategies address major threats and vulnerabilities.
5) Make it personal.
While data security and information governance may seem like technology issues, the truth is that security often comes down to the humans involved. Cybercriminals are becoming increasingly ingenious and sophisticated. Attacks are both more frequent and more complex, and most often they are targeted at the people within an organization — from the basement to the boardroom.
The time has come to get serious about data privacy. Organizations of all sizes and from all industries must place the privacy and security of information on the front burner of strategic concerns. Take steps to review and prioritize the risks posed if information should be lost or stolen. Build intelligence into governance processes through automation, and leverage advanced techniques in AI and machine learning to bolster the process. Look for providers and partners that provide the right mix of experience, vision and advanced capabilities that leverage the full value of technology to battle cybertheft.
Kevin Craine is the managing director of Craine Communications Group. He is a writer, podcaster and technology analyst, as well as the author of the book Designing a Document Strategy and a respected authority on document management and process improvement. He was named the No. 1 ECM Influencer to follow on Twitter.