While many organisations have come a long way in relation to information security over the past decade, managing security risks associated with the storing and sharing of information is becoming more complex.
There are a number of questions organisations need to consider in relation to data. What data do they have? How much do they have? What are they using it for? Who has access to it? How long should they hold it for? Should they even hold it at all? It is vital that you keep what you are required to keep, but it is just as important to ensure you do not keep information that you don’t need to.
Historically it has been cheaper to destroy information as opposed to retaining it. However, this is now changing as technology advances and costs reduce. Many organisations are good at retaining and archiving information, but fewer are good at ensuring they do not retain information for too long, or retain information that isn’t required. This can be costly for a number of reasons, for example in relation to the legal disclosure process.
Disclosure is the phase in a lawsuit where each party can obtain evidence from the opposing party by means of access to all information in relation to the case.
If an organisation stores years and years of data this will need to be reviewed and examined by the lawyers. Regardless of whether anything meaningful is discovered, this process in itself can incur significant time and therefore costs.
Whilst this process is becoming more efficient through the use of technology to gather and analyse data, known as e-Disclosure, without an information strategy it will not be as efficient or effective as it could be.
Unless organisations have a clear understanding of what information they are processing, it becomes very difficult to assess the potential risks that may arise and as such impossible to devise an appropriate information management strategy.
Organisations are increasingly sharing electronic information with external parties such as clients, partners and suppliers. Email has become a replacement for the hand-written letter and is something organisations are familiar with. However, there are newer technologies, such as cloud computing and the use of social media, that bring about new challenges for managing data.
These challenges are not necessarily because of technology or security issues, but often due to the lack of understanding or visibility of the provider’s controls.
Organisations must not become complacent in transmitting and storing data externally, for example in the cloud. This is similar to the use of any other service provider as part of an outsourcing arrangement and as such requires careful monitoring on an ongoing basis. It is critical to monitor what third parties are doing with your information, how they are securing the information, and how they are segregating your information from that of your potential competitors.
We all too often see organisations being reactive to issues as they arise rather than proactive. Organisations appear to be better at assessing the risks of implementing new technologies but rarely consider the potential risks from an information management perspective.
Experience shows that when information management issues arise, significant attention will be required from an organisation’s board members, which in itself is a costly process. Interestingly, one in five FTSE companies have experienced issues in relation to information management and security; one such example reportedly resulted in a loss of £800m in revenue for the company. This sort of loss will certainly attract the focus of the most senior employees and board members; devising a suitable information management strategy should therefore also receive full attention from these senior representatives and, importantly, the Chief Information Officer.
Assessing the risks and implementing a strategy shouldn’t be viewed as a time-consuming burden just to cover the ‘what if’ scenario. This process should also be used as an opportunity for organisations to look for efficiencies in how they can better manage data and information, to either provide the innovative edge or use technology to reduce costs.
Even the smallest of organisations are handling increasing levels of sensitive data and failure to have a sufficient policy in place for dealing with information management can be very costly.
As we know well, in the current marketplace any potential increase in costs can have an impact on a company’s ability to continue in business. Similarly, a loss of sensitive data can damage brands very quickly in an ever more connected world.
Take the necessary action now and be proactive in understanding the information your organisation is dealing with and what the potential risks are.