Missing in action
In the movies, when the Mona Lisa is stolen, alarm bells ring and the empty frame on the wall makes it clear that something is missing. But in the real world, where information is perhaps the most valuable corporate asset, it can go missing, or be left exposed, without anyone being the wiser: a copied file leaves no empty frame behind.
Boards, especially risk committees, and through them, company executives, are ultimately responsible for ensuring a company's information is secure. Usually this is delegated to the CIO. King III made IT governance a board responsibility; King IV takes things a step further by treating information governance and technology governance as two distinct - though overlapping - areas.
One corollary of this separation, I believe, is that boards are forced to recognise that information exists in its own right, and requires a set of governance practices, namely those relating to the technology infrastructure.
Obviously, as noted, there is considerable overlap, because for the most part data is stored, transferred and processed on the corporate infrastructure. So if the corporate systems are secure, the data is safe, right?
Only partly, I'm afraid, especially when one considers the question of insiders - a company's own employees.
These fall into two broad categories. On the one hand, there are those who are simply unaware of, or unwilling to follow, the security policies that every company has, usually hidden away in plain sight. These are the diligent souls who use a personal, unsecured Dropbox account to transfer audited financials prior to their release on the stock exchange, because it's the 'easiest' way to do it. Or those who copy files onto an unencrypted hard drive to take home so they can do some extra work over the weekend, even though the company provides them with a laptop. And those who use a private Gmail account to send sensitive company information as an attachment to a journalist who needs some background (Hillary Clinton's use of her private e-mail address for state e-mails falls squarely into this kind of insecure behaviour).
Let's also not forget the idiot who watches porn on his company computer at lunchtime, effectively opening the system to some of the worst kids on the block - unfortunately, mom was right when she warned you not to play with the rough kids!
On the other hand, corrupted or corruptible employees may be consciously using their access rights to copy data for the purposes of selling it, or just embarrassing the company.
None of these actions would trigger an alert on conventional ICT systems, yet they are potential data breaches for which the blissfully unaware board and executive team could, one day, be held responsible.
This is a real problem. My company has hard research that indicates one in 40 users mishandles information; that hardly any businesses encrypt information copied to external USB drives or their employees' hard drives; and a whopping 70% of companies have out-of-date versions of Java, anti-virus and Windows software. All of these put corporate information at risk.
So, what's to be done?
Part of the solution clearly lies in influencing employee behaviour, cultivating an ethical culture across the company and keeping security at the forefront. It is also essential to maintain accurate records of which data each employee needs to access to do their work, and to ensure nobody has wider access than that. Access rights drift as people change roles and projects, so this is something that needs to be reviewed continually, not set once and forgotten.
But technology also has a role to play: the right software lets CIOs monitor how data is actually used across the company and analyse those usage patterns for anything suspicious. Really, it's using big data to protect data, which closes the circle nice and neatly. So, if information governance is something that falls into your job description, ask the company CIO these questions:
* Can you tell me what information was copied to USB drives in the past 24 or 48 hours across the company?
* Was the data copied to a secure and encrypted device?
* Which users made the copies?
* Do you know how many files were renamed in the last seven days?
* Which users placed data of any kind into a cloud-sharing service, such as Dropbox, in the last month?
* What is the total number of new applications installed across the company in the last 14 days? How many of these were approved by the IT department?
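To show what "using big data to protect data" looks like in practice, here is an added example, written for this page and not taken from the author or from any J2 Software product, that answers the six questions above from a stream of endpoint activity events. The event schema (one JSON object per line with `ts`, `user`, `event` and a few event-specific fields), the list of cloud-sharing hosts and the sample events themselves are all constructed assumptions; a real endpoint agent or DLP tool will have its own format, but the questions it must answer are the same.

```python
"""Answer the board's six data-usage questions from endpoint activity events.

Added example, not the author's or J2 Software's code. The JSON-lines event
schema and the sample events are constructed for illustration only.
"""
import json
from datetime import datetime, timedelta, timezone

# Fixed "now" so the report is reproducible; a real report uses the current time.
NOW = datetime(2017, 3, 1, 9, 0, tzinfo=timezone.utc)

# Assumed list of consumer cloud-sharing services to flag uploads to.
CLOUD_SHARING_HOSTS = {"dropbox.com", "drive.google.com", "wetransfer.com"}

# Constructed sample log, one JSON object per line, as an agent might ship to a SIEM.
SAMPLE_EVENTS = """\
{"ts": "2017-02-28T17:12:00Z", "user": "alice", "event": "usb_copy", "path": "F:/audited_financials_FY16.xlsx", "device_encrypted": false}
{"ts": "2017-02-27T10:30:00Z", "user": "bob", "event": "usb_copy", "path": "E:/board_pack_march.pdf", "device_encrypted": true}
{"ts": "2017-02-20T11:00:00Z", "user": "carol", "event": "usb_copy", "path": "E:/old_budget.xlsx", "device_encrypted": false}
{"ts": "2017-02-26T14:05:00Z", "user": "alice", "event": "rename", "old": "salaries_2017.xlsx", "new": "holiday_pics.xlsx"}
{"ts": "2017-02-25T09:00:00Z", "user": "dave", "event": "rename", "old": "draft.docx", "new": "final.docx"}
{"ts": "2017-02-15T09:00:00Z", "user": "dave", "event": "rename", "old": "a.txt", "new": "b.txt"}
{"ts": "2017-02-10T16:40:00Z", "user": "erin", "event": "http_upload", "host": "dropbox.com", "bytes": 48123000}
{"ts": "2017-02-27T16:40:00Z", "user": "alice", "event": "http_upload", "host": "intranet.example.com", "bytes": 1200}
{"ts": "2017-01-20T16:40:00Z", "user": "frank", "event": "http_upload", "host": "wetransfer.com", "bytes": 900000000}
{"ts": "2017-02-22T12:00:00Z", "user": "bob", "event": "app_install", "app": "7-Zip", "approved": true}
{"ts": "2017-02-24T12:00:00Z", "user": "carol", "event": "app_install", "app": "FreeVPNClient", "approved": false}
{"ts": "2017-02-01T12:00:00Z", "user": "carol", "event": "app_install", "app": "Slack", "approved": true}
"""


def parse_events(text):
    """Parse JSON lines into dicts, converting the ISO-8601 'ts' field to a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return events


def within(events, kind, now, **window):
    """Events of one kind whose timestamp falls inside the trailing window (hours=, days=)."""
    cutoff = now - timedelta(**window)
    return [e for e in events if e["event"] == kind and cutoff <= e["ts"] <= now]


def usb_copies(events, now=NOW, hours=48):
    """Q1: what was copied to USB drives in the last 48 hours?"""
    return within(events, "usb_copy", now, hours=hours)


def unencrypted_usb_copies(events, now=NOW, hours=48):
    """Q2: which of those copies went to a device that was not encrypted?"""
    return [e for e in usb_copies(events, now, hours) if not e.get("device_encrypted")]


def usb_copy_users(events, now=NOW, hours=48):
    """Q3: which users made the copies?"""
    return sorted({e["user"] for e in usb_copies(events, now, hours)})


def rename_count(events, now=NOW, days=7):
    """Q4: how many files were renamed in the last seven days?"""
    return len(within(events, "rename", now, days=days))


def cloud_sharing_users(events, now=NOW, days=30):
    """Q5: which users uploaded anything to a cloud-sharing service in the last month?"""
    uploads = within(events, "http_upload", now, days=days)
    return sorted({e["user"] for e in uploads if e["host"] in CLOUD_SHARING_HOSTS})


def new_app_installs(events, now=NOW, days=14):
    """Q6: (total installs, IT-approved installs) in the last 14 days."""
    installs = within(events, "app_install", now, days=days)
    return len(installs), sum(1 for e in installs if e["approved"])


def board_report(events, now=NOW):
    """One dict answering all six questions, suitable for a risk-committee pack."""
    total, approved = new_app_installs(events, now)
    return {
        "usb_copies_48h": len(usb_copies(events, now)),
        "usb_copies_48h_unencrypted": len(unencrypted_usb_copies(events, now)),
        "usb_copy_users_48h": usb_copy_users(events, now),
        "renames_7d": rename_count(events, now),
        "cloud_sharing_users_30d": cloud_sharing_users(events, now),
        "apps_installed_14d": total,
        "apps_installed_14d_approved": approved,
    }


if __name__ == "__main__":
    for question, answer in board_report(parse_events(SAMPLE_EVENTS)).items():
        print(f"{question}: {answer}")
```

Run on the constructed sample, the report flags one unencrypted USB copy of the audited financials, a salaries spreadsheet renamed to look like holiday photos, one Dropbox uploader and one unapproved application install. None of these would raise an alert on its own in a conventional system; the value is in collecting the events at all and being able to answer the questions on demand, with the windows and the host list tuned to the company's own policy.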
If the CIO can't answer these questions, then chances are this precious corporate information could be used unwisely by employees who are not security conscious, or it could be slowly and steadily copied for some nefarious purpose.
All of this is information that boards and risk committees need to know. Does yours?
John McLoughlin has been involved in leading technology solutions for over 15 years and is the founder and MD of the J2 Software group of companies. He is driven by a passion for information security and compliance-focused technology offerings. McLoughlin has consulted around ICT policies, enforcement, productivity improvement, cost reduction and data loss prevention to many organisations in South Africa and elsewhere on the African continent. Through his vision, J2 Software is a provider of globally leading technology solutions that fulfil real business needs and deliver competitive advantage to J2's customers.