Organizations significantly invest in protecting networks, but are they doing enough to protect their data and records?
Literally almost every day there are announcements about significant data breaches, the most recent being the current WikiLeaks episode. For years organizations have invested more and more in technology to protect their networks (both externally and internally) as well as for spam protection. Of course this is important and is the right thing to do. You certainly want to keep people from being able to access and manipulate your network; however there is a chicken and egg syndrome here. In most cases, the reason internal or external people want to breach the network is to access important data/records. So it makes sense to put as much focus on protecting the actual data/records as on protecting your network access.
The reality is that no matter how much you invest in protecting your network there is still significant risk that the network can be breached and critical data/records compromised. Also, through daily business processes and exchange of information there is constant access to important data/records inside and outside of network access by your employees and partners. So the fact of the matter is, unless your focus is on network access and data/records protection, you are very vulnerable to being breached from outside parties, employees, or partners whether it be maliciously, human error, or process weaknesses.
Obviously, this is a very complex issue that requires a multi-dimensional approach that focuses on people, process, and technology. It also requires organizations applying the appropriate balance to protect the networks and the data/records.
So what should organizations do? No matter the size or type of organization it starts with the “Tone at the Top”. The Board, Founders/Investors, Officers, and Senior Management needs to develop a sustainable Control Conscious Corporate Culture (4Cs)™ committed to protecting their most important asset, their mission critical data/records and develop a Data Governance Plan that assures success.
From a people perspective it is important to review your recruiting, succession, responsibilities, performance management, training programs, and partner management to assure that you have created the right culture and capabilities to have sustainable success.
From a process perspective the leaders of the organization should then start with assessing the data/records identifying, classifying, and prioritizing the value of all of their data/records. From there it is important to do a risk assessment and Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis both on your network security and your data/records security looking consistently at people, process, and technology.
From a technology perspective your organization certainly needs to evaluate and deploy the right network and spam protection. However, there should be focus on securing data/records on the network, in transit (email, social media, collaboration tools) and on any type of device (desktop, laptop, mobile, printer, copier, USB etc.) with technology that applies “persistent policy security” requiring the data/records that your organization determined to be mission critical or sensitive to “call home” each time it is opened. The policy also allows protection from unauthorized transporting, copying, printing etc. and finally allows you to retract that information when appropriate.
In closing, this may look to be a very complex and restrictive approach. However, if designed based on size and type of company and focusing on the important data/records, it is the appropriate thing to do to protect your organization from financial, brand and customer relations damage, ultimately making your organization more secure, efficient, scalable and valuable.