The Impact of Information Governance on Cybersecurity
One of the biggest paradoxes I’ve seen in the world where security and governance cross is that somehow the cybercriminals seem to know more about your exploitable content than you do. True security requires organizations to understand what data they have to protect. Hackers know exactly what they’re after, but the fact is many businesses have no idea what data they’ve got.
Ignorance isn't bliss. If you don’t know what data you have, and you suffer a breach as a result, this poses a huge competitive and reputational risk. On top of that, regulations like the EU General Data Protection Regulation (GDPR) now attach penalties of up to €20 million or 4% of global revenue for the poor data privacy that breaches often reveal.
When it comes to understanding your data, knowledge is power, and these types of "unknown unknowns" are serious liabilities. No matter what level you're at in your organization, you need to answer the same question: "How can I effectively manage or protect my information if I don't know what I have?"
Where Are Your Crown Jewels—And Your Data Skeletons?
It takes a long time for most organizations to detect data breaches—often hundreds of days. That means most attackers have several months to rummage around in your network before you discover them. Usually they don’t need it; attackers generally do research about your organization before they break in, ensuring they get what they came for fast.
If you suddenly found yourself with administrator access to a large organization, it wouldn’t be practical to randomly browse around looking for something important. Attackers know they will be caught eventually, so they will likely develop their own strategy toward attacking targets, prioritizing:
- External facing applications
- Shared drives focused on financial activities
- Shared drives focused on marketing activities around new customers
- Human resources applications.
They tend not to bother with:
- Shared drives focused on storing company photos
- Social media applications
- Common shares containing “administrivia.”
Because they are forced to prioritize their efforts, attackers have a very clear mandate to understand where the most valuable information resides. You need to apply the same level of rigor to understanding your data map and protecting your crown jewels in order to stymie (or at least more quickly detect) the activities of attackers.
Remediating the Risk
Nuix Data Finder for information governance can help you understand your data (and your risk) by conducting a targeted audit of your systems. Mapping your data’s contents and patterns offers a broad view of the challenges and opportunities you will face when it comes to the people, process, and technology efforts necessary for transformation.
To complete this journey successfully, you will need to execute your technology strategy effectively on several points.
Understand Where Your Valuable yet Unsecured Data Resides
For most cybersecurity solutions, the initial questions are about what the organization considers to be its crown jewels. However, there can be a gap between what people inside the organization think and what the actual data suggests. For most companies, the crown jewels often include any stores or even individual instances of sensitive, personal data—anything that can be used to directly or indirectly identify an individual.
Inventory your data sources: Understand your network shares, SharePoint sites, email systems, and cloud storage to see what requires the most security, and what you don’t need to stay up at night worrying about.
Eliminate Content with No Business Value
A good records management or targeted cleanup process will do wonders to get rid of content that has little value but a lot of potential cost. If the goal is risk reduction, eliminating just the large-volume, short-retention-period data will have a big impact on storage costs and help eliminate unnecessary stuff, which shrinks your risk profile.
Improve Processes to Eliminate Risky Behavior
“How did all that private data get placed on an unprotected shared drive?”
Questions like this are common. Do the investigative work to see if it was a one-time event or if it’s happening regularly as part of a process. If it’s a trend, you can minimize future problems by fixing risky processes and shrinking the gaps in your security model.
Employees will often do what is easiest for them to perform their jobs effectively, not securely. Make it as easy as possible for them to put data in a secure location rather than an unsecure one.
Focus Your Searching Efforts
Using a targeted tool like Nuix Data Finder lets you find private data much faster than traditional indexing tools because it only looks for specific data elements (like credit card numbers or employee IDs) rather than trying to account for everything. If your goal is strictly to find and quantify your crown jewels, this approach can save you years.
If you need a broader or more iterative solution, Nuix Data Finder works within Nuix Workstation.
Design Systems and Processes with Governance, Retention, and Security in Mind
Your information governance committee is there for a reason. Each of the traditional information governance perspectives (records and information management, compliance, information security, enterprise content management, IT, and business) has a specific reason for saying what you need to protect, why you should protect it, and how long you should keep it. The committee can give all these perspectives due consideration and guide the design of the organization’s systems and processes.
Benefits to the Business
Why should hackers know more than you do? This information asymmetry is a direct threat to your business. Cybersecurity threats are a common, expected, and unfortunate part of doing business. Not knowing what’s in your data becomes as dangerous as leaving it unsecured in the first place.
With potentially heavy fines under privacy regulations such as the CCPA or GDPR, being complacent about data assessment now exposes your business to serious fiscal and reputational threats. Saying “We didn’t know we had that data” has never been an acceptable answer. Now, the consequences are even more severe.