By: Nate Latessa, VP of Corporate Services
Since 2003, October has been recognized as National Cyber Security Awareness month. It’s a collaboration between the US Department of Homeland Security and the National Cyber Security Alliance and intended to raise awareness for staying safe and secure online.
Cybersecurity month focuses on 5 main topics:
• Every digital user should know how to be safe and secure while using the internet.
• Data breaches & cybercrime don’t discriminate. Everyone is susceptible to becoming a victim.
• Cybercrime is a growing concern that has the potential to affect everyone if our country’s critical infrastructure falls victim.
• Technology is advancing at such a rapid pace that individuals are always connected.
• Cybersecurity plays a role in almost all aspects of our lives by keeping critical systems up and running
Cybersecurity awareness is important for organizations as well as individuals. Cybercriminals have taken advantage of the increase in remote work due to the pandemic and have attacked both technical and social vulnerabilities. We’ve seen an increase in fraud cases involving stimulus funds and Paycheck Protection Program loans in addition to phishing schemes and ransomware attacks, many which have halted operations.
The demand for cybersecurity experts far exceeds the supply. Forbes reports that “the supply of available, qualified security professionals is insufficient and the competition for services has dramatically increased.” Businesses, law firms, and other organizations must make the best of whatever is available.
Monitoring, security software, and audits are valuable, but they aren’t the only ways to reduce risk. Look to your Information Governance program as a first step to bringing data under control and minimizing its exposure to attack.
Understanding information governance
Every organization that holds valuable data needs an information governance program. Information governance is the management of the availability, integrity, and security of an organization’s data. It incorporates standards and policies for how data is used, how it is protected, and who has access to it. It builds on relevant standards and regulations to make sure information isn’t lost, corrupted, or stolen.
Without a governance plan, data will find its way into places where it should not be. No one will be clearly responsible for it, and it will end up on systems that aren’t adequately protected.
Governance covers the entire information lifecycle, which includes how information is ingested, where and how it is stored, what forms of access are permitted, and how it is eventually archived or purged. It specifies where encryption is required.
Reducing the attack surface
In the absence of governance, ROT (redundant, obsolete, or trivial) data accumulates where no one is in charge. Managers don’t necessarily know where it’s stored or who can access it. In a recent InfoGov World study, a comprehensive legacy data clean up project is now the #1 project which IG Practitioners would like to undertake. Cleaning up legacy data is a very effective way to reduce risk without the assistance of a cybersecurity officer who is short supply. If a breach were to occur, bad actors can’t steal what you don’t have. Sensitive data should reside only where it’s needed. A sound governance policy avoids data silos, which force employees to improvise ways of getting information to where it’s needed.
A sound policy keeps critical data off at-risk systems. This includes phones and laptops unless the information is encrypted. It restricts the use of email for such data.
The principle of least privilege keeps risk levels down. Employees should have access only to the functionality and data that they need to perform their tasks. Administrative access needs to be highly restricted.
Migration to modern platforms
Older systems have more weaknesses. A decade-old system was created at a time when security was less urgent. Support for it is likely to be limited or even non-existent. At best, it probably doesn’t take advantage of the latest security technologies or defensible deletion capabilities.
Moving important data to an up-to-date platform is a simple way to improve security. A well-managed cloud system could be easier to run, more reliable, and more secure than an old on-premises system.
The cornerstone of an information governance strategy is data mapping, also known as data inventory. Data maps provide a single location for information about all the data sources in an organization. It describes what kind of information is held, where it is stored, how it is used, and with whom the data may be shared.
A data map allows for better risk assessment because it identifies what systems store personal or sensitive information thus needing the strongest protection. It also aids efforts to consolidate information and reduce redundancy.
Keeping current and complete data map used to be a difficult task, but technology platforms make it much easier as they automate periodic reviews of databases and other storage locations. An up-to-data data map provides rich rewards. Without such a process, unmanaged repositories become glaring vulnerabilities to cyber attack.
If you have valuables in your home, you can protect them by investing in an elaborate security system; but the first step is to make sure they aren’t lying around. You should keep them in a safe or a locked deposit box. Data management gives the same kind of protection to your digital assets. It reduces the chances that an attacker will come across valuable, poorly protected data. Contact us to talk about our information management consulting services or request a free data mapping demo today!