Cyber security is one of the most important areas of focus for organisations today, and the need to guard against cyber attacks has never been greater. By some estimates, companies now spend around 6% of their budgets on cyber security. Unfortunately, the press still reports "yet another" cyber attack on a regular basis.
Many organisations treat cyber security as a purely technical challenge. It is not. It is an organisation-wide challenge that can, and should, be addressed through an organisation-wide programme, with work streams from IT and from Information Governance (including Data Management, Records Management and Data Protection).
To protect against a cyber attack, you have to know what information and data you hold, and where it is located. In a world of big data, maintaining and managing ever-increasing volumes of data is already a major challenge, and that data is more often than not handled by many people and teams rather than managed centrally. Effectively securing such dispersed data is a different league altogether.
An organisation therefore has to be able to answer five main categories of question before it can implement an effective information protection programme: the what, where, how, why and who of its data.
- What data do you have that needs protecting?
- Where does this data sit? Where does it go? Where does it come from?
- How should this data be protected? Is the priority confidentiality, integrity or availability?
- Why do you have to protect it? Is it valuable? How valuable?
- Who is responsible for the data? Who will own the controls that protect the data?
These questions cannot be answered accurately without input from records management professionals and business owners. This is where cyber security and records management start to merge.
The What: What data do you have that needs protecting?
As already mentioned, to secure anything properly you need to know what you are securing. This sounds obvious, but consultants are surprised by how often they come across businesses that cannot answer the question.
If your business does not have an information asset register that clearly defines the data it stores and processes, including data volumes, then this question has not been fully answered.
The question also has a flipside. If your security controls are circumvented and data is lost or exposed, you need to be able to state exactly which data was affected and what impact that will have on the business. Without an accurate inventory you cannot answer this, and any impact assessment or breach notification will be guesswork.
The Where: Where does this data sit?
Now that you know what data you need to protect: where does it sit? Where has it come from? Where does it flow to? This is a data discovery exercise, and it requires input primarily from records management professionals.
Knowing where your data sits, and where it flows to and from, matters for two main reasons. The first is the obvious one: to protect something, you need to know where to place the controls. The second is that controls must cover the whole of the data's lifecycle, not just one point in it. There is no point in encrypting a database at rest if you then send the same data to a third party over an unencrypted connection (yes, we have seen this happen).
The How: How should you protect your data?
One of the key concepts in cyber security and information protection is the CIA triad. Security controls have one objective: to protect the confidentiality, integrity and availability of the organisation's data and information systems. This sounds simple, but in practice a compromise is often required. Protecting confidentiality usually means controls such as encryption or strict access management, and those controls can reduce availability: data that can only be read with a key, or by a narrowly defined set of people, is unavailable whenever the key or the authorisation is missing.
So before you decide to encrypt every database on the network, and accept both the processing and key-management overhead that brings and the access problems that follow (if everyone is given the key to decrypt the data, is the data really protected?), you need to decide which of the three principles to prioritise for each set of data. Records management professionals play a significant role here.
In a world shaped by regulation, and with each business having different CIA requirements, it takes a records management professional to define the level of protection the data needs, and an information security professional to then provision the controls that deliver it.
The Why: Why should you invest in protecting this data?
Protecting data costs money. To secure funding, you have to give the business a reason to invest. Both disciplines can help here: records management professionals can dissect the complex regulatory requirements around data storage and processing and translate them into concrete business requirements, while information security professionals can advise the business on the risks and impacts of leaving the data unprotected. Together, these give the business a real incentive to protect its data.
The Who: Who will be responsible for protecting the data?
Finally, the who. Once the data and the required levels of protection have been defined, who is responsible for implementing the controls? Who is responsible for maintaining them? Who monitors them and reports any issues that occur? Each control needs a named owner, otherwise it will drift.
Every business should answer these questions to ensure that its records management and information security programmes are as comprehensive and secure as they can be, and answering them requires input from both records management professionals and cyber security professionals.