Businesses need to get better at understanding their data, but they face many hurdles and challenges along the way. Here, we outline our recommendations to help organisations recognise the importance of their data – and ultimately achieve a more mature approach to information risk management.
Information security should be treated like an enterprise-wide, consistently applied risk management issue. This means nominating a system-wide owner – often the chief revenue officer or chief financial officer, if not a dedicated chief information security officer – as well as a ‘coalface’ owner at the operational level. It means accepting that your data is a strategic asset that should be risk-rated and incorporated into the risk register.
Having an enterprise-wide owner of information risk management also makes it easier to ensure that effective data categorisation or assessment are built into projects at the start.
There are several parts to security by design. One is ensuring that a range of functions are involved in the ongoing assessment and policy-setting process – not just the individual data owners.
Responsible data destruction reduces the likelihood of a data breach. “You can have a policy around transactional records and sales presentations and specify how long it is to be kept around,” says one of our respondents. “Then you need to take steps to get rid of the data. Things that are kept in email folders, or things that are not under any record hold, would automatically be purged and deleted.”
Sunil Chand of Grant Thornton Canada believes that destruction should be built into any agreed handling standards around data. “Your data’s usefulness will be dictated by business need, legislation, regulation, and whether you are going through litigation,” he says. “The best approach, and it’s a simple one, is to have a data destruction policy with accompanying manual or automated controls to enforce as standard unless you still need the information or will need it in the future.”
Getting your employees to better appreciate the reality of cyber threats means engaging them on a human level and avoiding technical jargon and ‘geek speak’. Build IT teams that can bridge the communications gap between business users and technical tools using layman’s terms.
Training plays an integral role in improving awareness and resilience among employees, especially in ensuring that people start to think about data risk as second nature. “Any hacker will tell you that the weakest point in a system is the people,” warns Grant Thornton’s Andrew Harbison. “So you need to focus on training, training, training”
The benefits of better data understanding extend far beyond effective cyber security. Companies can incentivise their employees to understand their data by pointing to the additional value that can be unlocked during the process.
In recognition that cyber risk is only going to become more pronounced as new technologies come on stream, most organisations accept that they need to get better at managing the threat. Cyber risk needs to be approached with an attitude of continuous improvement, and our strongly-held view is that this isn’t possible unless you also have a clear and dependable picture of the data you have.
Above all, data should be seen as a critical business asset – yet our research suggests that many organisations do not perceive it as such. They aren’t doing enough to understand what they have and how to protect it. Even when they do take steps to improve how they look after their data, they often do so with legacy tools and approaches that are not sufficient to measure, manage and put a price on non-physical risk.
And yet, a workable and effective approach is certainly within reach. First of all, organisations need to accept that their data is too big – and too important – to ignore. Beyond this, they need to be pragmatic. If you assume that someone, at some point, will find a way to hack into your systems, you will make sure that your most valuable data remains unassailable.
Ultimately this means understanding what your crown jewels are – depending on your industry, your risk profile and your business goals – and allocating specific controls. It isn’t a straightforward activity, or even a finite one, but it is an indispensable part of risk management in the digital era.
