A report from Kaspersky Lab finds that a staggering 73% of companies had internal incidents last year, mostly caused by poor or inadequate training. This is certainly distressing news from an information governance perspective. Let's dig into the numbers a little more and talk about some ways to combat this problem.
The Bad News
The top threats came from "software vulnerabilities and accidental actions by staff, including mistakenly leaking or sharing data". Unfortunately, mid-size and smaller businesses weren't spared from this threat either, as the report also indicates that 31% of cyberattacks are directed at organizations with fewer than 250 employees.
Overall, 42% of confidential data loss is caused by employees, the single largest cause. Cyber criminals are aware of this fact, and it is often the first path they try to exploit when attempting to breach an organization. Most organizations are woefully under-prepared when it comes to training, and this opens them up to a myriad of risk and compliance issues. In fact, 28% of employees surveyed admitted to uploading a sensitive document to a personal cloud system.
These issues have a tangible impact: 21% of companies stated that the internal threats in which they lost valuable data had an effect on their business. Additionally, 60% reported that their ability to function was severely limited after a security breach.
Employee devices were also particularly exploited, with 36% of enterprise businesses reporting that they had mobile devices compromised. This problem has only grown as Bring Your Own Device (BYOD) programs have increased in popularity, often without the proper protocols in place.
Finally, companies are often required to bring in additional help following an incident. Accordingly, 87% of data loss incidents required some form of outside assistance, including IT security consultants, lawyers, and risk and compliance consultants.
How to Fight Back
The good news, however, is that there are some steps that can be taken to prevent these risk and compliance issues.
As we've discussed, the number one way to combat many of these problems is simple education. The responsibility for this training often falls to IT or the risk and compliance team, or perhaps even the records manager. The key to any sustainable education program is buy-in. Start by forming a task force with stakeholders from the appropriate business units. The next step is creating a program that your users will participate in willingly. "Lunch and learns" are often a great way to break up the day and encourage learning. Plus, everybody likes a free lunch!
Being able to track employee progress and ensure that all employees, especially new hires, participate is crucial. If your company doesn't already have a formal onboarding/education process, this is as good a reason as any to begin one. Offering small rewards to those who complete the objectives is also encouraged; the "carrot" is often much more effective than the "stick".
From an information governance standpoint, we can help our users and our organization immensely by taking as much of this process as we can out of their hands. Automating records management through applied policies and retention schedules is a key tenet of an effective information governance program and will go a long way toward preventing risk and compliance issues.
With sensitive records being transferred or disposed of automatically based on policies, employees will be unable to accidentally move, modify or destroy them. This will also increase productivity by reducing redundant, obsolete and trivial (ROT) data and cutting the time spent searching for records.
An attitude of cybersecurity awareness must start at the top and permeate the entire organization. Survey after survey indicates that C-level executives in every industry are putting cybersecurity at the top of their priority list.
With this increased focus on data security, now is the perfect time to bring the overall information governance strategy into the conversation. The potential risk and compliance issues, along with their financial consequences, cannot be overlooked, and all parts of the business must work together to prevent them.
Getting the Complete Picture
As we've discussed in the past, the role of the information governance specialist is changing, and that person must be able to understand the entire scope of the organization's relationship with its data.
This means that directors from every business unit must be involved in any information governance initiative. This proactive approach will prevent major roadblocks in the future and break down information silos that may be holding the business back.
Posted by Andrew Borgschulte