According to a Ponemon Institute report sponsored by IBM, the average total cost of a data breach grew from $3.8 million to $4 million. The study also reports that the average cost incurred for each lost or stolen record containing sensitive and confidential information is up from $154 to $158.
What does this signal for 2017?
Enterprise strategies related to information governance will remain top of mind for senior-level executives. Investments in specific data loss prevention controls, such as encryption and endpoint security solutions, may be a good place to start.
As the new year takes focus, the goal of setting up a strong information governance framework with well-defined roles and responsibilities is an essential practice for any organization with a data management system in place.
Information Governance (IG) goes beyond traditional records management by incorporating Legal, IT, Information Security, Privacy, Compliance, Risk Management, eDiscovery, Master Data Management, Archiving, and more to manage information at the enterprise level in order to support current and future business, legal, and regulatory requirements.
Information is a business asset that has both value and risk.
First you need to know what information your enterprise manages. Once you know what you have, you can focus on protecting the organization’s most important information, since it is impossible to secure all information equally.
- What do you absolutely need right now?
- What might be important down the line?
- What is garbage that will only stink worse the longer you retain it?
The ultimate goal of information governance is to help a business or any other type of organization achieve its objectives. There is no such thing as a one-size-fits-all information governance strategy, though. Each organization must determine what kind of strategy will work for its specific needs and goals.
If creating a solid information governance strategy is on your list of things to do this year, ask yourself a few questions.
Is it time to hire a CIGO?
A Chief Information Governance Officer (CIGO) is a senior executive who oversees gaining value from, and reducing the risks of, information across an organization. A CIGO brings together the functional areas of IG, such as IT, Legal, Records and Information Management, Privacy, Information Security, and Compliance. These functions often intersect: for example, a born-digital record (IT) could be under legal hold (Legal), contain Personally Identifiable Information (Privacy), and require access for only named users (Information Security).
The CIGO is the person who ensures the facets of IG across an enterprise are working together to achieve the common goal of gaining value from information while also balancing risk. If these IG facets are not working together, the result can be data bloat, compliance risks, and a silo mentality in which a lack of sharing and cooperation leads to operational inefficiencies and wastes time, money, and resources.
The CIGO also ensures that the company's IG policies and procedures comply with laws and industry regulations. Compliance also includes employee training to make sure that employees know and follow the procedures and policies laid out by the enterprise IG program. Plus, as the leader for information across an enterprise, the CIGO defines standards for access to business information by third parties (vendors, contractors). This includes developing processes to define the scope of access and to review and approve contract and policy language regarding information access.
How safe is our data?
Establishing an effective information governance strategy (or set of strategies) can help improve the safety, security, reliability, integrity, accessibility and quality of data. This is because an effective information governance strategy will involve a set of rules, responsibilities, standards and regulations, which will affect all types of data that flow through the organization thereafter.
The 2015 Data Breach Forecast by Experian found that employees were the main cause of about 60% of security incidents. Although this type of breach doesn’t make the news in the same way that outside hackers do, the threat from malicious insiders, unauthorized use of cloud services or systems, and negligence by employees who do not know or follow the policies already in place must be taken seriously. Many times these breaches are due to employees leaving passwords written down in plain view, easily guessable passwords, systems with no access control, and human error, all of which can be avoided.
Do we really want to be a digitally transformed organization?
With the rapid growth of digital content, ever-changing compliance regulations, evolving rulings on legal e-discovery, and the persistence of a keep-everything culture, few organizations are prepared to meet current threats head on. Enterprises are under extreme pressure to evolve their business models as part of an enterprise-wide digital transformation that includes automating manual processes and increasing collaborative capabilities—all while balancing the cost of compliance and control mechanisms.
To remain competitive and compliant, organizations must face today's digital realities and make a determined effort to integrate information governance across the enterprise to build a functionally compliant organization. An effective governance program calculates risks around IT investments, and determines how much and which types of risk are acceptable to the enterprise. It positions IT risks within the overall enterprise risk management framework.
Preparing for GDPR
The need for information governance has never been greater. Organizations that manage Personally Identifiable Information (PII) are preparing for the General Data Protection Regulation (GDPR) at this time. GDPR replaces the EU Safe Harbor Directive and will be directly applicable in all EU Member States without the need for implementing national legislation.
GDPR becomes effective May 2018 and requires substantial changes to the information management practices of organizations conducting business activities in the EU. Many organizations manage privacy records across multiple systems, with records from many countries commingled, stored as email attachments, and kept in collaboration sites with no real taxonomy or metadata scheme to identify privacy-impacted records.