Just Patch and Pray? Information Security Requires More

Cybersecurity ranks high on the list of things that keep C-Suiters up at night.  And with good reason.  Information is a critical, and sometimes most valuable, asset of modern enterprises.  

Today’s companies are spending more each year on improved perimeter defenses, and that’s a good thing, but it’s not enough. The next question is: are companies sufficiently focused on the role of Information Governance (IG) in improving their cybersecurity profile?  

IG is not simply a new name for records management.  IG represents an enterprise-wide commitment to appropriately govern information throughout its entire lifecycle, from creation or collection through ultimate disposition. Good IG maximizes the value of information while also minimizing its risks.  

Safeguarding information is a key component of IG.  And fortunately, easy to implement IG solutions can address some of the most common causes of security incidents.  Here are a few examples.

Create & Enforce a Records Retention Policy

As the front-end costs of data storage continue to decline, some companies have adopted a “keep everything” strategy.  Putting aside the legal and regulatory issues this can create, a major problem with this approach is that it ignores the unsustainable back-end costs of perpetually storing and securing an exponentially growing amount of data.  The more data a company has, the more it has to secure, which inevitably creates tremendous burdens for information security personnel.  These back-end costs can soar even more in the event of a breach.  Costs and risks can be reduced substantially by implementing and enforcing a legally defensible records retention policy. 

Control Removable Media

The storage capacity of removable media is a real asset in this age of mobile workforces, but it also creates tremendous risks.  All too often, innocent but negligent employees misplace USB drives loaded with confidential corporate data.  Dishonest or malicious employees can easily slip a thumb drive containing stolen data into their pocket and walk out the door.  Companies should consider disabling USB ports and prohibiting downloads.  If that’s not feasible, they should implement clear policies governing what data can be downloaded and whether it must be encrypted.  

Manage Mobile Devices

Mobile workforces combined with the Bring Your Own Device trend create serious security risks. A good Mobile Device Management (MDM) tool allows companies to inventory, track, remotely manage, restore, back up, and — if necessary — lock and wipe devices used by corporate employees.  The demands of the modern workforce make MDM a key IG imperative. 

Protect the Crown Jewels

Every company needs to identify, locate, and limit access to its most important information and ensure that it is adequately safeguarded.  A fundamental issue to consider is whether this data needs to be online — and susceptible to a cyber attack — in the first instance.  Each company’s situation will be unique, and implementation of an appropriate governance scheme tailored to the company’s specific needs should be a priority.    

Awareness and Training

Every IG program should focus on training and ensuring that each employee appreciates the value of corporate data as well as their role in safeguarding it. Statistics continue to show that negligent and non-compliant employees are at the root of many information security incidents, and hackers have escalated their efforts to exploit the risk of employee error with increasingly sophisticated phishing and social engineering schemes.  Internal training efforts to increase awareness of these risks and improve compliance are vital.  Those efforts can be supplemented with outside training programs if desired.   

Final Thoughts

Strong perimeter security combined with solid IG practices can help companies achieve their cybersecurity goals.  And a few extra prayers can’t hurt either.


Thank you for reading this post. I write frequently about information-related issues, including privacy, litigation, governance and cyber insurance. If you’re interested in these areas, please click “Follow” and feel free to send me a LinkedIn invitation, connect on Twitter at @Judy_Selby, and check out my website http://inforisklaw.com/.
