It Lurks In The Last Place You Look – Preventing (Or At Least Mitigating) Employee Data Leakage

BakerHostetler
Recognized as one of the top firms for client service, BakerHostetler is a leading national law firm that helps clients around the world address their most complex and critical business and regulatory issues. With five core national practice groups — Business, Labor and Employment, Intellectual Property, Litigation, and Tax — the firm has more than 970 lawyers located in 14 offices coast to coast. BakerHostetler is widely regarded as having one of the country’s top 10 tax practices, a nationally recognized litigation practice, an award-winning data privacy practice and an industry-leading business practice. The firm is also recognized internationally for its groundbreaking work recovering more than $13 billion in the Madoff Recovery Initiative, representing the SIPA Trustee for the liquidation of Bernard L. Madoff Investment Securities LLC. Visit bakerlaw.com
United States Technology

Outside hacking attacks grab headlines. Data breach concerns cause sleepless nights within the C-suite of many organizations. And ransomware strikes fear into companies without sound backup practices and true Information Governance programs. But a different (and sometimes more sinister) problem often goes undetected within the four walls of those same organizations' firewalls and barriers to entry. It's not radon. It's the issue of data compromise or "leakage," perpetrated by employees, to the tune of billions of dollars every year.

In "Technological and Information Governance Approaches to Data Loss and Leakage Mitigation," a recent article published in Computer Science and Information Technology as part of the proceedings for the 12th International Conference on Cyber Warfare and Security (ICCWS 2017), the authors addressed this issue. In particular, the article examined the insider (and sometimes existential) threat employees pose when those employees simply access and utilize systems they need in order to do their jobs. Sadly, much like customer service jobs that would be perfect but for the customers, employees present a "conundrum where [those] employees are both the potential creators as well as the potential solution(s) to an insider threat." That is, when an employee single-mindedly pursues a business task or objective, he or she may employ a data transfer mechanism that operates as a "bit player[], used only for a one-off data transfer or movement according to a fleeting purpose," that also subverts the organization's data protection strategy in ways not contemplated by IT professionals, who are geared up to fight a battle against foreign agents and outside threat vectors.

To address the challenge of employees who act wrongly (intentionally or not), the article's authors present a set of Information Governance factors for C-suite strategists and their advisers to consider when examining IT data management as a whole.

  • Understand the data you hold.

This factor implores organizations to construct a data map comprising IT assets as well as employee behaviors. The data map should incorporate the triumvirate of data in use, data in motion and data at rest, and it should be a living document, "evergreening" as the organization's IT and personnel change.

  • Quantify your data's value.

The authors note that not all data is created equal, and outdated data can be worse than "worthless" – it may, in fact, add to risk (if breached or if outdated data is used incorrectly) without providing any value whatsoever.

  • Define the "crown jewels" and determine what losing them would mean for business operations.

"Value" can be an abstract term; breaching a contract due to data loss or compromise may exact a specific penalty, but what might that also mean for the organization's ongoing or future operations?

  • Determine ancillary data loss consequences for the organization and its stakeholders.

"Loss" means more than money, and reputations may be even less recoverable than dollars and cents.

  • Balance loss mitigation strategies against ongoing operations and efficiencies.

A BYOD strategy might invigorate employees and save thousands of dollars in upfront IT costs. But what are the back-end costs to managing and deploying patches to a patchwork of devices and employees who are too busy to update their iPhones?

  • Data leakage strategies must be "recursive" – plan, deploy, and plan again; learn from implementation and past history.

This final point is perhaps the article's most salient: Strategies, like data maps, are live and must be maintained. Unlike the support of a static corporate mission statement, individuals in charge of the data leakage strategy are actively considering new technologies, changes in IT practices, and employee behaviors and practices. It should not require a crisis, an ongoing leak or an incident's aftermath to kick-start an active approach. Instead, these factors should be considered as part of the checklist for onboarding IT systems, examining employee policies, and rolling out company directives that deal with data and related employee utilization.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
