Clouds, in nature as in computing, are big, amorphous and hard to pin down. In an age of cloud computing and the new vulnerabilities that come with it, how can companies best get a handle on their information risk? A new report aims to find out.
The report, “Information Risk: Managing digital assets in a new technology landscape” from The Economist Intelligence Unit, finds "information is now big, borderless and beyond the control of individual companies.” Clouds are only one contributor, complementing risks from collaboration, data sharing, supply chain integration and outsourcing.
The Central Role of Employees
While three-quarters of respondents to The Economist’s global survey of more than 340 executives contend that hardware and software can mitigate risks, the report points out that employees play a central role in creating — or in mitigating — vulnerabilities. Employee carelessness is one of the two most common risks, according to the report — the other being hackers themselves.
Only about one-quarter of surveyed companies report company-wide awareness of information risk, with IT and finance departments being the unsurprising leaders in awareness.
The lack of awareness, training and preparedness also extends to the C-suite: only 23 percent of senior business leaders say they would know what to do in the event of a loss of information, even though half of reporting organizations suffered a data loss in the last two years.
Cloud-based storage and sharing providers can be either a boon to security or a contributor to the problem. Most large providers have stronger security measures than their client companies, the report notes, but the downside of moving to the cloud is that previously off-the-radar company data now becomes part of a brand-name, highly visible target.
There is also the fact that much cloud storage happens at consumer-level security, in the back-ends of consumer-grade apps. The report quotes the chief information security officer at Brown University, who points out that if a researcher uses Evernote to store information about Brown-owned intellectual property, the organization's risk profile is heightened.
Another galloping but risky trend is collaboration, a chain of sharing that leaves any organization vulnerable to the weakest link in what could be many links. Add in mobile, social media and BYOD, and it’s apparent that every one of the most active trends in computing substantially increases the risks.
The report cites several specific steps that can be taken by organizations to advance information risk management. High-profile cyber-attacks in the news, for instance, can be used to stimulate board action, which can include company-wide efforts to move beyond the perception that information risk belongs only to IT.
Regular, audience-appropriate training is advised, as is an assessment of the most business-critical data. Policies should be developed for regularly deleting or archiving unneeded data, while the most valuable data is refreshed and assessed regularly, so that the organization can focus on what matters. Supply chains, including outsourcing partners, need to be assessed and monitored closely, since they have access to vital data, and sharing security strategies with competitors could help spread knowledge about what works in a particular field.
This thorough report reminds us that “information risk will never be eradicated, but it can be lessened to the extent that it matches the risk appetite of the organization.” Achieving this, it advises, requires information risk professionals who understand the business and are embedded throughout, as well as a common, reflexive attitude to minimize and stay aware of the risk.