Information is everywhere in today's enterprise — and it's never been more important for organizations to manage it effectively.
Data security is crucial.
While cybersecurity organizations focus on preventing outside threats, companies must look inside and examine how their information management policies affect their valuable asset that is information.
Balancing Risks, Rewards
According to Gartner, by 2020 the greatest source of competitive advantage for 30 percent of organizations will come from the workforce’s ability to creatively exploit digital technology. “In a successful digital workplace, engaged employees are more willing to change roles and responsibilities and embrace new technology,” said Matt Cain, vice president and distinguished analyst at Gartner.
From an information management perspective, the digital workplace can seem like a minefield for compliance violations. This concern must be balanced with the reality that the modern digital workplace is here to stay — and a crucial way to attract talented employees.
In most organizations, information management policies are not a priority of end-users. Few of them have deep understanding or the policies or the expertise to apply them correctly.
But information is useless if it can't be found in a timely and efficient manner. Organizations need to have policies to ensure the data is organized and complete, as well as to address when data can be deleted.
Redundant, obsolete and trivial (ROT) data has a huge impact on productivity and occupies a large percentage of a company's data storage. A recent survey from AIIM found "up to 80 percent of electronically stored information is ROT."
A recent white paper from IDC, sponsored by Coveo and Lexalytics, reveals some interesting statistics. It found 90 percent of all digital information is unstructured content locked in a variety of formats, locations and applications and is made up of repositories that do not communicate with one another. Because of this, users are forced to use disparate systems. In fact:
- 61 percent regularly access four or more systems
- 15 percent access eleven or more systems
Searching for Information
This of course leads to time spent looking for the right data. Workers, on average, spend 36 percent of their day looking for and consolidating information. But 44 percent of the time, they can't find the information.
This lost productivity has a very real financial cost. Based on workers earning annual salaries of $80,000 and working an average workweek of 41.8 hours, the cost of time wasted searching and not finding data is $5,700 per worker per year, IDC estimates.
That means for an organization with 1,000 knowledge workers, $5.7 million is wasted annually.
Addressing Risks in the Digital Workplace
Organizations should assemble a team to address the risks in the digital workplace.
A good place to start may be your company's general counsel. Since many of these risks deal with regulations and compliance, the legal department will be particularly motivated to mitigate these issues. But it is also important to include the records team and of course a key stakeholder from the IT department.
Step Back and Assess
Once a team has been assembled, the first step is to ensure we have a complete view of all the places company data could be living. It is crucial to know what types of records are being stored, if any protection processes are in place as well as who has access to this data.
It is important to impress upon all employees the seriousness of information management as their cooperation will be necessary. The key here is to understand the true scope of the data and where it is moving, paying special attention to sensitive information.
Remember, completeness is more important than swiftness.
Create New Rules
Once the extent of the digital workplace data is determined, it is time to set the new rules and processes to address it. The key consideration here will be to balance stringency with usability. While protecting sensitive records is clearly the goal, overly complicated workflows will be the undoing of any information management project. This is why automation, whenever possible, is crucial.
Here are eight simple rules to address risk:
- Clearly establish ownership of compliance and data privacy
- Assess the process for any information shared outside the organization
- Identify any Personally Identifiable Information (PII) and create appropriate business processes that include IT, legal and the records management team
- Ensure policies are in place to meet federal, state, local and industry regulations
- PII must be limited not only by user but by location
- Clean up ROT data based on an approved retention schedule
- Use encryption techniques whenever possible
- The ability to have audit trails, logging and monitoring is essential to defensible disposition
Along with the rules will be the decision on which apps will be allowed in the digital workplace. If you find for example, that many employees are using Dropbox, it may make sense to allow this app to be used going forward under the control and supervision of the IT and legal departments.
Clearly Communicate the Plan
Of course, these rules will be useless if they are not properly communicated throughout the organization. The team should develop a plan for the announcement and subsequent follow-ups needed to ensure compliance.
At this stage, it would be pertinent to involve stakeholders from every department because they will help to inform their teams as well as spot any potential issues the new policies could produce. Since every department may have different processes when it comes to information, this involvement is critical. Additionally, having the message come from people within their own department will make it more relatable.
As we all well know, data breaches are becoming more common. In the introduction to their book Cybersecurity and Cyberwar: What Everyone Needs to Know, Peter W. Singer, director of the Center for 21st Century Security and Intelligence at D.C. think tank Brookings Institution, and noted cyber expert Allan Friedman, state that 97 percent of Fortune 500 companies have been hacked — and the remaining 3 percent likely have, too, although they don't know it.
In today's world, it is not a question of "if" a breach of some sort will occur at a given organization but a "when."
A very public and embarrassing example of this was Sony Pictures, which you can read more about here. This was due to lax security around the data and poor policies in place, including but not limited to retention schedules and proper disposition.
Information management is essential to information security.
What Lies Ahead
Now that some of the potential benefits and risks of the growing digital workplace have been addressed, how can we ensure proper information management?
As mentioned, data is being created at exponentially increasing rates and that new data is being added to the existing ROT data clogging up a company's storage.
This means an organization needs to establish and overarching and complete data governance plan that involves every business unit. Automation is also a requirement given the amount of data that needs to be governed. This ensures less reliance on employees to not only take the time to classify records, but to do so correctly.
Additionally, integrating this program into existing workflows will drastically increase adherence and compliance.
By not forcing your users to greatly alter their daily activity, they are more likely to participate fully. Clear and simple direction on the process and expected outcomes of your data governance program will also keep everyone on the same page.
Locate Your Information
The business must understand where their data, especially those classified as records, is located and what the stages of those records' lifecycle look like. It is also important to know who is generating this data, who has access to it and how it is being transferred.
There must be a complete picture of what a record looks like throughout it's useful life and what is done with it after its usefulness has expired.
As a basic example, keeping personally identifiable information (PII) separate and locked down to only certain departments or employees is a simple step that must be taken for not only the potential harm to an individual but the liability the organization could face in the case of a breach.
As discussed, most data is unstructured within a typical organization. This is the root of the problems faced when attempting to retrieve the proper information within a digital workplace.
The first step is working with the department directors to establish which types of documents are critical and declared as records.
Once that has been established, these content types will need to be included in the overall file plan and the proper metadata must be included when these records are being declared. This not only eliminates confusion, it is the engine that allows automated software to correctly apply policies to records.
As for the legacy data your company currently has, the decision on how that should be handled is best done case-by-case. Sometimes, an entire obsolete repository or library can be disposed of without fear of lost business critical information. But unfortunately, it is rarely that simple.
Just Get Started
Regardless of where you are in your information management journey, the most important thing is to take that first step. Every day, more and more data is being created and the hole you're digging is getting deeper and deeper.