Security Experts:

Protecting The Information That Matters Most

Protect Assets That Matter Most to Help Avoid Events that Could Damage Brand, Compromise Customer Trust and Erode Shareholder Value.

Information is the lifeblood of most businesses and is often a critical factor in a company’s pursuit of its business goals. Access to this information, and ensuring its integrity, is increasingly essential to effectively conducting day-to-day business and generating growth and competitive advantage. Yet, as critical as information is to an organization, it also has real value to criminals and can cost an enterprise considerably if it is breached or misused.

(Figure: IT Security Priorities)

Despite these risks, locking down sensitive information – which would essentially render it useless – isn’t the answer. Freely using and distributing information provides employees and partners with the information needed to do their jobs, enabling the development of more robust strategies, better decision making, increased innovation and greater efficiency. Thus, companies must determine how they can unlock the power of information to enable business growth while also protecting the information assets that matter most.

Balancing these seemingly conflicting objectives is a critical issue, particularly as computing becomes more distributed and interconnected. According to Accenture research, implementing data protection controls ranked as the highest priority for CIOs at large enterprises.

A balanced information protection approach should not only take into account how information is used by the enterprise, but also consider process, compliance and governance as being just as important as technology and, perhaps most important, it must not become a burden on the business.

Types of Corporate Assets

Most organizations generate and collect three types of sensitive information, each with a different value to the enterprise and different vulnerabilities.

Regulated information is the type of data most often thought of when the subject of information protection is raised. This includes personally identifiable information (PII) of individuals, such as social security numbers, bank and credit card numbers and medical records. A great deal of public outrage, lawsuits, fines and loss of brand trust can accompany the compromising of this information.

Confidential information may involve marketing plans, financial projections, sales reports and M&A discussions. Breaches of this information can range from public embarrassment to catastrophe (such as when news of an acquisition is leaked).

Intellectual property (IP) is arguably the most critical type of information. Allowing “trade secrets,” like blueprints for a new product design or proprietary software code, to fall into the wrong hands could spell disaster for a company in terms of market share and shareholder value. Despite the corporate consequences and the fact that, according to the FBI, $600 billion worth of intellectual property is stolen every year in the U.S., companies tend to focus on regulated data while doing comparatively little to secure the IP that is critical to their business.

A Holistic Approach

For years, handling information security on a system-by-system basis worked fine. This changed, however, with the advent of mass networking and collaboration. Today, with information created anywhere and flowing virtually everywhere, such an approach no longer works. With the perfect storm of information that now exists in many forms, the complexity of most environments, and such trends as rapid data growth, mobile device use, cloud computing and highly distributed workforces, it’s no wonder the subject of information protection can keep CIOs awake at night.

To create a holistic and pragmatic program, the entire lifecycle of information must be taken into account: create, process, store, transmit and destroy. This recognizes that information may pass through multiple systems, processes and storage media over its lifetime and, as such, be subject to different risks. We recommend the following four-step approach:

1. Creating an information protection strategy. This should include provisions for both enabling business opportunities and mitigating risks. Two actions are key to developing a sound strategy. The first involves understanding the business and its specific needs for information protection. Each organization has unique requirements, including regulatory, financial or reputational. As such, the business value and risk of different types of sensitive information can often differ greatly from company to company. The second action concerns defining a set of objectives to deliver quick wins and address long-term goals. This begins with agreeing on achievable outcomes that will demonstrate clear progress and ROI. Most programs can be created around a particular business requirement while laying the foundation for broader use.

2. Locating and classifying the information that means the most. Any strategy is destined to fail unless an organization knows what it should protect and where that information lives. By locating and classifying the information that matters most, a company can ensure that its subsequent efforts will be directed to the information with the greatest value – and the greatest negative impact if it were to be compromised. Often, the sheer amount of data flowing through an organization will prevent it from effectively dealing with every type of sensitive information. This is why the company needs to define and classify different categories of information and limit scope to make its efforts more manageable. An impact analysis should be performed to identify the information with the greatest impact on strategic, tactical and operational objectives. As previously discussed, regulated information often gets the most attention (and the resources designed to protect it), even though intellectual property is often the most critical. According to Accenture research, on average less than 10 percent of all enterprise information is classified in the most sensitive category.

3. Weaving information protection into the fabric of the organization. Our research found that nearly half of the companies that experience data breaches can point to employee error or negligence as the cause. Companies need to ensure that employees understand the importance of protecting information and have the tools needed to monitor progress over time. This involves clearly defining information roles and responsibilities and updating them on an ongoing basis; determining and communicating policies for sensitive types of information and establishing, monitoring and measuring the processes that enforce them; putting into effect a formalized training and awareness effort throughout the organization; and establishing information protection metrics and reporting that provide an up-to-the-minute snapshot of progress and status of potential problem areas.

4. Developing the necessary capabilities to protect information assets. Organizations need to determine the technologies and processes that best support their information protection objectives. This means asking the following questions: Is the enterprise maximizing the business enablement of its information? Is it managing the risks appropriately? If not, what changes need to be made? Developing information protection capabilities should be a collaborative effort between IT and business organizations to integrate information protection concepts into long-term planning. A road map should be created that aligns short- and long-term information protection goals with the company’s overall IT plans. Likewise, a company should not develop information protection capabilities in a vacuum. Some organizations have found that benchmarking their information protection capabilities against their industry peers can help them better understand their current and target maturity and clearly articulate this to stakeholders.

The pieces are in place, as information protection tools, practices and strategies have evolved over time, offering the potential to help companies manage the protection of their information and maximize its benefits. Those companies that adopt sophisticated approaches to information protection in a holistic manner will be well positioned to realize the power of their digital assets, while at the same time avoiding those events that could damage brand, compromise customer trust and erode shareholder value.

Dr. Alastair MacWillson is the global managing director of Accenture’s global security practice. Prior to joining Accenture in 2002, Dr. MacWillson was the global leader of the technology consulting practice at PricewaterhouseCoopers. Dr. MacWillson has acted as an adviser to a number of governments on technology strategy, critical infrastructure protection, cyber security and counter-terrorism, and has sat on related committees for the US and UK governments, the European Commission and the United Nations. Dr. MacWillson has a B.Sc. in Physics, postgraduate diplomas in Computer Science and Digital Imaging, a Ph.D. in Theoretical Physics, and a D.Phil. in Cryptographic Integrity.