Moving Information Governance to the Driver’s Seat to Accelerate Cyber Breach Response
- Cyber Breach
- 3 Mins
Information Governance often takes a back seat to other organizational initiatives. But why is this the case? The list of reasons is long and varied. Not knowing where to start or how to build strategic approaches to governing information are top contenders. It is important to understand how nuanced this concept truly is and how it is has shifted in recent years. Also consider what other initiatives may intertwine.
Harmonising information governance and cybersecurity is a great place to start that will have an immensely positive downstream effect. This can minimise business disruption and regulatory risk while also improving ROI. Information governance is often viewed as discretionary spend, so combining with cyber efforts will increase ROI and outweigh any unplanned emergency costs resulting from a breach.
Modern Day Information Governance
Information governance encompasses the policies, processes, and controls that enable organizations to manage their information assets effectively. Many layers are involved as these initiatives need to address legal, regulatory, and compliance requirements while aligning information with business objectives. Take a look at the IGRM model that was revised last year to encompass all the components that feed into a robust and effective information governance program.
This model illustrates modernised information governance. Priorities has shifted due to new tools for managing data, expanded use of AI for business processes, and ever-evolving legal and regulatory landscapes. Upon releasing this, the EDRM proclaimed: “Sound information governance is increasingly important in this information age, characterised by the proliferation of data, and the need for businesses to get the most value out of their data, while also complying with regulatory requirements, meeting litigation discovery demands, and protecting against security risks.” It is no surprise that security was emphasised, as clear information governance is critically important to limit the consequences that could result from a substantial data breach.
Cyber incidents happen daily. They threaten an organisation’s data management and retention capabilities, business operations, and client relationships. Significant liability can ensue after an attack, which has placed proactive breach planning as a top initiative for many. In IBM’s 2023 Cost of a Data Breach report, 51 percent of organizations said they plan to increase cybersecurity spending because of an internal breach. To bolster these efforts, information governance and cybersecurity need to intertwine.
Cloud-based information governance is trending in response to data privacy obligations, the need for tighter security, and ever-increasing amount of digital data. Being able to reduce breach risk by considering cybersecurity during cloud migration is an added benefit. Cyber insurance carriers are also imposing a higher level of scrutiny before writing a policy, so this is a way for organisations to illustrate strong security protocols.
As companies continue to move to the cloud and attempt to reduce spend on information technology, it is becoming more important to be creative in where investments are made across people, process and technology. Information governance is an area of opportunity to invest in to reduce the risk associated with cyber events.
Spend must also be thought of multidimensionally and holistically. Organisations must look beyond the cost to deploy and procure a solution. Increasing spend upfront in implementation and functionality can lead to reduced spend longer term by avoiding cyber events and minimising the impact and cost of those that do occur. Think about costs associated with ransomware events, cyber counsel, business disruption to brand value, and the inability to do business for a period of time. The corollary of reducing spend also increases ROI, as tools bought for IT and privacy purposes may be applicable to security.
An outside consultant can help mitigate the risk of cyber incidents by reducing the volume of data stored in a legally defensible manner. With stronger retention, organisation, and encryption policies, there is less data available to intercept or access in the event of a breach. This greatly accelerates response efforts as there is less to sort through. This also offers deeper knowledge of where sensitive information resides and if it can actually be accessed by those outside of the organisation.
Sometimes organisations already own technology that can help, but they are not taking advantage of the full potential. For example, in the Microsoft 365 environment there are several options available to better leverage an organization’s investment in this technology.
Some areas to explore related to information governance include:
- Data Classification: Consider implementing sensitivity labels, sensitive information types, and trainable classifiers to foster cybersecurity readiness.
- Data Lifecycle Management: Leverage M365 retention policies and labels to place the organisation in a better position to defensibly delete data and reduce risks associated with over retention.
- Records Management: There are file plan capabilities and label policies that allow organisations to build a comprehensive solution to manage business-critical data in compliance with regulations, laws, and unique records retention policies.
- Communication Compliance: Many organizations are faced with industry and government regulations requiring them to monitor and review a defined percentage of communications. This is to comply with industry regulations, reduce other areas of risk, and increase security. Leverage expertise in emerging technology such as Microsoft 365 to address these requirements and augment processes with staffing to manage overall workflow.
- Insider Risk Management: The single largest risk for data theft and leakage comes from internal staff, disgruntled workers, and employees looking to leverage corporate information at their next job. Most organisations are still taking a reactive and forensic approach to investigate insider risk. Predictive solutions become very cumbersome and expensive due to the volume of data that needs to be analysed to identify risk. There are solutions that allow companies to identify triggers, trends, and events that often lead to data theft – or at the very least minimise or mitigate the loss when the theft occurs.
- Information Protection and Data Loss Prevention: Many organisations are faced with industry and government regulations requiring them to monitor and prevent dissemination of data outside of the organisation. This includes HIPAA, Export Control, PCI, PII, and more. Managing and monitoring such data is of critical importance. Additionally, many organisations had to rush to cloud services during the onset of the pandemic to provide employees remote work access. Due to the expedited nature of migration, most concentrated initial efforts on providing connectivity and securing authentication. Now these organisations are refocusing their efforts on protecting data. Microsoft and other tools offer solutions that allow organisations to identify sensitive data, monitor it, and apply protective controls.
All of this can feed into cyber initiatives by allowing organisations to leverage the value in their data while effectively managing security and compliance. Now is the time to move information governance out of the back seat and make it a key driver for cyber initiatives.
The contents of this article are intended to convey general information only and not to provide legal advice or opinions.