News about cyberattacks against companies seems to be everywhere. Details about who was behind them, who was affected and what information was breached are commonplace in daily headlines today. And while most companies understand the need to better protect and secure their valuable electronic information, many are struggling to determine the best place to start.
In the first of a three-part series, I’m going to talk about where to begin, particularly for those companies that already have a Records Management program in place. In the second post, I’ll discuss why companies shouldn’t ignore the redundant, obsolete and trivial information (ROT), and finally, I’ll discuss how companies should handle the middle layer of information – those items that are not Records, but still provide business value and require management.
Where to Begin?
Can you think of examples of a company’s high-value electronic information that is sought after by cyber-thieves, but is not also the same information referenced in their Records Management program? Statistically speaking, there are very few instances of high-value information that isn’t also classified as a Record (in terms of its legal and regulatory retention requirements). That being said, most companies have at least a basic Records Management program in place, and therefore a Records Retention Schedule, which means those companies are already aware of what type of information they need to focus on securing.
To further build on this concept, let’s take a look at some excerpts from a hypothetical Records Retention Schedule, which could be found across any number of organizations:
These sample excerpts demonstrate some of the basic information that is commonly found on a Records Retention Schedule. In the Clinical Studies example, the original driver for the retention requirements was to provide validation of the clinical trial at a later date. However, the record also contains the PII of patients, namely children, which is clearly valuable information that presents great risks if not secured properly. Same goes for the sample containing I-9 information for employees – the government wants companies to retain this information so that they can audit companies and ensure that hired employees have the necessary citizenship status; however, information like this is a treasure trove for cyber-thieves.
Referring to the Trade Secrets example, it’s up to a company to determine how long they want to keep trade secrets, as there is no provision under federal law to register trade secrets. However, many companies justify maintaining these records for a longer period of time to ensure that they have necessary proof that they are the originators of an idea (should that idea be stolen and copied). This is a prime example of the type of information that a cyber-thief would want to steal, especially in highly competitive markets, such as pharma, biotech and high-tech. It is worth noting that all companies have trade secrets and the only way to receive protection by the courts is to properly protect them, and provide records containing proof that you protected them.
I’m sure everyone is aware of the recent Anthem security breach where the PII of children was stolen. It’s reasonable to assume that this information was (or should have been) identified on Anthem’s Records Retention Schedule, but the ultimate question is how this information was secured. Along these same lines, if you think about any of the recent front-page information security breaches, all of this information should have been identified on the company’s Records Retention Schedule. The main takeaway – if it’s on your Records Retention Schedule, it’s a great place for your Information Security group to begin when prioritizing security projects.
How Technology Can Help
There are technologies that provide invaluable insight into your information and can determine if it contains SSNs, credit card numbers, dates of birth and other key pieces of information that are especially desirable to cyber-thieves. These technologies can help you zero in on the exact locations of files that contain sensitive information, which is a great place to start when you begin planning your security efforts. I highly recommend that companies seek out a technology partner to perform this type of assessment on a subset of their unstructured information.
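As an added illustration of the kind of assessment described above (this is not the post's code, nor any vendor's tool), the Python below scans a set of constructed sample files for SSN, payment card and date-of-birth patterns and reports which files contain which, applying a Luhn check so that arbitrary 16-digit strings are not reported as card numbers. The file names and contents are made up for the example.

```python
import re
from typing import Dict, List

# Constructed sample "files" (path -> contents); none of this is real data.
SAMPLE_FILES = {
    "hr/i9_batch.txt": "Employee: J. Doe  SSN: 123-45-6789  DOB: 1985-07-04",
    "finance/refunds.csv": "order,card\n1001,4111 1111 1111 1111\n1002,1234 5678 9012 3456",
    "research/protocol.txt": "Clinical study site list, no identifiers here.",
}

# SSN: AAA-GG-SSSS, excluding area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card: 13-16 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# Date of birth in ISO form YYYY-MM-DD (1900-2099).
DOB_RE = re.compile(r"\b(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> List[str]:
    """Return the kinds of sensitive data found in one file's text."""
    kinds = []
    if SSN_RE.search(text):
        kinds.append("ssn")
    # Only count a card hit if at least one candidate passes Luhn.
    if any(luhn_ok(re.sub(r"\D", "", m.group(0))) for m in CARD_RE.finditer(text)):
        kinds.append("card")
    if DOB_RE.search(text):
        kinds.append("dob")
    return kinds


def scan_files(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each file path to the sensitive-data kinds it contains (files with none omitted)."""
    report = {}
    for path, text in files.items():
        kinds = scan_text(text)
        if kinds:
            report[path] = kinds
    return report


if __name__ == "__main__":
    for path, kinds in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(kinds)}")
```

In practice the same pass would walk a file share or document repository and feed each file's text into scan_text, giving the Information Security group a prioritized list of locations to secure.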
Summary: Use What You Already Know
Companies debating the costs and benefits of developing and implementing a mature Records Management program should realize that in addition to legal and regulatory requirements, there is the added benefit of having a clear set of priority information for your Information Security group to focus on. And those who already have a mature, or at least a developing, Records Management program in place are already ahead of their competitors in identifying information that needs the highest level of security applied. With cyberattacks posing a very serious threat in the world we live in today, can you afford not to have this conversation with your Information Security team?