In-House Advice for Tackling Data Security Risks

June 15, 2017
Creating an information governance framework helps protect data in a rapidly evolving business landscape

Organizations are increasingly challenged to support the modern workplace environment – mobile phones, remote employees, cloud collaboration sites, social media, IM platforms and chatrooms – while keeping this data secure and easily retrievable for legal or regulatory needs. In response, counsel has become more involved in driving information governance initiatives and providing guidance on how to address data security challenges in the context of strong legal and compliance standards. They are beginning to consider how to create an information governance framework that protects data while staying adaptive to the rapidly evolving business landscape.

In a recent study into the security practices of Fortune 1000 companies, dozens of information security, risk, legal, IT and compliance executives were asked for their advice on tackling these challenges. Seven key themes emerged among the respondents, providing an insightful glimpse into how today’s most sophisticated in-house teams are navigating anti-fraud, data privacy, regulatory compliance, information governance and other risk management activities. Their recommendations included the following.

1) Start with a Data Assessment: For many, the process of beginning an information governance program can be daunting. Figuring out where to begin, who should be involved, how to secure executive buy-in and how to keep momentum moving in the right direction can be overwhelming, and can inhibit a team’s ability to get the project off the ground. To help answer these questions and focus the project, a third of the study’s respondents recommended starting with a data assessment. Experts pointed out that it is important to recognize that it is impossible to boil the ocean, and therefore teams need to figure out a clear roadmap with incremental steps that will enable prioritization of efforts and progress toward broader goals.

2) Engage Internal and External Experts: Because of the risks involved, data security is now an enterprise-wide endeavor and not just the concern of IT or information security teams. External data breach threats are rapidly evolving, and recent research from Forrester indicates that 35 percent of data breaches are caused (accidentally or intentionally) by internal employees. To help offset this, most study respondents recommended recruiting expert analysis to determine weaknesses and gaps, given that it can be difficult to do that internally. Subject matter experts can ensure programs are up-to-date, and internal leaders can aid in company adoption of best practices.

3) Prioritize Data Remediation: Across the board, respondents expressed frustration at runaway data volumes, with over 90 percent saying they do not know how much data they are managing. Keeping redundant, outdated or trivial (ROT) information can make it harder to find and protect the truly sensitive information under the company’s care. Respondents recommend creating or updating an organizational data map, especially as part of the initial assessment, and using data remediation to regularly cull out unimportant information. Less data means lower storage costs and the ability to focus on protecting sensitive information.

4) Prepare for GDPR: The impending General Data Protection Regulation (GDPR), which goes into effect in May of 2018, is top of mind for respondents with employees, customers or partners within Europe. This law will harmonize European data privacy laws to ensure that data transferred from Europe to the U.S. is appropriately handled and that personally identifiable information (PII) remains secure. Respondents recommended conducting an analysis of the law to understand how it will impact current processes and systems. Some suggested the development of a cross-functional task force that works with outside counsel to evaluate the different options. Obtaining an understanding of and acting in compliance with GDPR from the outset can help avoid costly reactive efforts and reputational risk.

5) Use Migration to Microsoft Office 365 as an Opportunity: According to a recent Gartner survey, 54 percent of organizations will move to Office 365 in the next 1-3 years. The migration from one archive to another provides an opportunity for an organization to take stock of its email and data management practices and potentially update policies and remediate data for greater efficiency and security. Cloud solutions have created new information governance concerns, including expanded individual storage and retention challenges, but they also offer a better ability to search and manage the data, which is an advantage. From legal holds to data retention and security policies, respondents in the process of migrating agreed that it provides an opportunity to make additional process and policy improvements.

6) Right-Size Your Solutions: Some organizations have faced major data breaches, regulatory investigations or large-scale litigation that warrants a complete audit and update of existing processes and technology. Other organizations may not have the same pressures, budget or appetite to make anything other than small changes to key processes. Study respondents repeatedly stressed the importance of fine-tuning any information governance and data security program to the particular needs of the organization. Knowing the company culture helps with figuring out how to make compliance a value-added part of employee activities, which will improve overall adoption and long-term enforcement.

7) Take a Multi-Faceted Approach: Given the complexities of the corporate data environment, there isn’t a silver bullet technology, process or executive that can solve the immense problem of keeping data secure. That said, a broad range of actions is recommended to ensure that an organization’s people, processes and technology are all working in alignment to address various internal and external threats. The adage “hackers only need to get it right once, whereas organizations have to get it right every time” is true, but implementing the right programs can help ensure better security. This includes regular employee training, using outside third parties to test the system, creating a tiered architecture to better secure sensitive information, and developing a data breach response plan.

Any of the practical approaches suggested by the study participants can better position corporations in securing their most sensitive data. Although there is no one-size-fits-all solution to preventing data breaches or ensuring regulatory compliance, these actionable recommendations provide some important steps in the right direction.

About the Author: Jake Frazier is a senior managing director at FTI Consulting, based in Houston. He heads the information governance and compliance practice in the technology segment. Frazier assists legal, records, information technology and information security departments in identifying, developing, evaluating and implementing in-house electronic discovery and information governance processes, programs and solutions. These solutions are designed to produce the largest return on investment while simultaneously reducing risk. Frazier is a founding member of the Electronic Discovery Reference Model and is also a member of the Sedona Conference.