Data security: not just an IT issue
What comes to mind when you hear the term ‘data security’? For a lot of people, it conjures images of malevolent hackers: high-tech criminals stealing sensitive information for profit. And there’s some truth to that.
In February, the Office of the Australian Information Commissioner released the Notifiable Data Breaches Report: July-December 2021. Of the 464 notifiable incidents that occurred over the six-month period, 55% were the result of malicious or criminal attacks.
Some industries are more at risk than others: healthcare, finance, legal, accounting and management services, personal services, education, and insurance remain attractive targets.
But hacking isn’t the major threat – it only accounted for around 3% of reported data breaches. Ransomware and phishing were more prevalent, responsible for 8.5% and 12% respectively. Nearly a quarter of data thefts were achieved using compromised credentials obtained through phishing, brute force attacks or other methods.
And the threats aren’t just coming from outside organisations. In fact, 41% of data breaches were directly caused by human error, including:
- Personal information sent to the wrong recipient – email (17.5% of total breaches)
- Unauthorised disclosure – unintended release or publication (8.5%)
- Loss of paperwork/data storage device (3%)
- Unauthorised disclosure – failure to redact (3%)
It could be tempting to dismiss data security as an IT issue, but it’s not the systems that are the weak point – it’s the people. The numbers show it’s staff that put our data at risk, whether it’s by inadvertently installing ransomware, being duped by phishing scams, or through simple errors in the course of their work.
Wherever there’s humans, there’s human error: corporate policies and procedures can never completely safeguard against it. So, as information professionals, it’s wise to plan for breaches in terms of ‘when’ rather than ‘if’.
An information asset register is crucial to identifying and managing data security risks and can inform the security response.
To protect what you have, you need to know what you have
At its core, an information asset register is an inventory that details what information and data is being held, where it’s stored, and who the owners and users are.
High-value or high-risk information can be identified, helping the organisation to meet its data protection obligations.
Not all information is created equal
Different types of information carry different types of business risk. By identifying the specific risks associated with specific information assets, the organisation can prioritise its security efforts and resource them accordingly.
This can be recorded in an information asset register, where it can be referred to quickly and easily, e.g.:
- Intellectual property – competitive risk, financial risk
- Personal and sensitive information – compliance risk, reputational risk
- Vital records – operational risk
Know and meet your obligations
Information assets can also be mapped to governing legislation, regulations and codes, making it easier to know and meet data protection obligations.
And maintaining an information asset register isn’t just useful – it’s mandatory in many jurisdictions, including Australia, New Zealand, South Africa, the United Kingdom and Europe.
Even when it’s not a requirement, it’s good business practice for any organisation that holds personally identifiable information, privacy protected information, or intellectual property.
The best defence is a good offence
Cybercrime is on the rise, so ask yourself: does my organisation have appropriate controls in place?
It’s time to review and reassess your information asset register to ensure it’s adequately designed and maintained.
Don’t have an information asset register, or is your existing one falling short? Synercon can help.