The critical confluence of information governance and security breaches

Protecting information assets may well be the most demanding challenge of our time. Even a cursory look at some of the many security breach victims identified in the past few months confirms that fact, as does acknowledgement of the burgeoning types of data loss:

♦ Data leaks—Data leaks occur when information is not properly protected or protected at all. Common examples include the dumping of data to servers that lack security features, which is also applicable to the source system. Recent data leaks include GOP voter information about nearly 200 million Americans and the similar exposure of account details of approximately 14 million Verizon customers.

♦ Hacking—Hacking entails intruders circumventing an organization’s cybersecurity measures to access information assets. Perhaps the most insidious form of data loss, hacking is predicated on identifying points of weakness in security models. Examples include the Equifax security breach compromising the data of nearly 150 million Americans and the U.S. Securities and Exchange Commission’s recent admission of a 2016 security breach.

♦ Exfiltration—Exfiltration entails the unsanctioned replication or transfer of information from a server. Often exfiltration implies disloyalty because it is an “inside job.” The significance of that type of data loss is suggested in the recent Paradise Papers, which exposed millions of records of offshore accounting activities in the public and private sector; the Panama Papers, another massive leak of documents exposing the offshore holdings of current and former world leaders; and Edward Snowden’s revelations.

According to Todd Wright, global product marketing, data management, at SAS, “Organizations must not forget that the GDPR (General Data Protection Regulation) is also very concerned with rogue or careless employees and the security breaches that come from them.”

Although the preceding list is by no means exhaustive, it hints at the varieties and indiscriminate nature of data breaches. More importantly, it indicates that security compromises are increasing in frequency, severity and regulatory repercussions. Many of the aforementioned breaches involved personally identifiable information about private citizens. New compliance mandates such as the GDPR penalize organizations a percentage of their earnings, which could result in hundreds of thousands or millions of dollars. An executive order was signed last spring to underpin the “cybersecurity of federal networks and critical infrastructure.” Meanwhile, new forms of attacks, which reportedly target CPUs rendering the majority of computers vulnerable, are constantly emerging.

The pandemic of data breaches highlights the connection between information governance and security. According to Danny Sandwell, erwin product marketing manager, governance creates the “policy, procedure and proper usage” of information upon which security measures are based. It devises the means of restricting access to information assets internally and externally for insiders and intruders. And, when implemented properly, it fortifies security where the data are stored.

Stan Christiaens, Collibra CTO, says, “It’s pretty foundational that you know where your data’s at, who owns it, what it means and what risks are classified to it as a foundation of being able to do good security.”