Information Security - Project Consult

AIIM FOCUS ARTICLE Delivering the priorities and opinions of AIIM’s 193,000 community

Information Security: Checking the Locks


Introduction

The current direction of the enterprise is digital transformation. Digitalization promotes an efficient information lifecycle that facilitates access to critical information—wherever and whenever it is needed—in a way that wouldn’t be possible with physical mediums. However, proactive measures need to be taken to mitigate the risk of information security breaches even for organizations who have “gone digital.” A security breach is a potential threat for all organizations regardless of size or industry. It is critical to assess your organization’s risk for a cyber-attack or a security breach, as well as its ability to protect and defend sensitive information. How prepared is your organization to deal with an information security breach?

Rising Risk

Strikingly, a number of organizations are unprepared to deal with threats to information security. Weak points in security infrastructure, such as improperly managed data, ECM systems ungoverned by a standard or policy, and employee use of unsanctioned personal applications and devices, expose vulnerabilities to security threats. What is important to note is that these threats do not always take shape as newsworthy cyber-attacks affecting the masses. Most often, security breaches aren’t attacks at all, and are as straightforward as forgetting a company laptop at a coffee shop, or inadvertently emailing client information to the wrong recipient. Regardless, data breaches can be a disaster. The fallout of a data breach extends beyond the quantifiable losses to the bottom line: it can expose organizations to potential litigation and tarnish the reputation of their brand.

The State of Information Security at Companies Today

In a recent AIIM survey titled “Information Security,” respondents were asked to comment on the number of security breaches experienced by their organizations over the past year. Notably, 38% experienced at least one breach of some type, and a staggering 24% experienced 2 or more breaches in a year’s time (Figure 1). These results are telling since the aftershocks stemming from information security breaches can linger for a long time. Regulatory agencies may come knocking if your organization is found culpable for a security breach, and in turn, your organization may be liable for costly legal forfeitures and fines. In addition, a security breach could have a negative impact on customer trust and brand reputation, and by extension cause a drop-off in sales.

© AIIM 2016 www.aiim.org / © M-Files 2016 www.m-files.com


Figure 1. In your opinion, how many times has your organization experienced an information security breach over the past 12 months? [1]

I don't know, 17%
0 breaches, 45%
1 or more breaches, 38%

Disconcertingly, it is commonly difficult to have a well-informed view about the overall state of information security throughout a company. This is because information security in the enterprise encompasses many moving parts, from unsupervised local file shares and ad hoc file sharing, to incongruent governance policies across departments and unauthorized cloud services and apps. We also must account for the broader definition of security breach that includes lost or stolen devices, unintentional information sharing, and other everyday security lapses. For these reasons, the percentage of organizations that experienced a security breach is most likely higher.

Vulnerabilities

When asked whether their organizations do an adequate job of protecting confidential and sensitive information, nearly one-third of respondents (31%) feel their companies’ data protection is insufficient. [1]

To better understand the nature of data loss, respondents were asked to provide more detail on what types of information security breaches occurred. According to the findings, 47% of respondents said their organizations suffered unauthorized disclosure of confidential information of some sort. A portion of these respondents’ organizations experienced access to systems or data by unauthorized staff (37%), and 17% endured willful fraud or theft of information. Here, it is vital to note the trend: more often, data breaches occurred not as overt hacks, but were caused by internal sources (Figure 2).


Figure 2. What type(s) of information security breaches occurred? [1]

Categories charted (horizontal axis: percentage of respondents, 0% to 50%): Unauthorized disclosure of confidential information; Unauthorized access to systems or data by unauthorized staff; Unauthorized access to systems or data by outsiders; Fraud or theft of information; Loss of intellectual property; I don't know.

Challenges

The growing frequency of data breaches and their ripple effect are driving vigilance regarding data security across the enterprise. A majority of respondents (59%) have recently seen their organizations implement security solutions, systems, or protocols in the past year. Worryingly, 26% have seen no new information security deployments in the past 12 months. A similar contrast is also seen regarding formally documented information security policies, which are only present in 64% of respondents’ companies, meaning 36% have no formalized security documentation. [1] Clearly, many organizations have not invested in solutions and internal policies to better protect themselves against internal and external security threats.


Conclusion

Information security risks must be managed to limit monetary losses, disruption of operations, legal forfeitures, and damages to reputation. While cyber-attacks and hacking are well understood, significant effort must be directed towards protecting against internal threats to information security. The key to ensuring information security begins with diagnosis. Ask yourself the following questions about your organization:

• How does security in your organization measure up to best practices in information security?
• Where are the zones (departments, software, devices) of highest risk for security breaches in your company?
• Do employees receive adequate training about their role in maintaining information security and its importance in mitigating risk and threats to the company?
• What holds security improvement projects back in your organization?

Watch this space for our follow-up installment titled “Information Security: Guard against Disaster,” and learn proactive measures you can take to protect your organization against a security breach.

References

[1] AIIM Survey – Information Security Survey, www.aiim.org/research

About the author

Thomas LaMonte is an AIIM Market Intelligence Researcher well versed and credentialed in the fields of ECM, ERM, and BPM with a heightened focus on solving the operational problems of today’s businesses.

Thomas LaMonte, Market Intelligence Researcher, AIIM

© 2016 AIIM, 1100 Wayne Avenue, Suite 1100, Silver Spring, MD 20910, +1 301 587-8202, www.aiim.org

© 2016 M-Files, 5050 Quorum Drive, Suite 600, Dallas, Texas 75254, +1 972 516-4210, www.m-files.com


About M-Files

M-Files enterprise information management solutions (EIM) improve and simplify how businesses manage documents and other information in order to become more productive, more efficient and stay compliant. M-Files eliminates information silos and provides quick and easy access to the right content from any core business system and device. M-Files achieves higher levels of user adoption resulting in faster ROI with a uniquely intuitive approach based on managing information by “what” it is versus “where” it’s stored. With flexible on-premise, cloud and hybrid deployment options, M-Files reduces demands on IT by enabling those closest to the business need to access and control content based on their requirements. Thousands of organizations in over 100 countries use M-Files as a single platform for managing their critical business information, including companies such as SAS, Elekta and NBC Universal.

M-Files, 5050 Quorum Drive, Suite 600, Dallas, Texas 75254, 972-516-4210, www.m-files.com

AIIM (www.aiim.org) is a global, non-profit organization that provides independent research, education and certification programs to information professionals. AIIM represents the entire information management community: practitioners, technology suppliers, integrators and consultants. AIIM runs a series of training programs, and provides industry certification, including the Certified Information Professional. http://www.aiim.org/Training

AIIM, 1100 Wayne Avenue, Suite 1100, Silver Spring, MD 20910, +1 301.587.8202, www.aiim.org

AIIM Europe Office 1, Broomhall Business Centre, Worcester, WR5 2NT, UK +44 (0)1905 727600 www.aiim.eu
