Information Security - Project Consult

AIIM FOCUS ARTICLE Delivering the priorities and opinions of AIIM’s 193,000 community

Information Security: Staying Vigilant


Introduction

In the wake of several high-profile security breaches over the past few years, information security has rocketed to the top of enterprise to-do lists. Risk and liability drive efforts to ramp up protection in an attempt to avoid consequences from a security breach. These consequences include lost revenue, critical files ending up in the wrong hands, and intangibles like damage to brand, lost customer trust, or lowered reputation. Companies across the globe are beginning to realize the importance of securing their information and ensuring that data assets are managed and shared in an efficient, sensible, and secure manner. In this follow-up article to our two-part series on information security, we explore proactive measures organizations have taken, and should be taking, in efforts to shield critical information from security breaches.

Information Insecurity

As learned in Part 1 – Information Security Checking the Locks, one-third of respondents polled in a recent AIIM survey, titled “Information Security,” find their organization’s information security methods to be insufficient to deal with modern information security threats. A sense of information insecurity is present in a number of workplaces, and users are unsure of what course of action to take to abate the countdown to a data disaster, because it is not a question of if, but when, a security breach will strike in your organization. In addition, many companies still focus their security strategies on keeping outsiders from getting into the network. Yet a large percentage of serious security breaches come from within, by means of staff negligence, uninformed employees, and lack of consistent adherence to security policies. A number of organizations have not yet sufficiently locked down their information, and so the question remains: how can we guard against a security breach?

Figure 1. What proactive steps has your organization taken to mitigate potential information security breaches? [1] (Bar chart, axis from 0% to 70%.) Response options:

- Created a formal, documented security policy
- Trained staff on information management security policies
- Changed security and access rights to sensitive information
- Procured technology such as an enterprise information management system
- Limited personal device access to corporate information
- No formal steps have been taken
- I don’t know

© AIIM 2016 www.aiim.org / © M-Files 2016 www.m-files.com


Proactive Protection

What is required to combat modern threats to information security is an approach that is both thoughtful and proactive. In AIIM’s view, information security is a process, and works through the holistic application of technology, policy, and culture. Some organizations have proven exemplary in aligning their information security to these principles and addressing vulnerabilities to a potential information security breach. Let’s look at what organizations are doing on the ground to directly address shortcomings in their security network, as well as reinforce efforts to protect important information assets.

Technology

In the aforementioned survey, respondents were asked to comment on the proactive steps their organizations have taken to mitigate potential information security breaches. Fifty-nine percent of responding organizations have implemented new security solutions, systems, or protocols this year. Also, 47% of respondents cited having acquired in the past year a tech-based solution to fend off potentially costly security breaches (Figure 1). Adoption of new information security technology is on the rise, and has proven to be an effective countermeasure to information security threats. This includes popular and emerging technologies such as adaptive access control, endpoint detection solutions, real-time reputation services, hardware authentication, and tokens, as well as supporting technology, such as cloud services, data loss prevention technologies, and enterprise content management (ECM) solutions.

Technology provides the front line of an external security defense, and can also be positioned to monitor internal security. Internal controls are implemented through access right systems and audit trails to ensure security regulations are properly followed. The takeaway, however, is to ensure that technology acquisitions are aligned with your organization’s unique technological needs. Tech-based solutions are often most effective when designed for specific use.

Policy

Policy is the foundation of every information security deployment. Findings from the AIIM survey reveal 62% of organizations have created formal information security policies, and have trained staff in their use. Security policies guide the operation of critical technology to maintain proper function, maintenance, and consistency, as well as unify corporate security priorities, provide guidelines, and elevate security awareness throughout the company culture. Overall, policy formally states management goals for secure information management and sets the groundwork to protect the enterprise from security threats.

Policies are used to establish a variety of security controls such as establishing user permissions and limiting personal device use. Notably, 59% have changed security and access rights to sensitive information, and 45% have mandated limited personal device access to corporate information. [1] The ability for staff to access data concurrently, or remotely—perhaps on shared file shares or a cloud solution—as well as conveniently on their preferred devices, offers great flexibility to the enterprise; however, this flexibility brings greater vulnerability to security breaches and increases the risk of disclosing information to unauthorized users. Accordingly, policies provide a framework to regulate access to corporate information.


Keep in mind that security policies must be drafted, executed, and supported for extended use. Policies must be embraced by the entire organization, from end users to upper management, to maintain continuity and compliance. In addition, policies should be evergreen documents—as it’s important that security documents reflect actual practice. Perennial revision, maintenance, and upkeep are essential to maintain relevancy and adherence, and keep pace with rapidly changing information security threats.

Culture

The final element of a well-rounded information security defense is culture, and by extension people. Understanding and leveraging the corporate culture is useful in building awareness of established security guidelines and policies. Security-aware employees aligned to and trained in organizational security priorities help maintain proper function of information security technology, policy, and process. In addition, policies often work hand in hand with culture, as it is corporate culture and employees that maintain and carry out their strictures. Departments and staff should share a universal mentality, style, and routine when managing enterprise information, and consistently act in accordance with agreed-upon policies. Staff should be trained in proper use of security technologies, as well as regulations, and be audited regularly to ensure compliance.


Conclusion

While it is impossible to eliminate the risk of a security breach entirely, a coalition of the three principles - technology, policy, and culture - is the best course of action to protect against this dynamic threat. Keep these best practices in mind when implementing information security processes to prevent security breaches:

- Assess your organization’s unique technology requirements before acquiring new information security solutions.
- Establish a continuous review cycle of security policies.
- Identify how your company can best cultivate a culture of security awareness.
- Have executive consensus and sponsorship when executing information security policy in your organization.
- Provide equal attention to both external and internal threats.

References

1. AIIM Survey – Information Security Survey, www.aiim.org/research

About the author

Thomas LaMonte is an AIIM Market Intelligence Researcher well versed and credentialed in the fields of ECM, ERM, and BPM with a heightened focus on solving the operational problems of today’s businesses.

Thomas LaMonte, Market Intelligence Researcher, AIIM

© 2016 AIIM, 1100 Wayne Avenue, Suite 1100, Silver Spring, MD 20910, +1 301 587-8202, www.aiim.org

© 2016 M-Files, 5050 Quorum Drive, Suite 600, Dallas, Texas 75254, +1 972 516-4210, www.m-files.com


About M-Files

M-Files enterprise information management solutions (EIM) improve and simplify how businesses manage documents and other information in order to become more productive, more efficient and stay compliant. M-Files eliminates information silos and provides quick and easy access to the right content from any core business system and device. M-Files achieves higher levels of user adoption resulting in faster ROI with a uniquely intuitive approach based on managing information by “what” it is versus “where” it’s stored. With flexible on-premise, cloud and hybrid deployment options, M-Files reduces demands on IT by enabling those closest to the business need to access and control content based on their requirements. Thousands of organizations in over 100 countries use M-Files as a single platform for managing their critical business information, including companies such as SAS, Elekta and NBC Universal.

M-Files, 5050 Quorum Drive, Suite 600, Dallas, Texas 75254, 972-516-4210, www.m-files.com

AIIM (www.aiim.org) is a global, non-profit organization that provides independent research, education and certification programs to information professionals. AIIM represents the entire information management community: practitioners, technology suppliers, integrators and consultants. AIIM runs a series of training programs, and provides industry certification, including the Certified Information Professional. http://www.aiim.org/Training

AIIM, 1100 Wayne Avenue, Suite 1100, Silver Spring, MD 20910, +1 301.587.8202, www.aiim.org

AIIM Europe Office 1, Broomhall Business Centre, Worcester, WR5 2NT, UK +44 (0)1905 727600 www.aiim.eu
