A new study highlights a growing problem for businesses: With all the focus on protecting data, companies fall short when it comes to actually using the information they have on hand.
The findings show that companies have a fundamental problem striking a balance between protecting sensitive information and still using it to their advantage.
As Christian Toon, head of information risk for Iron Mountain, states in the report:
[The majority of organizations] are better prepared to respond to data breaches or legal action and less prepared to use their information to drive competitive advantage and growth.
The report finds that on a scale measuring information risk, the average company ranks only 58.8 out of 100.
The scale’s weighting is proprietary, so it’s difficult to be sure exactly how accurate it is. But it accounts for how companies manage risk as it relates to people, communication, security and strategy. It also weighs more favorably when companies have a means of evaluating their effectiveness in these areas rather than just checking a box.
According to the survey’s findings on North American enterprises:
- 90% have a formal, monitored business recovery plan
- 77% have an information risk strategy in place and monitor its effectiveness
- 73% have employee guidance on safe disposal and storage of electronic documents and monitor the results, and
- 71% of mid-market companies include information risk and awareness in their onboarding process.
These are all good measures to have in place, but there is still room for improvement.
And as the old saying goes, you can’t improve what you can’t measure.
It’s important to build a baseline on several fronts to be sure that your data protection plan is working.
Some areas to consider include:
- Testing users. By giving users and IT employees quizzes on policies, you can see whether training has actually sunk in. Repeating the tests periodically can help highlight which areas are showing improvement and which need further focus.
- Surveys. Rather than just finding out if users know your policies on data transfer, ask which policies they’re most confused about. Anonymous surveys can help guide which areas will need more attention in training or policy reviews.
- Reviewing logs. Checking the logs of your control systems and correlating the data between them can reveal unusual activity involving your data. It’s especially important to use these reviews to establish a baseline for “normal” activity, since you can’t recognize a deviation without one.
- Penetration tests. In addition to testing your users, you’ll also want to test your defenses. An outside party could help with these tests in order to determine whether attacks are able to get through.
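As an added illustration of the log-review point above (this is example code written for this article, not from the report or Iron Mountain), the script below builds a per-user baseline of daily file-transfer volume from a few constructed file-server log lines, flags days that deviate sharply from that baseline, and cross-checks the file activity against a second control system’s log (constructed VPN session records) to find access with no matching session. The log formats, user names, volumes and the z-score threshold are all assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample file-server transfer log (not real data):
# "<ISO timestamp> <user> <action> <bytes>"
FILE_LOG = """\
2024-03-01T09:12:00 alice download 1200000
2024-03-01T10:02:00 alice download 800000
2024-03-02T09:40:00 alice download 1500000
2024-03-03T11:15:00 alice download 900000
2024-03-04T09:05:00 alice download 1100000
2024-03-05T02:30:00 alice download 250000000
2024-03-01T14:00:00 bob download 300000
2024-03-02T15:10:00 bob download 350000
2024-03-03T15:45:00 bob download 320000
2024-03-04T16:00:00 bob download 340000
2024-03-05T15:30:00 bob download 330000
"""

# Constructed sample log from a second control system (VPN concentrator):
# "<ISO timestamp> session_start <user>"
VPN_LOG = """\
2024-03-01T08:55:00 session_start alice
2024-03-02T09:30:00 session_start alice
2024-03-03T11:00:00 session_start alice
2024-03-04T08:50:00 session_start alice
2024-03-01T13:50:00 session_start bob
2024-03-02T15:00:00 session_start bob
2024-03-03T15:30:00 session_start bob
2024-03-04T15:55:00 session_start bob
2024-03-05T15:20:00 session_start bob
"""


def parse_file_log(text):
    """Return (day, user, bytes) tuples from the assumed file-server format."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, user, _action, size = line.split()
            records.append((datetime.fromisoformat(ts).date(), user, int(size)))
    return records


def parse_vpn_log(text):
    """Return the set of (user, day) pairs that had a VPN session."""
    sessions = set()
    for line in text.splitlines():
        if line.strip():
            ts, _event, user = line.split()
            sessions.add((user, datetime.fromisoformat(ts).date()))
    return sessions


def daily_volume(records):
    """Sum bytes per user per day: {user: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, size in records:
        totals[user][day] += size
    return totals


def build_baseline(totals, cutoff):
    """Per-user mean and stdev of daily volume over days strictly before cutoff."""
    baseline = {}
    for user, days in totals.items():
        window = [v for d, v in days.items() if d < cutoff]
        if len(window) >= 2:  # stdev needs at least two observations
            baseline[user] = (statistics.mean(window), statistics.stdev(window))
    return baseline


def find_anomalies(totals, baseline, cutoff, z_threshold=3.0):
    """Flag days on/after cutoff whose volume is far above the user's baseline.

    A user with no baseline (e.g. a new account) is reported with z=None so the
    gap is reviewed rather than silently ignored.
    """
    flagged = []
    for user, days in totals.items():
        for day, volume in sorted(days.items()):
            if day < cutoff:
                continue
            if user not in baseline:
                flagged.append((user, day.isoformat(), volume, None))
                continue
            mean, stdev = baseline[user]
            # A perfectly flat baseline gives stdev 0; a 1-byte floor keeps the
            # z-score finite so growth above the mean is still measurable.
            z = (volume - mean) / max(stdev, 1.0)
            if z > z_threshold:
                flagged.append((user, day.isoformat(), volume, round(z, 1)))
    return flagged


def access_without_vpn(records, sessions):
    """Cross-check between systems: file activity on a day with no VPN session."""
    missing = {(user, day.isoformat()) for day, user, _ in records
               if (user, day) not in sessions}
    return sorted(missing)


def analyze(file_log, vpn_log, cutoff_iso):
    """Run the baseline and the cross-check; cutoff_iso is an ISO date string."""
    cutoff = datetime.fromisoformat(cutoff_iso).date()
    records = parse_file_log(file_log)
    totals = daily_volume(records)
    baseline = build_baseline(totals, cutoff)
    return {
        "baseline": baseline,
        "volume_anomalies": find_anomalies(totals, baseline, cutoff),
        "no_vpn_session": access_without_vpn(records, parse_vpn_log(vpn_log)),
    }


if __name__ == "__main__":
    for key, value in analyze(FILE_LOG, VPN_LOG, "2024-03-05").items():
        print(key, value)
```

The baseline window (days before the cutoff) is deliberately separate from the days being evaluated; if the outlier day were included in the baseline it would inflate the mean and hide itself. The second check needs no statistics at all, which is the point of comparing data between systems: one log on its own cannot show that a transfer happened outside any session.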
As the report observes, however, IT’s role is not just protecting data. Companies should be leveraging this information to their advantage.
Here are some ways IT can aid in that process:
- Stress the can-dos. Rather than focusing solely on banned data transfer policies, emphasize safe transfer policies. By putting it in terms of what users can do with data rather than what they must not do, you’ll not only get more use out of the information, you’ll also likely get more compliance with policy.
- Create inter-departmental groups. Team up with other departments, such as HR, legal or finance, to determine what use you should be getting out of the data you have available. It can also help establish rules and policies to refer back to in tricky situations.
- Classify everything. Make sure the data you collect is classified according to its sensitivity. This helps protect the most valuable information, and it also frees up less sensitive information that might otherwise be treated with kid gloves unnecessarily.