Information management is the key to cybersecurity

Joe Shepley discusses the key role that information management plays in cybersecurity. Organizations may have very robust cybersecurity software and systems, but data theft is something that can be managed only with proper information management processes. Data theft is what happens when a bad actor — either internal or external — enters the network and takes control of a device or devices in order to steal or compromise data (e.g., through encryption). 

An effective information management program helps organizations keep the data they need (i.e., data with legal or operational use) and purge the data they don’t (i.e., data that’s past its legal or operational life). Effective information management reduces the information footprint of an organization, which means less data for bad actors to steal. It also means that an organization’s limited resources can focus on protecting a smaller set of relevant data.

Shepley proposes the following steps to ensure proper data retention:

  1. Data map – Determine what data we have, where data is and who owns it.
  2. Policy infrastructure – Put policies in place to manage information throughout its lifecycle (including data that’s been orphaned or abandoned).
  3. Content assessment – Scan content to determine what is junk, stale and sensitive, as well as whether the security and access for this content is appropriate.
  4. Remediation and clean up – Based on policy and the results of the content assessment, purge junk/stale content and remediate inappropriate security and access.
  5. Monitoring and prevention – Scan the environment on an ongoing basis to identify both non-compliant activity (e.g., mishandled PHI) and growth of stale/junk data, and take action to address it.
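Steps 3 to 5 above (content assessment, remediation and ongoing monitoring) are the ones that can be mechanised. The script below is an added illustration, not code from Shepley's article: it walks a file share, flags files that are past an assumed retention period, files whose contents look sensitive, and sensitive files that are readable by everyone, then maps each finding to a remediation action. The retention period, the two regular expressions and the sample files are all constructed assumptions; a real programme would plug in the organisation's retention schedule and a proper classification engine.

```python
import os
import re
import stat
import tempfile
import time
from pathlib import Path

# Assumed retention policy (hypothetical): anything untouched for 7 years is past its operational life.
STALE_AFTER_DAYS = 7 * 365

# Hypothetical "looks sensitive" detectors; a real programme would use a classification/DLP engine.
SENSITIVE_PATTERNS = {
    "ssn-like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn-like": re.compile(r"\bMRN[:#]?\s*\d{6,}\b", re.IGNORECASE),
}


def recommend(finding: dict) -> list:
    """Step 4 of the post: purge stale content, remediate inappropriate access."""
    actions = []
    if finding["stale"]:
        actions.append("review for purge: past retention period")
    if finding["sensitive"] and finding["world_readable"]:
        actions.append("restrict access: sensitive content readable by everyone")
    return actions


def assess_file(path: Path, now: float, stale_after_days: int = STALE_AFTER_DAYS) -> dict:
    """Step 3 of the post for one file: stale? looks sensitive? is access appropriate?"""
    st = path.stat()
    age_days = (now - st.st_mtime) / 86400
    text = path.read_text(errors="replace")
    sensitive = sorted(label for label, rx in SENSITIVE_PATTERNS.items() if rx.search(text))
    finding = {
        "stale": age_days > stale_after_days,
        "sensitive": sensitive,
        # S_IROTH set means "other" (everyone) may read the file
        "world_readable": bool(st.st_mode & stat.S_IROTH),
    }
    finding["actions"] = recommend(finding)
    return finding


def assess_share(root: Path, now=None) -> dict:
    """Step 5 of the post: scan the whole share; findings keyed by POSIX-style relative path."""
    now = time.time() if now is None else now
    return {
        p.relative_to(root).as_posix(): assess_file(p, now)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def build_sample_share(root: Path) -> None:
    """Constructed sample data (not from any real system): text, age in days, file mode."""
    samples = {
        "hr/old_export.csv": ("name,ssn\nJ. Doe,123-45-6789\n", 10 * 365, 0o644),
        "clinic/intake.txt": ("Patient MRN: 00123456 seen today\n", 30, 0o600),
        "tmp/notes.txt": ("lunch order for the team\n", 9 * 365, 0o644),
        "finance/q1_report.txt": ("revenue up 4% on the quarter\n", 5, 0o600),
    }
    now = time.time()
    for rel, (text, age_days, mode) in samples.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)
        then = now - age_days * 86400
        os.utime(p, (then, then))  # back-date the file to simulate its age
        os.chmod(p, mode)


def run_demo() -> dict:
    """Build the sample share in a temporary directory and assess it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_share(root)
        return assess_share(root)


if __name__ == "__main__":
    for rel, finding in run_demo().items():
        print(rel, finding)
```

Run as-is to see the four constructed files assessed: the old HR export is both stale and sensitive and readable by everyone, so it gets two actions; the recent clinic note is sensitive but properly restricted and gets none; the old lunch note is junk to purge. The point of the design is that "sensitive" and "stale" are assessed separately from "access is appropriate", because each combination leads to a different remediation, exactly as steps 3 and 4 separate assessment from clean-up.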

I am glad to see that all these activities are covered in my records and information class.


Millennials and knowledge sharing

This post examines how the knowledge-sharing practices of millennials can affect the organizations for which they work. The article discusses the importance of collaboration in the workplace, and notes that while older workers prefer face-to-face interactions, for millennials this is anathema. They would rather communicate using online meetings, chat apps or online tools to get things done. A coffee and a face-to-face meeting is too outdated for them. I’m not a millennial, but I have to agree with them on this one, although this might have more to do with my introversion than with my age. This is the danger of generalization, of course.

The author notes further that it is the millennials who want tools to help them work through a problem the fastest. When looked at by age groups, a large number of millennials (71%) said they face challenges with their collaboration tools, compared with Generation Xers (62%) and baby boomers (45%). The always-on generation need [sic] to fix their cravings for information instantly.

The author points to the importance of having collaborative tools that function efficiently, but that have robust features to maintain the integrity and security of information.

How 5 Digital Assistants Use Your Data

This article provides useful and sobering information about how the digital assistants Siri, Cortana, Amazon Alexa, Facebook M, and Google Now use your data. The article highlights the privacy and security features of these digital assistants; for example: by using Siri, Apple adds, you agree to allow Apple and its subsidiaries and agents to transmit, collect, maintain, process, and use your voice input and user data. Amazon Alexa saves your voice recordings, but you can erase them via your personal settings. As we move increasingly in the direction of voice-activated applications such as search, and voice-to-text, we need to consider carefully the new personal metadata footprints and trails that we generate.

Google, Apple, and Yahoo moving away from passwords

This article discusses efforts made by Google, Apple, and Yahoo to move away from password sign-ins. Passwords are often poorly structured and hard to remember; I know that many people use the same password for different sites for the sake of convenience. I could not keep track of my passwords without LastPass. Biometrics is certainly a growing area. I secure my smartphone, tablet, and laptop with my fingerprint. This system is more secure than a password, of course. I find it works well, although I often have to swipe my thumb more than once to unlock the device; if I have any body lotion or moisture on my skin, for example, the device cannot read my fingerprint. There is a backup password for your fingerprint if, say, you injured your finger and are wearing a bandage, plaster, and so forth. Retinal scanning would be more convenient, but we’re not there yet. I know that you can use voice or photo recognition via Windows Hello, but I still prefer to use my fingerprint, as I think it’s less amenable to distortion. I am prone to throat infections, for example, so I don’t think that Windows Hello could manage access when I have laryngitis.


2015 information security breaches survey

The 2015 information security breaches survey was commissioned by the UK government, and conducted by PwC. The executive summary highlights the following points:

  • 90% of large organisations reported that they had suffered a security breach, up from 81% in 2014.
  • The majority of UK businesses surveyed, regardless of size, expect that breaches will continue to increase in the next year. The survey found 59% of respondents expected to see more security incidents. Businesses need to ensure their defences keep pace with the threat.
  • For companies employing over 500 people, the ‘starting point’ for breach costs – which includes elements such as business disruption, lost sales, recovery of assets, and fines & compensation – now commences at £1.46 million, up from £600,000 the previous year. The higher-end of the average range also more than doubles and is recorded as now costing £3.14 million (from £1.15 in 2014).
  • Large and small organisations appear to be subject to greater targeting by outsiders, with malicious software impacting nearly three-quarters of large organisations and three-fifths of small organisations. There was a marked increase in small organisations suffering from malicious software, up 36% over last year’s figures.
  • Staff-related breaches feature notably in this year’s survey. Three-quarters of large organisations suffered a staff-related breach and nearly one-third of small organisations had a similar occurrence (up from 22% the previous year).
  • When questioned about the single worst breach suffered, half of all organisations attributed the cause to inadvertent human error.

Fitness tracker privacy and security

A report on fitness tracker activity has just been published by OpenEffect, a Canadian not-for-profit applied research organization focusing on digital privacy and security, and The Citizen Lab at the Munk School of Global Affairs, University of Toronto. The scope of this report is as follows:

Every Step You Fake explores what information is collected by the companies which develop and sell some of the most popular wearables in North America. Moreover, it explores whether there are differences between the information that is collected by the devices and what companies say they collect, and what they subsequently provide to consumers when compelled to disclose all the personal information that companies hold about residents of Canada.

The report does not contain any conclusions or specific recommendations yet, so this is obviously very preliminary at this point. Some points raised, however, include:

  • Seven of the eight wearables tested revealed unique Bluetooth identifiers that allowed them to be tracked by nearby Bluetooth beacons. Beacons are used more and more in stores and malls to profile shoppers and push tailored offers.
  • While the devices themselves show the wearers’ location, the accompanying apps provide more personal information, e.g., they failed to protect against interception and tampering when they were transmitting data between smartphone, wearable, and the wearable company’s own servers.

I have worn a fitness tracker for some years now, and I tend to not have my Bluetooth device active on my smartphone when I am away from home. I sync my wearable device when I am at home. I’m not sure how much protection this affords me. The default setting on my Bluetooth is to not make the device visible to anyone other than me, but I’m not sure if this is sufficient. I minimize the information I load to my tracker; I don’t include what I’ve eaten, or track my sleep, so at least I do control how much of my personal information is tracked. Still, this report does raise a few red flags, even as preliminary as it may be.


11 information disaster risks

This article from Redpill Linpro discusses 11 information disaster risks, and the ways in which proper document management can help avoid them. The built-in slides could make a useful teaching tool in my Records Management class. The risks are:

  1. Increasing use of digital records
  2. The lack of information hubs
  3. The quantity of information produced
  4. The lack of proper document management tools
  5. Inefficient searching
  6. Interdependence of internal and external parties
  7. Different levels of authority
  8. Materials from external parties
  9. Multiple access points
  10. Different document formats
  11. Velocity of information

This is not a complete list, of course, since it doesn’t mention matters such as security, human error, and so forth, but this company produces document management software, so the emphasis of the 11 items is understandable.