What explains the lackadaisical approach to information security in many companies today? Rarely does a day go by without news of some company, big or small, being sloppy with their data - Adobe and PR Newswire being the most notable casualties of late. In the case of the latter, the risk of fake news releases could have had immensely damaging consequences. It was only in April 2013 that the Associated Press' Twitter account was compromised, with fake news of an attack on the White House causing the Dow Jones to plummet by 128 points in seconds.
In examining the causes behind such failures in information security, Michael A. Gold, partner at Jeffer Mangels Butler & Mitchell LLP in Los Angeles, has written an excellent article over on Bloomberg Law outlining the sloppy approach of companies to cyber security.
The obligation to maintain an effective information reporting system is directly related to maintaining a secure information system, and the failure to do so is, arguably, a measure of a director?s negligence.
Surrounded by potential attackers and undermined by their very own governments, businesses already face an uphill struggle in the realm of information security. Add to this the failure of many board directors to emphasise security, as well as the silos in which information management and information security operate, and the risks to information assets become quite evident.
Of course, it's not simply the serious damage that occurs to trust between customers and businesses when sensitive information is compromised. Companies now face increasingly hefty fines for failing to protect sensitive data. Despite the growth and growing importance of information assets, many businesses are still sloppy with these assets. But why?
Gold argues that there are three main reasons for why boardrooms are failing to address information security:
??Intimidation?Most directors, especially those in mature companies, are older and not as comfortable with digital technologies.
??Highly technical jargon?The information security industry uses jargon and code words that raise barriers to those who are not technically savvy.
??The rapidity of change in the digital environment?The information and digital technologies have very short life cycles, demanding almost constant attention. Corporate directors are unable to keep up as they have to focus on other work.
In addition to these, he highlights the assumption of many directors that their IT departments are most likely handling security.
...good IT is not good cyber security, and good IT often serves goals which arguably are counter to cyber security. Relying on IT for strategic data security can lead to a complacency that may be encouraged by the IT staff itself, who often do not understand all of the risks associated with their own systems or in fact see cyber security experts as a challenge to their authority.
Apart from the issue of faulty assumptions, what is required here is to close the gap between information management and information security. Indeed, information security is part of information management, but due to the tendency to create silos out of specialisations, we have broken down what should be a holistic approach to information assets.
In the era of mobile information, cloud computing and 'bring your own device', compromises will always have to be made between convenience and security, but this is not a zero sum game. Only when stakeholders recognise and understand the inextricable link between information management and information security can systems then be designed that strike the right balance between user friendliness and the protection of valuable information assets.
Photo: David Goehring
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.