At MapleSec 2023, Richard Freeman, portfolio manager and business EWS marketing for Ricoh Canada, shared his research, tips, and tricks on how to manage business information in a presentation called Unlock the power of information.
Freeman said he hoped to open the eyes of fellow business leaders to the amount of personal information that is readily available to cybercrime attacks, the amount of outdated or useless information many organizations hold on to, and the risks that come with not following cyber security regulations.
According to a Cybersecurity Ventures survey, cybercrime was a US$3 billion industry in 2015, and will grow to a US$10.5 billion industry by 2025.
Unfortunately, many businesses feel a false sense of security when it comes to their own information protection. Freeman used hiring managers as an example: the information they collect, such as resumes, CVs and onboarding records, is continuously duplicated outside of HR, a common way in which personal information ends up mismanaged.
“With this information, we also have their social insurance number, banking information, address, spouse’s name, all the things we need to steal an identity. Neither HR nor IT even knows the data is there,” he said.
The importance of organization
Integrating information governance, which involves coordinating people, processes and technology, into an enterprise is essential for maintaining order within the business, he noted. This entails developing a cohesive strategy for handling all aspects of organizational information, including how it is collected, managed, and discarded.
Organizations can implement a cybersecurity framework that will permit the flow of information to those who need it, but protect the organization as a whole. Freeman recommended choosing one of the following frameworks:
- National Institute of Standards and Technology (NIST)
- International Organization for Standardization (ISO)
- Center for Internet Security (CIS)
Between framework implementation, education and best practices, he said, organizations can mitigate much of the risk and bolster productivity and profitability.
Where is your data?
In the process of defining a good operational framework, Freeman discussed the three levels of data most organizations have: Business critical data, dark data, and redundant, obsolete and trivial data (ROT).
While business critical data is information that is necessary for a business to be useful, dark data is the mass of other information enterprises collect, process, and store. Dark and ROT data take up the bulk of most organizations’ storage.
Not only does this information take up storage space, it can be costly. When threat actors strike, they look for items they can monetize or disrupt, such as banking information, names, addresses and the like. ROT and dark data can hold this type of information without the organization realizing it.
With these types of risks, paired with the constant sharing of information to smartphones and home offices, Freeman recommended using data mapping and file analysis tools to assess possible privacy breaches or other threats.
Challenges and risks
From a legal standpoint, it is important that organizations understand the risk of mishandling sensitive information. Freeman referred to several major fines levied under the GDPR in Europe: not fines due to a breach, but fines due to organizations not handling information properly.
“Some of the reasons these fines were issued are: insufficient legal basis for data processing, non-compliance with general data processing principles, insufficient fulfillment of information obligation and insufficient fulfillment of data subject rights,” he said.
In order to avoid financial repercussions and privacy concerns, Freeman recommended the following:
- Identify the personally identifiable information that is readily available, and apply the high-water mark for privacy: take the strictest applicable legislation, such as GDPR, as the baseline and work from that;
- Identify ROT and remediate it;
- Archive what is of business or cultural value;
- Monitor data stores regularly;
- Review policies;
- Know what you have, know why you have it, know what the risk is in keeping it.
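The data mapping and file analysis step Freeman recommends, and the "identify PII, identify ROT, monitor data stores" items above, come down to one recurring task: walk a file share, flag files that contain personal information, and flag files nobody has touched in years. The script below is an added illustration of that task written for this article; it is not Freeman's or Ricoh's tooling. It assumes a hypothetical stale-file threshold of three years, a simplified e-mail regex, and a Canadian SIN candidate check (nine digits that pass the Luhn checksum, which SINs use), and it builds a small constructed sample corpus in a temporary directory so it runs offline. Findings are reported with the SIN masked, so the inventory itself does not become another copy of the data.

```python
import os
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

STALE_DAYS = 365 * 3  # hypothetical ROT threshold: untouched for more than three years

# Candidate SIN: nine digits, optionally grouped 3-3-3 with spaces or dashes.
SIN_PATTERN = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{3})\b")
# Simplified e-mail pattern for triage purposes, not full RFC 5322.
EMAIL_PATTERN = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, which Canadian SINs use; filters out random 9-digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sins(text: str) -> list[str]:
    """Return 9-digit groups that pass Luhn; Luhn failures are treated as non-SINs."""
    return [
        "".join(m.groups()) for m in SIN_PATTERN.finditer(text)
        if luhn_valid("".join(m.groups()))
    ]


def mask_sin(digits: str) -> str:
    """Keep only the last three digits so the report is not itself a PII store."""
    return "***-***-" + digits[-3:]


@dataclass
class Finding:
    path: str
    age_days: int
    sins: list[str] = field(default_factory=list)
    emails: list[str] = field(default_factory=list)

    def classification(self) -> str:
        has_pii = bool(self.sins or self.emails)
        stale = self.age_days > STALE_DAYS
        if has_pii and stale:
            return "ROT+PII"   # stale and sensitive: remediate first
        if has_pii:
            return "PII"       # live data, belongs in the privacy register
        if stale:
            return "ROT"       # candidate for deletion or archive
        return "OK"


def scan_directory(root: str, now: float) -> list[Finding]:
    """Walk root, read each file as text and record PII hits plus age in days."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        text = path.read_text(errors="ignore")
        age_days = int((now - path.stat().st_mtime) // 86400)
        findings.append(Finding(str(path.relative_to(root)), age_days,
                                find_sins(text), EMAIL_PATTERN.findall(text)))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.classification()] = counts.get(f.classification(), 0) + 1
    return counts


def build_sample_corpus(now: float) -> str:
    """Constructed sample share; 046 454 286 is a well-known Luhn-valid test SIN."""
    root = tempfile.mkdtemp()
    samples = {
        "hr/onboarding_2019.txt": ("Employee J. Doe, jdoe@example.com, SIN 046 454 286", 4 * 365),
        "shared/old_memo.txt": ("Parking lot repaving schedule, no action needed", 5 * 365),
        "shared/contacts.txt": ("Vendor contact: sales@example.org", 10),
        "finance/invoice_2024.txt": ("Reference 123-456-789 (not a SIN: fails Luhn)", 3),
    }
    for rel, (text, age_days) in samples.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)
        mtime = now - age_days * 86400
        os.utime(p, (mtime, mtime))  # backdate so the age logic has something to work on
    return root


if __name__ == "__main__":
    import time
    now = time.time()
    for f in scan_directory(build_sample_corpus(now), now):
        print(f"{f.classification():8} {f.path:28} {f.age_days:5}d "
              f"sins={[mask_sin(s) for s in f.sins]} emails={len(f.emails)}")
```

On a real share the interesting output is the ROT+PII bucket: files that nobody has opened in years and that still carry identity data, which is exactly the HR-duplicate problem Freeman describes. A tool like this is an inventory aid, not an answer by itself; the archive, delete or keep decision for each file still belongs to the owner under the organization's retention policy.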
To hear Freeman’s full presentation on the power of information, visit this link.