#316 – WHAT IS INFORMATION RISK? – BILL POMFRET PH.D.

One of the fastest-growing risks is information, which is the lifeblood of most companies. It can give insight into market trends and lucrative new market opportunities. Information describes performance differences between business units, teams, and individuals. It can record details on customers, prospects, suppliers, and business partners. It drives decision making, the formulation of strategic goals, and the execution of daily tasks by everyone across the organization. Information is valuable and becoming more so.

The Malaysian airline incident had occurred at some point during a nine-year period between March 2010 and June 2019, according to A statement by the company, sent to its Enrich frequent flyer members, said the incident did not affect itineraries, reservations, ticketing, ID card or payment card information. The breached data, however, does contain Enrich member names, date of birth, gender and contact details, in addition to frequent flyer number, status and tier level information.

As with anything of value, information is not risk free. The collection, storage, access, usage, and disposal of information is a breeding ground of risk. And as we have seen in recent events, an ounce of prevention is worth a pound of treatment. We think about information risk as having two faces: corporate risk and privacy risk.

Corporate Risk. Corporate risk is risk to the corporate entity itself, manifested in four ways. Business risk focuses on the factors that threaten the financial and business viability of the corporate entity.

For example, by using a file share system instead of a robust enterprise communication system with data loss prevention (DLP) functionality like SharePoint, an organization could be at risk of one of its departing employees taking a target client list or other sensitive document over to the competitor that hired them.

Operational risk is about disruption to business processes through ineffectual procedures, failed systems, errors by employees, and fraudulent or criminal activity. For example, when the City of Atlanta was hit with ransomware in 2018, it spent more than $17 million to restore operations after the attack. Preventing a successful attack from happening in the first place (or having backup data to restore what was stolen) would have been a fraction of the cost.

Reputational risk is that information could be used to cause damage to other people and entities, where the corporation is the source of the damage and thus its reputation is tarnished, with consequential financial damages to revenue, profitability, and market value. For example, the Cambridge Analytica scandal, which involved harvesting the personal data of millions of Facebook users without the users' consent, has cost Facebook considerable goodwill and damaged its brand equity.

Finally, legal and compliance risk is that information could be accessed, used, destroyed and manipulated in ways that violate the legal mandates and compliance requirements imposed on the corporation. For example, a defense contractor was fined $75 million for ITAR violations. While its fine was cut in half as a result of deploying AvePoint's Compliance Guardian to prevent future data leaks, having better information controls from the beginning would have cost only a portion of the nearly $40 million fine.

Privacy Risk. Privacy risk is not focused on the corporate entity itself, but rather the people (called “data subjects”) who have entrusted their personal data to another entity.

Privacy risk is that a data subject loses control over their personal information, and that it will be used for purposes beyond those for which it was given. This can occur within an organization or as a consequence of an organization having ineffectual safeguards around the personal data. Again, the Cambridge Analytica scandal is a good example of a privacy risk and its impact on individuals and the organization.

Drivers of Intensifying Information Risk

Information is increasingly difficult to protect, due to an explosion of "more" across five dimensions:

  • More Data. The volume of information available to the world is growing exponentially. Approximately 90 percent of the data that exists in the world today was created only within the past two years (Marr, 2015). That is equal to more than 1.7 quadrillion bytes of data being created every minute worldwide (Domo, 2017). That means there is potentially more sensitive information for organizations to protect every single day.
  • More Sources. New forms of personal data are being created by artificial intelligence and machine learning technologies that enable deeper analysis of patterns of behavior over time for precision profiling and targeting. Modern search engine technologies aggregate, analyze and construct new levels of understanding from data sources originally collected for other purposes. New devices across many Internet of Things (IoT) categories are capturing, creating and storing previously ignored data points.
  • More Devices. Laptops are preferred over desktops, tablets have sold in the hundreds of millions of units, the smartphone is the first screen people look at each day, smart watches track everything from exercise to fertility cycles, smart glasses overlay the physical world with point-in-place digital data, and a growing array of IoT devices measure, monitor and act as digital servants at home and abroad. The proliferation of devices storing or providing access to corporate, personal and sensitive data explodes the information risk surface, not just from unauthorized or inappropriate breaches but from accidental loss and deliberate theft too.
  • More Cloud Services. Corporates can no longer rely on protecting information through strong network perimeter controls, as the move to the cloud advances and data is stored and accessed beyond the network. On-premises infrastructure as a controlled repository remains vital for most organizations, but with estimates ranging from “dozens” to “hundreds” of different cloud services being used by the average organization, it’s vital to be able to protect information across a growing collection of disparate cloud services.
  • More Regulations. New privacy regulations and compliance standards are springing up across multiple state, country and international jurisdictions. Regional and national standards apply to both the commercial and public sectors in addition to international standards, such as ISO 15489, which outlines global best practices for information creation, capture and management. With additional and changing regulations, there are more risks for potential litigation, and devastating fines for non-compliance.

Common Information Risks in Collaboration Platforms

Collaboration platforms can be on-premises, such as SharePoint Server or file shares, or in the cloud, like Office 365, G-Suite, Dropbox and Box. Not all sources are created equal when it comes to information risk.

Generally, the substantial investment cloud providers make in their infrastructure security makes the cloud more secure than on-premises solutions. Additionally, some cloud providers like Microsoft have invested in more native security and compliance tools than other vendors.

However, regardless of whether your data is in an on-premises or cloud environment, or what vendor you’re using, collaboration platforms have common information risks that can be mitigated. These include:

Operational risk through constant usage in multiple daily business processes. The relentless frequency of use by employees across the organization increases the likelihood of inappropriate activities, ignored policies, and inadvertent breach.

Compliance risk through disparate and non-integrated information protection approaches. While each collaboration platform is likely to offer its own approach for information protection, the organization is left without a holistic approach.

The sheer number of different services, each with their own unique protection controls, creates a complex and conflicting control space, which surfaces new information risks rather than dissolving current ones.

Dr Bill Pomfret; MSc; FIOSH; RSP. FRSH;
Founder & President.
Safety Projects International Inc, &
Dr. Bill Pomfret & Associates.
26 Drysdale Street, Kanata, Ontario.K2K 3L3.
www.spi5star.com      pomfretb@spi5star.com
Tel 613-2549233
