MALAYSIA ASEAN/APEC LEAD CONSUMERIST DR JACOB GEORGE ASKS – IS PERSONAL & ORGANIZATIONAL DATA AT RISK THANKS TO ONLINE SOCIAL SERVICE PROVIDERS AND A LACK OF LEGAL ENFORCEMENT THROUGH LEGISLATION?
In all major jurisdictions, whether ASEAN or APEC, let alone elsewhere in Europe, the Indian subcontinent, West Asia and the African continent, and thanks to constant media attention and consumer advocacy, not just organizations but individuals must be concerned not only with what might come into one’s personal environment but also with how one’s personal data and information can be abused!
Data and reports that were ignored in the past are now a point of close contention, when we have indications that data theft is growing at more than 650% over the past three years, according to the FBI!
As such there is an awakening that one must prevent internal leaks of both personal and organizational financial, proprietary and nonpublic information.
This is why I have repeatedly urged and lobbied governments that we need adequate protection in this area!
With the increasing number of dating agencies, social media businesses, financial institutions, healthcare institutions, publicly traded organizations and banks, these bodies need to create consumer privacy policies and procedures that help them mitigate their potential liabilities.
And to look at this, I went undercover using some of them this week!
In response, one can suggest some key ways to keep nonpublic information private and isolated.
Step 1: Organizations/Consumers need to identify and prioritize confidential information
This is no rocket science!
But despite this, we have a situation where the vast majority of organizations and private citizens/consumers have no knowledge of how to start protecting confidential information.
I take the stand that by categorizing types of information by value and confidentiality, consumers, private citizens and corporations can prioritize what data to secure first.
In my advocacy experience, customer information systems or employee record systems are the easiest places to start because only a few specific systems typically own the ability to update that information.
On the other hand, social security numbers, account numbers, personal identification numbers, credit card numbers and other types of structured information are finite areas that need to be protected.
And certainly, I take the stand that securing unstructured information such as contracts, financial releases and customer correspondence is an important next step that should be rolled out on a departmental basis.
Step 2: Study current information flows and perform risk assessment
Basically, what I am alluding to is that it is essential to understand current workflows, both procedurally and in practice, to see how confidential information flows around, whether in the personal orbit or in an organization’s universe.
Identifying the major business processes that involve confidential information is a straightforward exercise, but determining the risk of leakage is far more challenging and requires a more in-depth examination.
Consumers and organizations need to ask themselves the following questions of each major personal and business process:
Which participants touch these information assets?
How are these assets created, modified, processed or distributed by these participants?
What is the chain of events?
Is there a gap between stated policies/procedures and actual behavior?
By analyzing information flows with these questions in mind, I will go as far as to state that consumers and companies can quickly identify vulnerabilities in their handling of sensitive information.
Step 3: Determine appropriate access, usage and information-distribution policies
Based on the risk assessment, sometimes engaging professionals in risk management or security, a consumer or an organization can quickly craft distribution policies for various types of confidential information.
These policies govern exactly who can access, use or receive which type of content and when, as well as oversee enforcement actions for violations of those policies.
And what if anyone within the system or organization is violating those policies or selling personal and organizational data for financial gain?
In my experience, four types of distribution policies typically emerge for the following:
- Customer information
- Executive communications
- Intellectual property
- Employee records
Once these distribution policies are defined, it does not end there: there is a need to implement monitoring and enforcement points along communication paths.
Step 4: Implement a monitoring and enforcement system
The ability to monitor and enforce policy adherence is crucial to the protection of confidential information assets.
Control points must be established to monitor information usage and traffic, verifying compliance with distribution policies and performing enforcement actions for violation of those policies.
Like airport security checkpoints, monitoring systems must be able to accurately identify threats and prevent them from passing those control points.
Due to the immense amount of digital information in modern organizational workflows, these monitoring systems should have powerful identification abilities to avoid false alarms and have the ability to stop unauthorized traffic.
I am advised by professionals with more knowledge than I have on this matter that a variety of software products are available which provide the means to monitor electronic communication channels for sensitive information!
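As an added illustration of Steps 1, 3 and 4 (example code written for this page, not the author's own or any product's), here is a minimal control point that scans outgoing messages for the structured identifiers named in Step 1, applies a distribution policy of the kind described in Step 3, and uses the Luhn checksum so that a random run of digits does not raise the false alarms Step 4 warns about. The policy table, channel names and sample messages are assumptions constructed for the example.

```python
import re
# Constructed distribution policy (assumption, not from the article): channels on
# which each class of confidential content may travel; anything else is stopped.
POLICY = {
    "customer_information": {"email-internal", "file-share-internal"},
}
# Structured identifiers from Step 1: 13-16 card digits with optional separators,
# and the common NNN-NN-NNNN social-security layout.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops random digit runs so the checkpoint raises fewer false alarms."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> dict:
    """Map each content class found in text to the matching values."""
    found = {}
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.setdefault("customer_information", []).append(digits)
    for m in SSN_RE.finditer(text):
        found.setdefault("customer_information", []).append(m.group())
    return found

def checkpoint(channel: str, text: str) -> tuple:
    """Control point (Step 4): returns ("allow"|"block", findings) for the Step 5 review log."""
    findings = classify(text)
    for content_class in findings:
        if channel not in POLICY.get(content_class, set()):
            return "block", findings
    return "allow", findings
# Constructed sample traffic; 4111 1111 1111 1111 is a well-known Luhn-valid test number.
SAMPLE = [
    ("email-external", "Invoice paid with card 4111 1111 1111 1111, thanks"),
    ("email-external", "Tracking ref 4111 1111 1111 1112 has shipped"),  # fails Luhn: no alarm
    ("email-internal", "Card 4111111111111111 is on file for account review"),
    ("web-post", "Applicant 123-45-6789 approved for the loan"),
]
if __name__ == "__main__":
    for channel, text in SAMPLE:
        print(channel, checkpoint(channel, text))
```

A real monitoring product would add many more content classes and channels, but the shape is the same: identify, check against policy, then record the decision so the periodic review in Step 5 has something to work from.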
Step 5: Review progress periodically
As my late father, an educationist, used to say “Boy – lather, rinse and repeat!”
For maximum effectiveness, consumers and organizations need to regularly review their systems, policies and training.
By using the visibility provided by monitoring systems, organizations can improve employee training, expand deployment and systematically eliminate vulnerabilities.
In addition, systems should be reviewed extensively in the event of a breach to analyze system failures and to flag suspicious activity.
External audits can also prove useful in checking for vulnerabilities and threats.
I am advised by the professionals that both consumers and companies often implement security systems but either fail to review the incident reports that arise or fail to extend coverage beyond the parameters of the initial implementation.
And they concur that through regular system benchmarking, consumers and organizations can protect other types of confidential information; extend security to different communication channels such as e-mail, Web posts, instant messaging, peer-to-peer and more; and expand protection to additional departments or functions.
One final word!
Protecting confidential information assets, by consumers and organizations alike, is really a journey rather than a one-time event.
It fundamentally requires a systematic way to identify sensitive data; understand current business processes; craft appropriate access, usage and distribution policies; and monitor outgoing and internal communications.
Ultimately, what is most important to understand is the potential costs and ramifications of not establishing a system to secure nonpublic information from the inside.
While on this topic, I must congratulate the Indian judiciary for a recent landmark decision on personal data protection!
Once again that judiciary stands tall!
I will raise this issue of personal and organizational data with Malaysian Premier Najib Tun Razak and friends in the Malaysian cabinet soon, as I am aware of their great concern in this matter!