Working out the weakest link in Information Governance
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke
November 1, 2021
There are many ways an information governance system can collapse, and in many of them even the finest governance systems and tools cannot undo the damage. Consider this scenario: a disgruntled member of staff deliberately downloads a large volume of company information containing not only customer details but also business secrets.
Another scenario is a member of staff caught out by what has been termed a CEO phishing email. This happens when a staff member receives an email purporting to come from their CEO about an intended merger or divestiture, requesting that they carry out a particular task so that the merger or acquisition deal goes through smoothly. The message works because it borrows the authority of the sender and the secrecy that normally surrounds such deals.
There is an adage that “a chain is only as strong as its weakest link”, and it accurately reflects the way an organisation must approach its information governance. How does a company find its weakest link, and what steps can it take to ensure that the weakest link is treated immediately?
The best way of identifying the weakest link within a company is to run social engineering exercises, in particular simulated phishing campaigns. This means sending emails containing manipulative action links and recording who clicks them and when. Once an individual, or a group of people, has been identified in this way, the company places them into a further training programme.
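As an added example (not code from the original article), the click-tracking side of such a simulated phishing campaign can be implemented as follows: each recipient gets a link carrying an unguessable per-recipient token, the tracking server's access log is parsed, tokens are mapped back to people, and clickers are grouped by department so that the result feeds targeted training. The campaign name, secret key, log format, roster and the user-agent markers used to recognise mail-gateway link scanners are all constructed assumptions for this illustration.

```python
"""Phishing-simulation click tracking: per-recipient links and click-log analysis.

Added example, not from the original article. Names, the log format and the
sample data below are constructed for illustration.
"""
import hashlib
import hmac
import re
from datetime import datetime

# Assumption: a per-campaign secret held only by the simulation server.
CAMPAIGN_SECRET = b"replace-with-a-random-32-byte-key"
CAMPAIGN_ID = "q4-merger-lure"                  # constructed campaign name
BASE_URL = "https://training.example.com/t/"    # constructed tracking endpoint

# Constructed roster: who received the simulated "CEO" email, and their department.
RECIPIENTS = {
    "ada@example.com": "Finance",
    "bob@example.com": "Retail Systems",
    "cy@example.com": "Finance",
}


def make_token(email, campaign_id=CAMPAIGN_ID, secret=CAMPAIGN_SECRET):
    """Deterministic, unguessable per-recipient token (HMAC-SHA256, truncated).

    Deriving the token from the roster means no token table has to be stored,
    and a token that was never issued cannot be forged without the secret.
    """
    msg = f"{campaign_id}:{email.lower()}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:24]


def build_links(recipients, campaign_id=CAMPAIGN_ID, base_url=BASE_URL):
    """Map each recipient to the unique tracking URL embedded in their email."""
    return {email: base_url + make_token(email, campaign_id) for email in recipients}


# Constructed access-log format: <ISO timestamp> GET /t/<token> <client ip> "<user agent>"
LOG_LINE = re.compile(r'^(?P<ts>\S+) GET /t/(?P<token>[0-9a-f]+) (?P<ip>\S+) "(?P<ua>[^"]*)"$')


def parse_click_log(lines):
    """Yield (timestamp, token, ip, user_agent) from log lines; malformed lines are skipped."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        yield ts, m["token"], m["ip"], m["ua"]


def identify_clickers(log_lines, recipients, campaign_id=CAMPAIGN_ID, secret=CAMPAIGN_SECRET):
    """Return ({email: first_click_time}, set_of_unknown_tokens).

    Requests whose user agent looks like a mail gateway's link scanner are
    ignored, because gateways pre-fetch links and would otherwise be counted
    as human clicks. The scanner markers are an assumption; tune them to the
    gateway actually in use.
    """
    token_to_email = {make_token(e, campaign_id, secret): e for e in recipients}
    first_click, unknown = {}, set()
    for ts, token, _ip, ua in parse_click_log(log_lines):
        if "linkscanner" in ua.lower():
            continue
        email = token_to_email.get(token)
        if email is None:
            unknown.add(token)      # forged, mistyped or scanner-generated token
            continue
        if email not in first_click or ts < first_click[email]:
            first_click[email] = ts
    return first_click, unknown


def targeted_training_groups(first_click, recipients):
    """Group clickers by department, the unit at which targeted training is delivered."""
    groups = {}
    for email in first_click:
        groups.setdefault(recipients[email], []).append(email)
    return {dept: sorted(members) for dept, members in groups.items()}


# Constructed sample log: one gateway pre-fetch, one repeat click, one unknown token, one bad line.
SAMPLE_LOG = [
    f'2021-11-01T08:58:10Z GET /t/{make_token("ada@example.com")} 198.51.100.7 "ACME-LinkScanner/2.0"',
    f'2021-11-01T09:14:03Z GET /t/{make_token("ada@example.com")} 203.0.113.5 "Mozilla/5.0"',
    f'2021-11-01T09:20:41Z GET /t/{make_token("cy@example.com")} 203.0.113.9 "Mozilla/5.0"',
    f'2021-11-01T09:31:55Z GET /t/{make_token("ada@example.com")} 203.0.113.5 "Mozilla/5.0"',
    '2021-11-01T09:40:00Z GET /t/deadbeefdeadbeefdeadbeef 192.0.2.44 "curl/7.79"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    clicks, unknown = identify_clickers(SAMPLE_LOG, RECIPIENTS)
    for email, ts in sorted(clicks.items()):
        print(f"{email} first clicked at {ts.isoformat()}")
    print("unknown tokens:", sorted(unknown))
    print("training groups:", targeted_training_groups(clicks, RECIPIENTS))
```

Two practical points follow from the code. First, the gateway pre-fetch filter matters: without it, every recipient behind a link-scanning mail gateway appears to have clicked, and the exercise tells you nothing. Second, the output is grouped by department rather than by individual because the purpose is to direct training, not to single people out; a department where most recipients clicked is a candidate for the targeted training described below.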
Most stakeholders think yearly training is enough for their staff. I would argue that this is far too infrequent given the importance of information governance training. I must add, too, that generic training, which is the standard practice in most industries, just doesn't carry weight when it comes to using training to build culture, drive the necessary company-wide action points and protect the business interests as required. What companies need in order to treat the weakest link is what I call “targeted training”.
What is targeted training? Targeted training is the practice of studying a particular department, for example retail systems, looking in depth at the processes and business functions within that department, and producing training material that works for that department. If its staff handle tools or hardware that deliver services to customers, then they must understand how their functions feed into the company's information governance methodologies.
There is no single way for a company to find its weakest link, and no unique methodology for finding the weakest link within an information governance structure. From a technical perspective, as I have mentioned in this space before, gap analysis plays a critical part in ensuring that some of these weaknesses are highlighted.
It is good practice, and part of any monitoring methodology, for stakeholders to keep looking for the best ways to find the weaknesses that exist within the company's systems and among the individuals who need targeted training or further information security training. These steps will further solidify the company's information security framework.