
Of keeping secrets

By Bob Larrivee posted 04-09-2013 15:11

I am here at the Gaylord National Harbor as an invited panelist at the World Health Care Congress, to discuss security and risk related to cloud and mobile devices. While I find this an interesting, challenging, and important topic, it is not the technology I am concerned with as much as the human factor. For many years I have advocated that while we need to be aware of security threats to our information resources, it is the human factor that is by far the weakest link. This is holding true here at the Gaylord.

There are actually two events being held here, the WHCC and also one related to defense. (Since this is the greater Washington, DC area, no surprises there.) It is amazing how much information is swirling around these halls about product, prospects, and clients. It is not that I want to hear any of this - I do not - but I cannot avoid it as individuals increase their volume to be heard by their peers, and those on phones feel that talking louder will be of benefit to the person on the other end as they compensate for the increased noise levels around them here. I am sure the executive teams for these companies would be surprised at what kind of discussions are being held. It is also amazing to me how many people will set up at a table here in the lobby with their laptop, and leave it unattended and unprotected while they go freshen their coffee. The fact they left it unattended is one thing, as it could easily be taken, but to leave it on as well, so the world can easily see what you are working on, is another.

In my view, one of the biggest challenges faced by companies today in relation to information security is and forever will be the human factor. The technologies we choose are only as good as the humans to whom we entrust them. Leaving laptops unattended and loudly discussing corporate business and confidential information in public settings are not things you can control completely, but they are an area of concern and one that can and should be regularly addressed.

All of this falls squarely under governance and change management. If you want to protect your information, technology will bring you part of the way there and will allow you to react to breaches as they occur, but like any situation, the best approach is to be proactive and take preventive measures. Here are five simple but important things you can use as a guide to get you moving in the right direction.

1. Create a statement of risk tolerance - This is the level of risk the organization is willing to accept, and not accept, in relation to information security.

2. Develop mobile device use guidelines/principles - Establish governance policies and procedures for appropriate use, roles and responsibilities, consequences, etc.

3. Include the business unit in the development and implementation - It is the business units that must be taught and will be held accountable, so include them and learn their business requirements, and do not leave it just to the lawyers.

4. Assign responsibility and accountability in the business unit - Establishing policies and procedures is only part of the puzzle. You must put into place ways to monitor and ensure policies are being followed and adhered to.

5. Train the employee base - Teach your employees about your policies and procedures, the reasons for them and why they exist, and use examples whenever possible. Demonstrate to them the consequences of lost information and point out real cases from the industry and news sources.

While this is no guarantee of securing your information and completely eliminating risk, it is a way to move forward in addressing the human factor to minimize risk. You must look at your information management practices from a holistic perspective and include not just technology but the people and processes related to them as well.

If you are ready to move forward and are finding yourself stuck or unfocused and are not sure where to begin or what to do next, seek professional assistance and/or training to get you started. Be sure to investigate AIIM's Enterprise Content Management training program.

And be sure to read the AIIM Training Briefing on ECM (authored by yours truly).

What say you? Do you have a story to tell? What are your thoughts on this topic? Do you have a topic of interest you would like discussed in this forum? Let me know.

Bob Larrivee, Director and Industry Advisor – AIIM
Email me: blarrivee@aiim.org

Follow me on Twitter – BobLarrivee

www.aiim.org/training

#InformationGovernance #WHCC