Chapter 1
The Case for Information Governance
Abstract
In today’s information age, are businesses protecting their most important resources: company and client data? Annually, businesses lose billions of dollars due to data leakage, on top of which the government often imposes millions in fines. This does not include the irreparable damage caused to a company’s reputation. It is not a matter of whether you will be a victim; it is a matter of when. In this chapter, the authors explain why implementing a solid information governance plan is the key to avoiding becoming a victim and to keeping your company’s proprietary information safe.
Keywords
Information Governance; Small business; Medium size business
Guarding assets, staff, and accounts has always been a key to protecting businesses. But in the information age, are you protecting your most important resources—company and client data? Each year, businesses lose billions of dollars due to data leakage, on top of which the government often imposes millions in fines. In addition, leakage can cause irreparable damage to your company’s reputation. It is not a matter of if you will be a victim; it is a matter of when.
We have all heard the old adage that an ounce of prevention is worth a pound of cure. When it comes to data management, that pound of cure may not be available, so the new adage might be that an ounce of prevention is worth preventing the total destruction of your business. The ounce of prevention is information governance, and—if you are like most people—you have no idea what that is or how to take advantage of it.
This book explains how you—as a business owner, executive, or even someone just interested in keeping their proprietary information safe—can better adapt to twenty-first-century threats. By understanding the changing landscape and moving your organization to be focused and data centric, the damage or loss of your key information can be minimized if not outright prevented. We will break down for you what information governance is and does for different-sized companies. Large, medium, and small companies all have unique circumstances that will be addressed. Additionally, we will discuss what they have in common. Information governance has many standard issues that can and should be addressed across all organizations.
One of the benefits of reading this book is the impact on your personal life. While this book is written to help in business, many of the tools and habits discussed are important for individuals. Digital threats affect people at work and at home. Be mindful as you read to see the parallels to your life away from the office.
Let’s start with a bold statement: information governance is not a function of your information technology group. It is a base-level management function, much like human resources or finance. A properly developed and managed information governance program protects your company and keeps it effective and efficient. It helps to manage compliance issues and can be vital in defending against litigation. It will make employees more satisfied and secure in their work and limits your risk of loss from human error. Information governance is more than an IT problem that needs to be solved; it is a systemic solution to counteract threats, alleviate inefficiencies, and prepare for the future.
Take, for example, the story of an architectural firm located in the southwestern United States that was happily doing business as a profitable midsized company in the spring of 2011. The employees were engaged. The clients were happy. The company was making money and having a great time. All seemed well, so what could go wrong?
During that time a senior designer with full access to the client base and design work resigned and went to work for a competitor. In very short order, clients started leaving and much of the work was shifted to the competing firm by whom the employee had been hired. Not good.
In an effort to stop the bleeding, the firm’s owner went to his attorney to take action on this sabotage by stopping the theft of clients and company designs. Upon review with legal counsel, it was determined that the employee had never been asked or required to sign a nondisclosure or a noncompete agreement. The owner even contacted law enforcement in an effort to right the wrong, but received the same response: there was nothing they could do. The former employee was not in breach of contract, nor could criminal intent be proven in a court of law.
The victim company was able to recover, but only after shrinking in size, laying off office personnel, and moving to a new, smaller building. Several years later, they have still not fully regained their previous work levels. The situation was tragic and preventable. It occurred because the architectural firm did not have a policy that addressed data management and access. They had no employee agreements to hinder or address the theft of intellectual property. They had no information governance program to steer management to avoid such problems.
Information Governance
So what exactly do we mean when we talk about information governance? It is a set of established policies and procedures you and your employees implement and follow in order to manage sensitive and proprietary information.
For smaller businesses, which can be anything from a sole proprietor up to approximately fifty employees, participation in information governance should be from the top down. The smaller the organization, however, the more concentrated the development and implementation can be. Ensuring that everyone understands what they are supposed to do with important information and how to do it can make the difference in protecting the company’s vital interests. This understanding evolves as the threats and benefits of the digital age become clearer. Likewise, information governance can be applied in such a fashion that the company’s performance improves, productivity increases, and employee satisfaction can be positively impacted.
So does the small business need to be concerned with taking the same actions as the big guys on the block? Absolutely! Loss and compromise of important information knows no boundaries. Small businesses are just as susceptible to threats, whether it is inadvertent yet preventable damage to proprietary information or the nefarious actions of some individuals interested in disrupting operations. But even if a lone employee operates the small business, that person needs to be just as vigilant in following the proper procedures to protect the company’s interests. In some instances, a small yet successful business is a greater target, as it may appear less diligent and secure than a larger organization.
A medium-size company (50–1,500 employees) will have the same interests, yet based on its size, there may be fewer levels. Officers in the company will likely have multiple roles and broader discretion in implementing procedures, along with the ability to change those procedures as the need arises. Most medium-sized enterprises drive decisions to lower levels, which in effect makes an information governance program and its corresponding communication mechanisms even more important.
For large businesses (over 2,500 employees), participation by personnel would incorporate all facets of the company, from the CEO down to the front-line employee.
The Small Business
In many small businesses, just one person is in charge. The owner is responsible for everything, be it marketing, sales, operations, finance, or strategy. The dilemma facing most small business owners is staying on top of all of the details while keeping the business profitable. Small business owners have enough to worry about without having what they might perceive as unnecessary responsibilities placed upon them. The case for information governance, however, is much like purchasing insurance. Policyholders hope never to use the insurance, but they understand the risk and plan accordingly.
A Ponemon–Experian cyber insurance study determined that nearly 20 percent of all cyber attacks are specifically aimed at businesses with 250 or fewer employees.¹ For a small business, information governance is just another layer of insurance, but one that is more likely than not to be put into use. The results of not having an information governance program can be devastating for a small business.
An excellent example of a small business that needed a solid information governance policy is a real estate investment company owned by Jeff. Jeff has a thriving business. He makes a nice living and enjoys what he does. His six employees seem to be satisfied and everyone works well together. Everything appears to be fine. Yet as the company clicks along, a danger hides within the work force. A trusted employee is harboring ill will and thinks he can do what Jeff does—and profit like Jeff does. But whereas Jeff built his company over time from the ground up, the nefarious employee is looking for a quicker way to make money.
Initially, the employee adds some items to his expense reports, but soon moves to demanding—and getting—kickbacks from contractors. Eventually, this hidden threat finds a way to skim profit off the sale of properties, too. His actions go unnoticed by Jeff, who has nothing in place to check on the integrity of employees or to verify the financials being reported. Jeff is a victim and does not know it. He has no system to identify the issue. He just notices his numbers getting slightly worse over time.
This is a sad but common issue with small...