While data is an undeniable asset for all companies, the General Data Protection Regulation (GDPR) reminds us that it must be handled carefully with regard to individual rights. Like all wealth, data is coveted, and its frequent theft is harmful in more ways than one. What follows is a brief summary of the five biggest risks.
Of the 195 countries in the world, 137 enforce data protection and privacy laws.
Companies that do not respect the law face sanctions: fines or censure, sometimes accompanied by suspension of the manager, and prison terms. For example, a large hotel group was fined 600,000 euros by the CNIL for commercial prospecting without the consent of the persons concerned and for failing to respect the rights of customers and prospects.
It is better to know the legal requirements.
The next legal obligation arrives in 2024, with mandatory electronic invoicing.
To contain these legal risks, it is advisable to adopt a global approach aligned with the company's strategy (diversifying its activities or setting up in new countries, for example). This includes obtaining certification against a given standard, both for legal reasons and because certification is a competitive advantage.
A legal and regulatory watch makes it possible to anticipate changes.
These regulations and standards should be broken down by the teams into small, digestible pieces so that they can be converted into operational, implementable processes.
Once the mechanism is in place, it is necessary to get certified and verify compliance through internal and external audits. These audits may reveal defects that need to be addressed with preventive and remedial actions.
Reputations can also be damaged by scandals, product recall campaigns, bad reviews on social networks, and data leaks. This was the case for a well-known sports store brand, where last year 10% of the workforce was affected by the disclosure of personal data on the Internet, and, for example, for a VTC (ride-hailing) company, where a breach affected the data of 57 million people, drivers and customers alike.
We must guard against both inside-out data leaks, caused by unscrupulous colleagues or human error, and cyber attacks, in which outsiders try to get inside the company's information system.
It is essential to ensure that the elements of the IT infrastructure are well configured and updated regularly, whether they are routers, switches, storage, servers or operating systems.
An Intrusion Detection System (IDS) makes it possible to detect an intrusion that would otherwise go unnoticed until it is too late, by which point attackers may have been collecting data for months or even years.
We can also set up systems to counter DDoS attacks, which aim to saturate servers with too many requests. And of course, beware of malware hidden in email.
An appropriate access rights policy based on metadata, neither too rigid nor too loose, is more dynamic than one defined by groups.
Data leak prevention (DLP) functions help limit the risk of data leaks.
To manage exchanges with the outside world, the best answer is a secure collaborative portal. This avoids the use of online applications not validated by the IT department, which is known as shadow IT.
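The three points above (metadata-driven access rights, a leak-prevention check, and a portal that separates external partners from internal users) can be illustrated with a small policy model. This is an added example, not M-Files code: the document attributes (`department`, `classification`, `project`), the user attributes and the rules are assumptions chosen to show why re-tagging a document changes who can see it without editing any group.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Constructed metadata model (assumption for this example, not a product schema).
@dataclass(frozen=True)
class Document:
    name: str
    department: str        # owning department
    classification: str    # "public", "internal" or "confidential"
    project: Optional[str] = None

@dataclass(frozen=True)
class User:
    name: str
    department: str
    projects: frozenset = frozenset()
    external: bool = False  # partner connecting through the collaborative portal

def can_read(user: User, doc: Document) -> bool:
    """Metadata-driven rule: the decision follows the document's own attributes,
    so changing a tag changes access immediately, with no group maintenance."""
    if user.external:
        # The portal only ever exposes public material to outsiders.
        return doc.classification == "public"
    if doc.classification in ("public", "internal"):
        return True  # any employee
    # Confidential: same department, or explicit membership of the project tag.
    return user.department == doc.department or (
        doc.project is not None and doc.project in user.projects
    )

def can_share_externally(user: User, doc: Document) -> bool:
    """DLP-style check: a user may only push out what they can read,
    and confidential documents never leave the portal."""
    return can_read(user, doc) and doc.classification != "confidential"

def reclassify(doc: Document, classification: str) -> Document:
    """Re-tag a document; access rights follow the new metadata automatically."""
    return replace(doc, classification=classification)
```

A group-based model would need a membership change for every such re-tag; here the rules stay fixed and only the document's metadata moves.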
Risk of loss of productivity/competitiveness
Information fragmentation and bad work habits hurt productivity. As a result, the search for information becomes time consuming.
Employees use at least 6 systems, accounts or applications daily, which generates a lot of copy-and-paste. Similarly, the mailbox is consulted 10 times per hour.
Poor information management increases the stress level of half of employees. It weighs about a quarter to a third on the balance between personal and professional life, and about a quarter on overall job satisfaction.
Productivity issues can turn into human resource issues.
The absenteeism rate in France increased by 37% between 2017 and 2021, and by 54% among young people in 5 years.
We need tools that are easy to use and that facilitate information discovery. The way an accountant searches for information is not the same as for someone in IT or marketing, so the same classification should not be applied to everyone; instead, multiply the angles of classification without duplicating information.
Reminders (callbacks) and workflows should be used to avoid failures.
Ideally, a single interface provides a 360° view of the information.
Integration with Office tools and interfacing with tools such as SharePoint are very important, as they bring the power of information management tools into these solutions. This avoids switching from one interface to another, which wastes time, causes confusion and hence errors.
Finally, it is important to measure good adoption of information management solutions and ensure that the adoption rate is optimal.
Human risk includes negligence and malice.
Whether it is a work USB key lost in a public place or a fraudulent email that gets opened, human error is always possible despite IT security.
Telecommuting increases the risk through weak passwords, file sharing, phishing and hacking.
Another risk is the loss of knowledge when an employee leaves the company, hence the value of establishing collaborative workflows.
The policy for assigning access rights prevents losses when a person leaves the company. A good employee onboarding process helps avoid human error.
To see where the fault lies, it is essential to have good visibility into what happened when the data was leaked.
Companies do not realize how important information is: responses to calls for tender, for example, can inform future bids and be reused during project delivery. This is done by linking documents to each other, which constitutes an information graph.
Each company has its own technical legacy: heavy, outdated systems that are expensive to maintain and manage and no longer evolve, but which are not abandoned and to which SaaS solutions are added. Eventually this technological mille-feuille scatters data, which the company then has to fight against.
To prevent technology from hindering smooth operations, it is better to avoid multiplying systems, since each brings its own specific risks, and to avoid service interruptions by guaranteeing high availability, which requires redundancy. Business Continuity (PCA) and Business Recovery (PRA) plans are required in anticipation. In the event of an internet outage in the offices, for example, it is essential to have a plan to switch to teleworking.
Over time, it must be verified that IT is scalable and will adapt to increases in load, while guaranteeing a degree of reversibility with extractable data in a clear, unencrypted format so that it remains readable.
About the Author
By Malo Genequin, Pre-Sales & Solutions Director at M-Files