Risky business

Analysis of Recommind’s 2010 Edisclosure Survey, as discussed at a recent industry roundtable – plus information on the launch of a new website dedicated to helping those responsible for keeping our information safe

When it comes to IT-related buzzwords, the concept of information risk management is nothing new. Organisations have been tightening their security issues – and spending a lot of money on technology in the process – for years. Prominent drivers that immediately spring to mind for the initial influx include the introduction of Sarbanes-Oxley in 2002, and the emergence of e-mail as the de facto communication method for the forward-thinking organisation.

What has certainly changed is the sheer volume of information and data that the average business has to handle. Information overload has tested the mettle of even the most savvy information manager or knowledge worker, not only in terms of how to make it searchable and accessible in order to drive innovation and efficiency, but also as tighter enforcement on e-discovery is driven by numerous legal regulatory bodies and high-profile legal cases.

Media coverage of recent events including the Gulf of Mexico disaster involving BP, the Toyota product recall and Goldman Sach’s civil fraud case have highlighted the issue. Indeed, while the oil disaster on its own will not immediately strike an information management chord, BP’s subsequent failure to produce data in the aftermath of the episode – and the suggestion by journalists and industry experts that it may not have been completely in control of its business-critical information – hammers home the importance of being on top of your information risk strategy.

So, as all kinds of organisations try to cope with information governance, security breaches and data theft, reporting transparency and regulations – and that’s before they even have to consider the activity of their employees on social networking sites and corporate e-mail – one message is clear. Once regarded as a challenge to organisations headquartered or operating primarily in the US, e-disclosure is fast becoming a very real concern for organisations in the UK and elsewhere. And businesses cannot afford to be lackadaisical in their management of the electronic information, which could ultimately be called upon during litigation.

With that in mind, Recommind, the eDisclosure Information Project, Exterro, Field Fisher Waterhouse, IntApp, Legal Technology Insider and the Risk Roundtable have joined forces to launch the Inforiskawareness website. Primarily aimed at enterprises in the UK, the partner organisations hope to establish the site as a one-stop shop for all matters concerning the mitigation of information risk. Key topics that will be covered include e-disclosure, compliance, cloud computing, insider fraud, information barriers and confidentiality management.

The site will feature related news and events, knowledge resources including articles, research and white papers and a blog, with a view to encouraging organisations to use it as a meeting place to share ideas and best practices. LinkedIn and Twitter feeds are also in the pipeline.

Of course, while the website may prove to be a worthwhile investment in the long term for those partners offering technological and consultancy services, there is a need to raise awareness around information risk and the requirement for such a forum is clearly evident, if the results of related research by Recommind are a reliable indicator of the current state of play.

The results of the second annual E-discovery survey were discussed at a recent roundtable featuring a panel including Simon Price, European director at Recommind, as well as vice president of marketing Craig Carpenter; IntApps EMEA general manager Jon Roscow; and, Chris Dale of the eDisclosure information project.

Presenting the key findings of the research, which was conducted from an IT and CIO perspective, Carpenter’s opening comment was that there was good news and bad news. The former being that awareness of the issues surrounding governance and compliance issues had increased, perhaps in no small part due to growing media coverage. Seventy-nine per cent of respondents said that they were thinking of putting an information risk strategy in place.

On a less positive note, ‘ensuring compliance with existing and forthcoming regulations’ came second to ‘document management and enterprise search’, when respondents were asked where they were focusing their information management budget in 2010. E-mail management was also fairly low down in the list, at just 17 per cent, while document management and enterprise search were the focus of 38 per cent of respondents.

The disconnect between awareness and spend was linked to the fact that security breaches might be more visible purely because security is an ‘older’ and better understood issue. Another consideration was that if awareness had increased then the relevant programmes would surely follow – although the panel warned against complacency and referred again to the news items featured earlier, as a reason not to risk ‘playing catch-up’, to those organisations yet to move in this area.

“We want companies to be aware,” said Carpenter, adding that the problem was more urgent and acute than some organisations might give credit to when it came to budgeting.

Confusion over who within the organisation was actually responsible for information management, compliance and information governance was also a cause for concern. While IT, KM and information management may be on top of the day-to-day aspects of information management and retrieval, they might not have the level of understanding required to take on board the risk and governance procedures. A lack of correlation between information, legal and risk departments could cause serious problems – and IT hasn’t traditionally been perceived as maintaining close relationships with other areas of the business.

“We see this when we implement search products on the information management side and open up all their data,” said Simon Price. He added that many people didn’t understand that once you expose data through a more powerful system it becomes less secure – especially if people don’t understand the various rules and procedures that apply when they add content to the system. While the technological tools may support security, the people who manage the content needed to be trained in the appropriate use of the system, and where to store different information types.

Web 2.0 and social media
Another ‘surprising’ result was the prominence of Web 2.0 and social media tools, with 35 per cent of respondents considering them to be the biggest risks associated with their corporate information. Data breaches and fraud (91 per cent) and compliance and regulatory investigations (44 per cent) were perceived as the biggest threats (see Figure 1) but social media still made up 35 per cent of the results – ahead of new technologies including cloud computing and hosted data (24 per cent).

This particular finding prompted an in-depth discussion, focusing mainly on issues surrounding network monitoring and personnel training, in the use of social media technologies.

While operating in the cloud carried its own risks, they could be somewhat insured against through effective service-level agreement negotiation.

On the other hand, potential risks associated with the use of social media centred around more woolly, end user behavioural issues, which could prove difficult to train for. The point was also made that at any given time contractors could be coming in and out of organisations – and that there is currently a whole generation of users who conduct the majority of their communication on social media sites.

Therefore, such individuals need to feel comfortable – and happy – in their work environments, so that they aren’t tempted to place their own career and their company’s information at risk by posting disgruntled comments (or giving away client know-how or relationship statuses), which could later be called upon.

In this sense, the ‘insider’ potentially carries more risk than the ‘outsider’ when it comes to information security.

E-disclosure
Returning to the subject of litigation and e-discovery, Chris Dale of the eDisclosure Information Project pointed to a rise in the number of UK judgements in recent months, where organisations and individuals had been ‘scarred’ by “… oversights that were wholly inexplicable by any standard, never mind the rules.” He described e-discovery as a process that had switched from being the right thing to do, to an important aspect of any information risk policy – but also commented that many people have actually been put off litigation because of the perceived cost of e-disclosure, which was an area that needs to be addressed. He added that more attention needed to be paid to the existing rules and cost awareness – as in many cases that he had seen involving regulatory bodies, cost wasn’t a significant issue.

Closing thoughts
The overriding message was that while organisations may have previously been complacent in the area of information risk, it is an issue they can no longer afford to overlook – and failure to implement effective risk policies could cause major issues further down the line. The panel urged businesses to be proactive and to think ahead of the curve, stating that ignorance would not be a defence when new rules and regulations are enforced.