What is Information and Why Protect it?
What exactly is information?
Information is often defined as data with context. By this, we mean presenting or grouping data together in such a manner that is understandable by the persons or systems accessing it. For example, the number 102275 does not mean very much – it is simply data. However, if we are then informed that this number represents a customer birth date (i.e. mmddyy 10-22-75), this data now has context and becomes potentially sensitive information.
Information can be represented in many forms. It could be an article written on paper or a document stored electronically; it could be sent in the post or transmitted electronically, displayed on a slideshow or spoken over the phone. As information is a significant asset to a business, it must always be protected regardless of the form or how it is stored or transferred.
What Types of Information Require Protection?
There are many different types of information that you will encounter on a day-to-day basis within the workplace. Let’s examine some common types and why each one may require protection. This is by no means an exhaustive list and there may be other types of information requiring protection in your workplace.
Intellectual property such as trade secrets, patents and trademarks is extremely valuable to a business. If this type of information is not appropriately protected, the business could lose any market lead or competitive edge and lose out financially.
Reputation and Brand
The protection of both reputation and brand is of the utmost importance to any successful business. It takes years to build a good reputation, but only seconds to destroy it. Successful brands can be valued in the billions of dollars, yet can be devalued by counterfeiting operations or others looking to trade off the brand for their own gain.
Personally Identifiable Information (PII)
Personally identifiable information such as social security numbers, customer addresses and dates of birth requires protection in order to prevent identity theft and to comply with the many information privacy laws.
Financial information such as statements, bank account numbers and credit cards needs protection for financial regulation and legal compliance, to prevent fraud and to avoid the severe financial penalties associated with not protecting it.
You wouldn’t want anyone other than your doctor knowing your medical history, so understandably, this type of information must be protected and only made available to authorized individuals. If a person’s medical history were public, it could be unfairly used against them.
Mergers and Acquisitions
Companies often merge with, or acquire, other companies and this type of transaction creates information that needs protecting. If information about an upcoming merger or acquisition were to be leaked, it could harm all parties involved, affect share prices or be used for financial gain.
Information relating to the IT infrastructure of a company such as passwords, network details or firewall policies requires the highest protection. This type of information is highly sought after by criminals, as the protection of all other information types usually relies on this being kept secret.
How is information represented?
Information can be represented through many different media. Some of the most common representations follow.
Electronic Files and Documents
Information is often stored electronically in files and documents, and must be appropriately protected when at rest (i.e. in storage) and when transferred, to prevent unauthorised access. Restricting access and/or encryption are the most common methods of protecting sensitive electronic files and documents.
Removable Storage Media and Devices
Information stored on removable storage media (e.g. CDs, DVDs) or devices (e.g. USB drives) is readily lost or stolen due to their small size. Therefore, sensitive information stored on removable storage media and devices must always be encrypted. Devices and software are available that will ensure all stored information is automatically encrypted.
Application Database Records
Sensitive information is often represented as database records, such as customer account databases. It is critical that these records are appropriately protected and access restricted.
Hard Copy Documents
Hard copy documents (e.g. paper based bank statements or financial reports) must be handled appropriately in accordance with their sensitivity. All sensitive information must be securely stored and then shredded when no longer required.
Email is a common method of communication and care should be exercised to ensure sensitive emails are encrypted so that they cannot be compromised. Never open attachments or click on links in emails from unknown or untrusted senders and look out for phishing emails that request personal information.