by Kevin Craine for Workflow
With cybersecurity increasingly in the news, many organizations are taking another look at their own security. When doing so, there are many obvious areas to examine, but it is important to look closely at some commonly overlooked sources of potential security risk as well. Those include information captured in an image archive or document management repository, which can include data like social security numbers, financial and medical records, addresses and phone numbers. These pieces of information can translate into great prospect and profit for cyber-thieves. Is your organization protecting them?
Cyber-Theft on the Rise
Cyberattacks are regular news stories these days. The F.B.I. now ranks cybercrime as one of its top law enforcement activities, and federal spending on cybersecurity will jump to more than $19 billion in 2017, a 35 percent increase over 2016.
The harbinger of the current cyber-theft trend is the December 2013 breach of systems at retail chain Target. Now it seems another hack happens at least once a week.
The list of organizations hit by hackers grows every day and the victims read like a who’s who of today’s most prominent brands. Primera Blue Cross in Washington State said up to 11 million customers were affected by a cyberattack last year. The huge attack of IT systems at Sony essentially wiped clean several internal data centers. More recent newsmakers are such diverse entities as the DNC and Yahoo.
Increased Archive Security
What can you do to increase the security of your private data housed in image servers and document management repositories? It is important to adopt ever more advanced threat protection solutions and strategies that leverage new technologies and approaches. One method that can be effective is automatic redaction. In advanced capture systems, field-level redaction capabilities can conceal certain types of content before it is entered into an archive. Some systems go a step further with the ability to perform a look-back analysis that recaptures and redacts sensitive data that has been overlooked and could result in increased exposure and risk. These automatic redaction capabilities enable more comprehensive privacy and data security strategies that boost information governance overall.
Another important step is to recognize that not every bit of information contained on every document needs to be imaged and archived. For example, you may want to capture and identify a social security number on a contract or authorization form, but once that information is entered into a line of business system it may not make sense to store it an image repository. Indeed, the social security number may have no remaining value in terms of archive, but it certainly will present a significant risk if a security breach should occur. And a 20-year-old image archive may indeed be a tempting target for hackers. Automatic redaction is therefore an important capability because it gives organizations the tools and the ability to effectively address and manage the risk of handwritten data, and implement thoughtful strategies to protect that information from data breaches and cyber-attack.
Critical Security Controls
The Center for Internet Security (CIS) is an organization dedicated to enhancing the cybersecurity readiness and response among public and private sector entities. CIS is the current home of CIS Critical Security Controls for Effective Cyber Defense, a list of 20 key actions, or security controls, that CIS states are a “concise, prioritized set of cyber practices created to stop today’s most pervasive and dangerous cyber attacks.” It is a valuable checklist that you can also use to evaluate how your systems and strategies address major threats and vulnerabilities. Download the CIS Controls For Effective Cyber Defense V. 6.0 at https://www.cisecurity.org/critical-controls. According to CIS, organizations that apply just the first five can reduce their risk of cyberattack by around 85 percent, while implementing all 20 increases the risk reduction to around 94 percent.
A Lack of Strategy Will Cost You
Cyber-theft is on the rise, and so are associated costs. The Ponemon Institute 2015 Cost of Cyber Crime Study showed the mean annualized cost of cyber-crime per organization in the United States at $15 million per year; a 19 percent increase over the previous year. The direct costs include hiring experts to fix the breach, investigating the cause, setting up hotlines for customers and offering credit monitoring for victims.
The real cost of cyber-theft is the lost and damaged goodwill in the market – both customers and Wall Street are wary after any breach, and many companies struggle to survive. One good example is the breach at Target; years after the event the company still faces a number of government investigations and more than 80 lawsuits. As a result, Target continues to battle the negative impact on its reputation and loss of confidence of its customers.
What Can You Do?
The Department of Homeland Security suggests a few simple steps to keep personal information safe at work and at home:
Set strong passwords and don’t share them with anyone.
Keep your operating system, browser, and other critical software optimized by installing updates.
Maintain an open dialogue with your family, friends, and community about internet safety.
Limit the amount of personal information you post online and use privacy settings to avoid sharing information widely.
Be cautious about what you receive or read online—if it sounds too good to be true, it probably is.
Organizations can no longer afford to overlook the risk of sensitive data housed in an image archive, especially as demands for improved information governance increase. Criminals are becoming increasingly ingenious and sophisticated, and attacks are both more frequent and more complex. What should you do to move forward? Look for solutions that automate the redaction process, both going into the archive and when documents are retrieved. Look for providers and partners that provide the right mix of experience, vision, and advanced capabilities that leverage the full value of technology to battle cyber-theft.
Kevin Craine is the managing director of Craine Communications Group.
This article originally appeared in the November 2016 issue of Workflow.