Over the past decade, information security has gone from being a domain of concern exclusive to finance and law firms, to a fast-evolving challenge that has ramifications for all parts of society and industry. While the online era has been a boon for those dealing with large amounts of data, it has also fostered the development of a new illicit marketplace for both digital and paper-based information due to the ease of duplication and dissemination. Information management has an important role to play in the effective security of physical and electronic information, with unique considerations in each sector.
In late 2016, Experian Data Breach Resolution released its fourth annual Data Breach Industry Forecast. In it, the company predicted that the industry hit hardest by cyber security breaches in 2017 would be healthcare. “Traditionally healthcare providers [have been] in the business of saving lives,” says Lee Kim, HIMSS director of privacy and security, “so [IT security staff] have a difficult time competing for budget dollars.” According to a Ponemon Institute study released in February 2016, almost half (48 percent) of healthcare organisations had experienced an incident involving the loss or exposure of patient information during 2015. This area of weakness also makes the healthcare sector vulnerable to ransomware attacks, which may not necessarily breach private records, but can shut down access to crucial patient data when it is needed most. The quality of a healthcare organisation’s information management can have a significant effect on its exposure to these digital intrusions, as well as the physical security of paper records.
A similar situation exists in the legal sector, where the importance of information security is underscored by the duty of confidentiality. “We’re seeing many other sectors becoming just much faster fish,” says Dave Coughanour, director of security and information management at K&L Gates. “It’s harder to hack into a bank, it’s harder to hack into a defence contractor or critical infrastructure company, so hackers are shifting their focus to what they perceive to be the weaker link in the chain, which is why law firms need to ensure their cyber security systems are keeping up with other industries.” Law firms also deal with a large amount of paper-based information, which needs to be handled carefully. Paper files cannot be hacked, but they can be lost or stolen, and certain retrieval and delivery methods make that more likely.
Government agencies can often lag behind on security due to complex decision-making processes, tight budgets, and a greater focus on core competencies. The OAIC Community Attitudes to Privacy Survey Research Report 2013 found that public confidence in the ability of government to handle personal information had fallen since 2007 — with financial institutions now viewed as more trustworthy than government agencies. This is certainly understandable in light of the high-profile political data breaches that have been making headlines with increasing frequency since the 2010 WikiLeaks scandal. It puts pressure on government agencies to not only tighten up any security loopholes but, perhaps more importantly, to prove to the public that sensitive information is being managed properly.
Finance companies have long been ahead of the game in physical and cyber security due to the tremendous costs of a breach, both in terms of direct monetary loss and reputational damage. However, as information security has become part of regulatory standards, the finance sector faces challenges in the form of compliance. Penalties for failing to maintain appropriate security can potentially be greater than the cost of a breach itself. While companies in the finance sector may be intimately aware of their security obligations, a weak information management system can make compliance more complex than it needs to be — and ultimately cost an organisation through significant fines and lowered efficiency.
 Office of the Australian Information Commissioner, Community Attitudes to Privacy Survey, Research Report 2013.