Of the many fads and three-letter acronyms scattered across the annals of the technology odyssey, two have emerged as key components on any CIO’s top 10 list of strategic positions, namely: big data and cybercrime.
The increasing amount of sensitive client data amassed by law firms, the move to an ‘everything online’ digitalisation model, and the historically low cost of storage have created a huge online stockpile for law firms that has put ‘big data’ management firmly on every firm’s risk register. Buying disk space is only part of the equation. Making this data safe is a critical issue, which means understanding the data and ensuring it is secured and ready to be recovered in the event of adversity. Further, retention policies need to be overlaid to ensure that when the regulator comes knocking, there is neither too much nor too little information buried in disks spread across your firm.
Few would disagree that the data explosion generated by every business is overwhelming. According to IDC, the world’s data is doubling every two years and equates to 1.8 zettabytes (1.8 trillion gigabytes), a figure which has subsequently been revised to a staggering 2.8 zettabytes.
And it shows no signs of slowing. Data comes from mobile, internet and traditional sources, and people are evolving from information consumers to producers by creating their own data. The exponential growth of data and its connectedness has increased compromise incidents, taking us into the darker side of big data – cybercrime; something that makes little distinction between large and small businesses.
Cybercrime is not just about businesses being under threat from fraudsters or those looking to cause heavy disruption. It is now a well-organised and highly professional industry. So what can be done to attempt to manage it?
1. Put in place a risk management committee to review and manage the risks and connect this to the board. Ignore data management and security at your peril. If the regulator comes knocking there won’t be much sympathy for those showing no awareness or competence.
2. Establish ownership for data protection and information security and make it accountable to the risk committee. Put in place simple but effective data access policies and controls for systems and key data, and detail who should have access to what.
3. Understand your data. Where is your business data and your client data? Design a data strategy or, at least, start with a workable retention policy that covers both paper and electronic material.
4. Take advice on your IT security position to ensure you have a reasonable level of defences against external attacks and malware. Also commission regular penetration tests of your systems.
5. Take an honest view of your capability and consider moving data and applications to a competent cloud operator. Cloud operators of substance make security a centrepiece of their proposition and commit more money to the matter than you could possibly do.
6. Obtain the Information Commissioner’s Office (ICO) guide for small and medium-sized businesses, which sets out a series of clear, practical steps to help make your IT systems safe and secure.