Openness is not an endpoint, it’s a process that involves compromise. Even organizations that emphasize transparency must strike a balance between openness and security.
Data security is based on what and how much each person or department needs to know, including extending some level of privileges to employees working remotely as well as outside partners and suppliers.
Companies whose corporate culture allows greater sharing may be reluctant to revoke or reduce those privileges, fearing resentment if employees suddenly don’t feel trusted. This reluctance needs to be reconsidered given the realization that cyberattacks occur constantly and are becoming more sophisticated with every iteration. The growth of regulations, with the potential for severe penalties provides another level of pressure to lock your data down.
The first step to creating appropriate information sharing parameters –who, what, when, where, and how – requires knowing the information itself. What information is being created and used on a regular basis within the organization? How valuable is that information to daily operations? How damaging would it be if that information were to leave the organization? Who needs to know that information and from whom should it be protected, both within the organization and without?
Once the information is fully known from all perspectives, then it should be classified. How valuable or critical is it? For how long will it be valuable? Is it personally identifiable information? Financial data? Who should be accessing it? Who shouldn’t? When does it importance to the organization diminish? Does it diminish? By answering these questions, the information can be classified appropriately.
Now is the time to get employees involved. Educate them about why it’s being done and reinforce their role. Ask them to participate in the discovery and classification process. After all, no one knows the information better than they do.
OK. Now you have knowledge and classification. The next steps – ongoing visibility and governance. You know what the information is, how it should be used, and how it is classified – at a single point in time. Information is dynamic, and you need to have an ongoing picture of its usage as well as the ability to govern and track the usage, receiving alerts when things are not as expected and receiving reports on a regular basis when they are.
The goal is to maintain the open knowledge-sharing atmosphere that you’ve worked so hard to develop while increasing security without damaging morale. Given the widespread knowledge of well-publicized hacks, employee buy in may be much easier than you realize.