By Lisa Simmons
Last year saw a spate of document security breaches and inadvertent leaks of sensitive information in Australia and globally that have left government departments reeling with thoughts of what the consequences could be if a similar thing happened to them.
In August 2005, Victorian Premier Steve Bracks said he was “sick and tired” of security breaches following revelations of incidents where classified files from the police database were inadvertently leaked.
In one Victorian case, a prison officer, who applied to see his police file, received 1000 files on other people, including the names and addresses of victims and alleged offenders. While the breach was due to human error and was not malicious, the damage it caused was far-reaching, with major legal ramifications.
“The inside-out threat is still not understood or taken seriously by enterprises and government agencies here in Australia,” said Andrew Pearson, vice president, Asia Pacific, Workshare.
“They don’t yet comprehend the considerable technical and business risks they face because they are focused on more widely publicised external threats such as viruses or hacking. But the threat from within has the capacity to cost departments millions of dollars in lawsuits, as well as unquantifiable damage to ministers and their agencies.
“Many agencies believe they have effective data governance policies and document integrity solutions. Frankly, many don’t. Their policies are flawed because the onus is on people to make manual document security and integrity checks, rather than using effective technology to do it for them automatically and transparently.”
Use and distribution of information
According to information management and eBusiness consultants iFocus, cultural issues were often the root cause of compliance problems such as leaked confidential information and disastrous process-related events resulting from misinterpretation of information.
Jason Kaminski, senior information management consultant at the company, urged organisations to build a culture of ‘information literacy’: an ‘information literate’ person understood the fundamental cultural, ethical, economic, legal and social issues surrounding the creation, use and distribution of information.
“Most employees are expected to create, use and manage information and make informed decisions,” he said.
“An information literacy framework should be standard for all people involved in the information lifecycle throughout an organisation.
“A common mistake is for business units to rely on IT departments to manage information, without enough emphasis on building information literacy throughout the whole organisation.”
Mr Kaminski said successfully managing information required a focus on two very different areas: technical tools and human behaviour.
Many organisations placed too much reliance on the technical side and were literally inundated with technologies for storing and managing structured data, he said.
“Database management principles have been around for a long time, and are usually founded on tested theoretical models,” Mr Kaminski said.
“Repositories of unstructured data, such as human communications, documents and images present a greater challenge because it is difficult to model human expression, thinking and language in a purely theoretical way.
“Business rules and procedures provide governance for managing information, but it is the people’s ability to understand and interpret those rules that often fails.”
In some cases, this may have disastrous results. A worst case scenario Mr Kaminski cited was the infamous 1988 Piper Alpha oil rig disaster, which claimed 167 lives. A subsequent enquiry found the documentation systems for managing technical maintenance were in place, but they were not followed or properly monitored. There was also a fatal flaw in the design of the permit-to-work system, which no one recognised until it was too late.
Errors of judgement
Avoidable privacy breaches, where confidential information is accidentally disclosed to the public, also present a considerable risk to most organisations. The recent controversy surrounding improper access to Victoria’s police database showed the damage leaked information can cause.
“A common reaction is to invest in more technology or to throw even more information at a problem. Organisations can reduce the risk of improper use of information more effectively by increasing their commitment to human information literacy,” Mr Kaminski said.
Organisations could protect themselves from making major errors of judgment by establishing rules and systems governing information use and management, and by appointing a governance team to manage these rules. But to be sure of success, Mr Kaminski believed organisations must consider their overall information management capability as an integral aspect of their organisational culture.
In particular, the cultural side of information management should be included in disaster recovery and business continuity planning.
“I am amazed that many organisations still overlook the complete picture when it comes to disaster recovery,” he said.
“An organisation will often take steps to perform the usual data and systems backup, but forget to protect the cultural knowledge needed to make the information accessible, usable and governable.”
In this way, information literacy assisted with both prevention and cure of disaster, according to Mr Kaminski, who believed the benefits of information literacy far outweigh the planning effort required to achieve it.
“Information literacy standards can be built into induction training and learning initiatives, and included in position descriptions and performance reviews, and so on,” he said.
Organisations remaining information ‘illiterate’ not only remained vulnerable to liability; they positioned themselves for data overload.
“Data overload is obviously a by-product of an information-based economy,” Mr Kaminski said.
“But you can’t solve information management problems by producing more information or building a new system. Sometimes less is more.
“Rather than feeding an addiction to information, we need to find ways of using the information and systems we already have more wisely.”