What is the cost of poor information asset governance?
By James Price, Managing Director, Experience Matters
- The past six months have shone a spotlight on information assets, as a result of significant data breaches and the impact of artificial intelligence (AI).
- These events have highlighted the enormous challenges we face in how we govern, manage and protect our data, information and knowledge.
- Organisations need to understand what information assets and liabilities they have, and how valuable and vulnerable they are.
The cost of poor governance, both financial and societal, is escalating rapidly.
The last few months have been exciting for those in the information assets industry. Two major developments have put information assets centre stage.
- Recent cyber attacks have resulted in extremely damaging data breaches
On 22 September 2022, Australia’s second largest telecommunications provider became the victim of a cyber-attack that resulted in the disclosure of its customers’ personal information. ‘With up to 9.8 million Australians having their personal details stolen…, customers have started voting with their feet – 10 per cent of those using their mobile service have left the company since the breach…[and]…56 per cent of current customers [are] ‘considering changing telcos as a direct result of the cyber-attack’, while 10 per cent had already done so, according to the annual EFTM Mobile Phone Survey’ (News Corporation).
It appears that the cause of the breach was IT staff using production data in a poorly protected test environment. One wonders whether the breach could or would have occurred if ultimate accountability for the quality, protection and exploitation of the organisation’s information assets had belonged to a single person, as is the case for the organisation’s financial assets.
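The cause attributed to that breach, production data copied into a weakly protected test environment, is the one technical failure this article names, and it is avoidable: a test system should receive a pseudonymised extract, never the live identifiers. The following Python example is added here to illustrate that control; it is not from the article or from any of the organisations mentioned. The field names, the sample records and the per-environment HMAC key are all constructed assumptions.

```python
"""
Added example (not from the article): pseudonymise a production customer
extract before it is copied into a test environment, so a weakly protected
test system never holds real identifiers. Field names, the HMAC key and the
sample records are constructed for this illustration.
"""
import hashlib
import hmac

# Identity documents are never needed to test an application: drop them outright.
DROP_FIELDS = {"passport_number", "drivers_licence"}
# Keys that must stay consistent across tables so joins in the test data still work.
TOKENISE_FIELDS = {"customer_id"}
# Direct identifiers replaced with synthetic values derived from a keyed token.
SYNTHETIC_FIELDS = {"name", "email", "phone"}


def _token(key: bytes, value: str) -> str:
    """Deterministic keyed pseudonym. Without `key` the mapping cannot be
    reversed or rebuilt from the masked data alone."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise_record(record: dict, key: bytes) -> dict:
    """Return a test-safe copy of one record; the original is not modified."""
    out = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue
        if field in TOKENISE_FIELDS:
            out[field] = _token(key, str(value))
        elif field == "email":
            out[field] = f"user-{_token(key, f'email:{value}')}@example.invalid"
        elif field == "name":
            out[field] = f"Customer {_token(key, f'name:{value}')[:8]}"
        elif field == "phone":
            out[field] = "0400000000"  # fixed placeholder; real numbers add no test value
        elif field == "date_of_birth":
            out[field] = str(value)[:4] + "-01-01"  # generalise to year of birth
        else:
            out[field] = value  # non-identifying business data is kept as-is
    return out


def pseudonymise(records: list, key: bytes) -> list:
    return [pseudonymise_record(r, key) for r in records]


def leaked_identifiers(originals: list, masked: list) -> list:
    """Control check: list any production identifier that survives verbatim
    anywhere in the masked output. An empty list is the release gate."""
    sensitive = DROP_FIELDS | TOKENISE_FIELDS | SYNTHETIC_FIELDS | {"date_of_birth"}
    haystack = " ".join(str(v) for rec in masked for v in rec.values())
    leaks = []
    for rec in originals:
        for field in sensitive:
            if field in rec and str(rec[field]) in haystack:
                leaks.append((field, rec[field]))
    return leaks


# Constructed sample extract: not real customers.
SAMPLE_CUSTOMERS = [
    {"customer_id": "C1001", "name": "Ann Example", "email": "ann@example.com",
     "phone": "0412345678", "date_of_birth": "1985-06-14",
     "drivers_licence": "12345678", "passport_number": "PA1234567", "plan": "mobile-50"},
    {"customer_id": "C1002", "name": "Bob Sample", "email": "bob@example.com",
     "phone": "0498765432", "date_of_birth": "1972-11-02",
     "drivers_licence": "87654321", "passport_number": "PB7654321", "plan": "nbn-100"},
]
SAMPLE_ORDERS = [
    {"order_id": 1, "customer_id": "C1001", "amount": 50},
    {"order_id": 2, "customer_id": "C1002", "amount": 100},
]

if __name__ == "__main__":
    # Assumed: a secret issued for the test environment, never a production key.
    key = b"per-environment-secret"
    customers = pseudonymise(SAMPLE_CUSTOMERS, key)
    orders = pseudonymise(SAMPLE_ORDERS, key)
    assert orders[0]["customer_id"] == customers[0]["customer_id"]  # joins still work
    print("leaked:", leaked_identifiers(SAMPLE_CUSTOMERS + SAMPLE_ORDERS, customers + orders))
    for rec in customers:
        print(rec)
```

Deterministic keyed tokens keep joins between tables intact, so the test data stays usable; identity documents are dropped rather than masked because a test environment has no use for them; and `leaked_identifiers` is the check a release gate would run before any extract leaves the production boundary. Pseudonymisation shrinks what a test-environment breach can expose, but it does not replace the governance this article argues for: someone still has to own the decision about which fields leave production at all.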
A private health insurer also suffered a cyber-breach that disclosed personal data, which ultimately found its way to the dark web. ‘…about $1.75 billion was wiped off the market value of Australia’s biggest health insurer after its shares resumed trading on Wednesday … [The] chief executive said the full extent of its remediation and compensation costs for customers would take time to become clear, but put the immediate costs between $25 million and $35 million’ (Australian Financial Review).
Further to these eye-watering costs, the Australian Broadcasting Corporation reported that, ‘Three law firms have joined forces to launch a data breach legal case against [the] health insurance company. This comes after the personal data of about 9.7 million customers was leaked by hackers last year. [Three law firms] have united for the case. The law firms say they will now pursue the complaint seeking compensation for those affected by the data breach’. Surely the shareholders are less than happy about that.
Some 7.9 million driver’s licence numbers and 53,000 passport numbers were stolen from a consumer lender, which said that some of the documents stolen dated back to at least 2005. A further 6.1 million customer records were also stolen, of which 5.7 million were provided before 2013. These records include information such as names, addresses, phone numbers and dates of birth. The chief executive officer said, ‘It is hugely disappointing that such a significant number of additional customers and applicants have been affected by this incident. We apologise unreservedly’. Shares in the lender dropped more than 3 per cent in a day as traders weighed the potential financial and reputational costs to the company. The Guardian further reported that multiple law firms are investigating the viability of legal action and that the Minister for Home Affairs is involved.
In November 2022, following these significant events, the Australian Government passed legislation allowing the Office of the Australian Information Commissioner to seek a penalty of up to $50 million for repeated or serious data breaches. In addition, the lender has promised that it ‘will reimburse those wishing to replace their stolen ID documents’, its share price has dropped and significant damage has been done to its corporate reputation.
These breaches underscore the fact that your information assets are both valuable and vulnerable. They highlight the importance of identifying and protecting your most valuable and vulnerable information assets, and the cost of failing to do so. To protect your information assets, you must govern and manage them well, and that requires far more than buying a new firewall. These breaches raise questions about how companies capture, create, use and store data, and why many businesses hold on to old customer records. Old customer records are not assets; they are liabilities, and the cost of those liabilities can be significant: every record retained past its useful life is one more record that can be stolen.
A number of more recent studies have shown that since the COVID-19 pandemic:
- 44 per cent of security incidents were caused by employees (IDG Security Priorities Study 2021)
- 33 per cent or more of all cyber incidents involved internal actors, and over 33 per cent included social engineering (Nixu 2021)
- 94 per cent of organisations experienced insider data breaches in the previous year (Egress Insider Data Breach Survey 2021)
- 88 per cent of data breaches are caused by human error (Stanford University 2020).
These are important findings because they expose this as a business, not a technology, issue. A new firewall will not elicit the change in behaviour and corporate understanding required to address the issues being faced.
If you want to assess your own corporate information asset management and vulnerability, ask yourself these questions:
- What information assets does your organisation have and deploy? Is corporate knowledge treated as an asset?
- Which information assets are the most valuable? How is the value calculated?
- Which information assets are the most vulnerable? How is the vulnerability identified?
- Does your organisation treat its data, information and knowledge as a critical business asset?
- What governance (ie, oversight and control) do you exercise over these assets?
- If your organisation governed and managed its money the same way it governs and manages its information, what would it look like?
- Who is the one person accountable for making the information available to the right people at the right time? Who will be sacked if the right information is made available to the wrong people?
- Which of the organisation’s information assets are on the asset register?
- Which of the organisation’s information assets / liabilities are on the risk register?
- When does an information asset become an information liability?
- How are information assets, including data, information and knowledge that is no longer of value to the organisation, managed throughout their lifecycle?
- There have been some extraordinary technological developments, particularly in Artificial Intelligence
ChatGPT is taking the world by storm, and the responses have been interesting. An article on the front page of The Weekend Australian was entitled ‘Chatbot cheating alarms schools’. Here are a few lines from it:
‘Goodbye homework’ was the response of … Elon Musk, in a recent Tweet. ‘New York’s Education Department has already banned the use of ChatGPT on the grounds that it does not build skills for critical thinking.’ and ‘The [NSW Department of Education] is reassessing its assessment method — potentially requiring students to give verbal or handwritten responses to assignments…’
Our team at Experience Matters is in the middle of a long and thoughtful debate about what ChatGPT is going to do to our business. One of my team says, ‘Our clients will not need us anymore. They will install ChatGPT and they will be able to find everything.’ My response is that finding information is only one component of managing it. There is no software in the world that can understand the context of its search and get the right data for itself. No software can understand the complexities of the organisation and determine for itself what the organisation does, the assets it deploys, who does what, the data, information and knowledge they use every day, the value and vulnerability of those information assets and to whom, where to put them, what to call them and when to destroy them, so that the right information is made available to the right people at the right time.
There is a common theme emerging here. If you want to protect your organisation, and if you want to make the most of your most valuable and vulnerable asset, you must govern and manage it properly. This requires:
- appointing a single person and making them accountable for the quality of the organisation’s information assets, as we do for financial assets. This is a job for the Board and CEO
- identifying your most valuable and vulnerable assets. This is not hard: every person in an organisation can tell you what data, information and knowledge they use in their daily work, and
- thinking hard about the ethical considerations associated with your information assets, whether that data, information and knowledge is created and used by you or by a third party. Make sure you understand the privacy provisions under which you operate.
James Price can be contacted on 0438 429 144 or by email at james.price@experiencematters.com.au
Material published in Governance Directions is copyright and may not be reproduced without permission. The views expressed therein are those of the author and not of Governance Institute of Australia. All views and opinions are provided as general commentary only and should not be relied upon in place of specific accounting, legal or other professional advice.