Information Security in the Digital World

By Jo Stewart-Rattray

Once upon a time, not that long ago, computer networks were relatively secure because they were cut off from the public.  They existed within the organisation and were not connected to other organisations or the world as they are today.  The worst fears were about the introduction of computer viruses through the use of foreign media such as floppy disks!

However, things have changed considerably. Today we are connected to the world via the internet and, unfortunately, that connection has brought a rise in the level of malicious activity. There are targeted cyber attacks, intellectual property theft, internet scams and phishing exercises, to name just a few; all are malicious in nature, and unsuspecting end users continue to fall prey to them. The object of many of these attacks today is to obtain information that the attacker is not entitled to access.

The most important asset an organisation has, I believe, is its information. Businesses can rebuild workforces if they still have their corporate information, but the reverse is almost impossible, as the tragedies of the past decade or so have shown.

Information takes many forms: digital or paper-based records, spoken information, and intellectual information (knowledge) acquired by individuals. In each of these forms it is created, presented, read, spoken, processed and/or maintained.

One of the most common fallacies in organisations relates to the ownership of information and the responsibility for its protection or security. Information Security is often seen as the bailiwick of the records management team and is, therefore, completely misunderstood. It does cover the information contained in records stored in the records management system, but it is not solely the responsibility of that team. So whose responsibility is it?

The protection or security of information is the responsibility of every individual in the organisation who handles that information. In other words, everyone is responsible for the information that he/she creates, stores, transmits, maintains, manages and finally destroys.

Records Managers are the custodians of information, not the owners – another fallacy.  The business owns the information and is responsible for determining the criticality, confidentiality and sensitivity of the information which in turn dictates how it should be protected.

Commonly, there is a lack of governance and policy around the protection of information in many organisations. As electronic communication and information continue to grow, proper strategic oversight of the protection of information assets and corporate reputation becomes ever more important in corporate life. In today’s digital, always-‘on’ world it is important for organisations to grow a culture of security, so that individuals understand how to protect or secure corporate information assets appropriately.

While technology can protect against some threats to information, it is the people within organisations who need to understand how threats and dangers to information arise; they, together with the use of appropriate technology, provide the best defence. The best security technology in the world will not secure information assets if the people who work with that information do not understand that it is their responsibility to secure it!

What we want is for information security to gradually become enshrined in the day-to-day practices of each individual within the organisation, and for these practices to become integral to everything that each individual in the organisation does. The ultimate goal is that protecting information is just something we do without thinking about it. So the culture that began as an intentional culture of security works towards becoming an unintentional culture of security – the security utopia. This, in many respects, is what we have seen happen in Australia over the past 20 or so years with Occupational Health & Safety. Why shouldn’t it also be so for our most valuable corporate asset?

It was Thomas Jefferson who told us that “Information is the currency of democracy”. If information is indeed the currency of democracy, then we must surely secure and protect it appropriately.

Jo Stewart-Rattray is Director of Information Security & IT Assurance at accounting and advisory firm BRM Holdich. Jo has 25 years’ experience in the IT field, some of which was spent as CIO in the Utilities space, and 17 years in the Information Security arena. Email: jsr@brmholdich.com.au