Information Overload is a Myth

A search for the term “information overload” in Google returns 3.68 million results, the second of which is a good definition of the problem: “exposure to or provision of too much information or data.” Wikipedia expands on the issue by defining it as “…a term used to describe the difficulty of understanding an issue and effectively making decisions when one has too much information about that issue. Generally, the term is associated with the excessive quantity of daily information.”

While the definitions are accurate, the fundamental issue with information overload is not really a problem with having too much information. Instead, it’s that we don’t have information curated in such a way as to present a limited set of the right information. For example, when I type “who starred in the movie grand prix” into Google, the first thing that shows up is photos of the cast. Google also provided many pages of additional search results, but curated a limited set of options that were most relevant to my inquiry, and it was the first one that satisfied that query. So, if Google had returned 300,000 other links and images, I would not have been overloaded with information because I could disregard everything but the right answer presented to me at the top of the list.

Similarly, if I need to find an email I sent to a prospect three days ago, does it matter if I have 36,745 emails in my inbox if my search returns just the email I was seeking? Not really.

So, what we’re really talking about with information overload is a lack of good search and good curation, which often begins with inadequate archiving of the right information. In the workplace, that lack of good search, curation and archiving manifests itself in a number of ways, most notably in the amount of time that employees spend searching for information. For example, a Software Advice survey found that some employees spend at least six hours per week searching for paper documents. A McKinsey report discovered that employees spend an average of 9.3 hours per week searching and gathering information. When it comes to information that is even more difficult to find, such as the job and client experience of my fellow employees that I might bring to bear on solving a problem, it may take even longer to find this information, if I can find it at all. Add to this the problem of information held in various silos across the enterprise and the situation becomes untenable, leading to regulatory, legal and employee productivity problems of various types.

Consequently, information overload really is not a thing — but inadequate search, curation and archiving definitely is.

Your Most Important Information Silos

I had the pleasure of attending Igloo Software’s annual ICE conference in San Antonio last week. The conference was very well run and held in a beautiful venue in the Texas hill country, and was something of a cross between a tech conference, a seminar on HR issues, and a symposium on the future of work. Very definitely time well spent and next year’s conference in Las Vegas will be free — Igloo’s president has even invited the company’s competitors to join the conference!

Igloo is in the business of providing a “digital workplace” — a digital destination that allows employees to get information, share information and integrate a growing variety of corporate tools like email and file sharing into a centralized, cohesive experience. One of the fundamental goals of the Igloo platform is to significantly reduce the friction that exists in the traditional employee communication and collaboration experience that relies on email, file-sharing platforms and other less-than-ideal collaboration tools. Using the Igloo platform, employees can blog, share documents, find people within the company, manage tasks, share calendars, search for information and perform a wide range of other activities.

The ultimate goal is to improve employee engagement, which most all senior managers would acknowledge is valuable, but which too few prioritize with the resources necessary to make it happen. For example, a Towers Perrin study found that only 21 percent of employees are “engaged” on the job, eight percent are fully disengaged, and the rest are, at best, only partially engaged. Yet the more employees are engaged, the less likely they are to leave their employer, the lower their rate of absenteeism, the less likely they are to make mistakes on the job, and the more likely they are to please their customers — all of which results in lower costs and higher revenues.

One of the key benefits of Igloo’s digital workplace and solutions like it is the ability to reduce the negative impact of information silos. We hear lots about information silos in the context of physical repositories like email, CRM, ERP, HR systems and the like, and how these silos are proliferating as more cloud-based solutions are employed. Siloed information results in higher costs and more mistakes for activities like eDiscovery, litigation support, regulatory compliance or even just informal searches for data. Imagine, for example, conducting a Subject Access Request under the GDPR when you have 250 different silos of information to search through to find the requested information.

But what about your most critical information silos — the ones who go down the elevator shaft every night? Your employees are incredibly valuable sources of information that can provide enormous value above and beyond just what they do for your company — what they know that is not directly related to their job is also valuable. For example, what if Bob the salesman is trying to sell your company’s solutions to XYZ company. Would it be useful for Bob to know the decision influencers in XYZ that don’t show up on the organization chart and that might not have been at his introductory meeting? Maybe Alice the purchasing manager, who used to work at XYZ, might be able to provide some insight on who these influencers are. But if Bob and Alice don’t work together or even know each other, how is that going to happen? A digital destination that includes information on employees’ past experience can be the type of tool to bring employees together by breaking down the personal silos of information that we all possess.

Plus, a key value of a digital destination shared by most or all of the employees in a company is that it can bring people together in unexpected ways. For example, maybe Bob and Alice share photos of their pets or details of their river cruise down the Danube on the corporate digital workplace. That might be the catalyst that could start a conversation between the two that might end up providing useful information for Bob as he tries to sell into XYZ. At a minimum, a digital workplace enables a freer flow of information than would otherwise be possible and, hopefully, will make employees more engaged.

An Interesting Approach to Encryption

Encryption is essential for communications and files that contain sensitive or confidential information, and it’s important on a number of levels:

  • Users and their employers need to protect sensitive content like intellectual property, trade secrets, marketing plans, and even content like embargoed press releases when sent through email or stored in the cloud.
  • They also need to protect content that is subject to privacy regulations like the GDPR in order to avoid running afoul of their regulatory obligations.
  • Cloud providers need their customers to use encryption to prevent governments from successfully accessing confidential files: if customers’ files are encrypted and therefore inaccessible to providers, that effectively lets them off the hook, since they have no access to their customers’ content.

PreVeil has released an interesting technology that is designed to encrypt users’ emails and files. The system offers end-to-end encryption of content, including email subject lines and file names, using Curve25519 for key agreement and XSalsa20 for symmetric encryption (FIPS-compliant algorithms are also available). Every email and document sent through PreVeil is encrypted with a unique key, and no key is ever visible to the server that stores the information. Each user receives a public/private key pair, with the public key stored on the server and the private key stored only on that user’s own devices. Document creators digitally sign document keys so that recipients can verify the authenticity of the content they’re accessing.

A unique feature of PreVeil’s encryption technology is its use of “Shamir Secret Sharing”, a technique that allows the distribution of users’ keys among what PreVeil calls an “Approval Group”. Each user’s key is cryptographically split into fragments (shares) that are distributed among members of the group. While each of these fragments is stored by PreVeil on its servers, the keys used to decrypt each fragment are not stored in a central location. This provides an extra level of security that can help to prevent damage resulting from the takeover of an administrator’s privileged account.
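The Approval Group mechanism described above rests on Shamir’s threshold scheme: the key is encoded as the constant term of a random polynomial over a finite field, each group member holds one point on that polynomial, and any threshold-sized subset of members can interpolate the constant term while a smaller subset learns nothing about it. The following is an added example written for this post, not PreVeil’s code; the 5-member group, the 3-of-5 threshold and the 32-byte sample key are constructed for illustration.

```python
"""
Threshold key recovery with Shamir Secret Sharing over GF(p).

Added example (not PreVeil's implementation): a user's key is split among
an "Approval Group" so that any `threshold` members together can rebuild
it, while fewer members hold only uniformly random field elements.
"""
import secrets
from typing import List, Optional, Tuple

# Mersenne prime 2^521 - 1: a 32-byte key always fits as one field element.
PRIME = (1 << 521) - 1

Share = Tuple[int, int]  # (x = member index starting at 1, y = f(x))


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate f(x) = c0 + c1*x + c2*x^2 + ... mod PRIME (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, members: int) -> List[Share]:
    """Split `secret` into `members` shares; any `threshold` of them rebuild it."""
    if not 1 <= threshold <= members:
        raise ValueError("need 1 <= threshold <= members")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too large for the field")
    # f(0) = secret; the remaining coefficients are uniformly random so that
    # threshold-1 shares reveal nothing about f(0). The top coefficient is
    # forced non-zero so the threshold is exact rather than an upper bound.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 2)]
    if threshold > 1:
        coeffs.append(1 + secrets.randbelow(PRIME - 1))
    return [(x, _eval_poly(coeffs, x)) for x in range(1, members + 1)]


def interpolate_at_zero(shares: List[Share]) -> int:
    """Lagrange interpolation of f(0) over GF(PRIME) from the given points."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj == xi:
                continue
            num = (num * (-xj)) % PRIME
            den = (den * (xi - xj)) % PRIME
        # den^(p-2) is the modular inverse of den (Fermat's little theorem)
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def recover_secret(shares: List[Share], length: int) -> Optional[bytes]:
    """Rebuild a `length`-byte key from shares.

    Returns None when the interpolated value cannot be a key of that length,
    which is the usual symptom of too few or tampered shares. Because a
    below-threshold set yields a uniformly random field element, a real
    deployment also stores an integrity check (e.g. a MAC) on the key.
    """
    value = interpolate_at_zero(shares)
    if value >> (8 * length):
        return None
    return value.to_bytes(length, "big")


def demo() -> dict:
    """Constructed scenario: 32-byte key, 5-member group, 3 members needed."""
    key = bytes(range(32))  # constructed sample key, not a real key
    shares = split_secret(key, threshold=3, members=5)
    return {
        "any_three": recover_secret([shares[0], shares[2], shares[4]], 32) == key,
        "all_five": recover_secret(shares, 32) == key,
        "only_two": recover_secret(shares[:2], 32) == key,  # False
    }


if __name__ == "__main__":
    print(demo())
```

The shares are what a server would store; the example does not model the extra step the post mentions, where each stored fragment is itself encrypted under a key held only by that group member, which is what keeps a compromised administrator account from simply collecting a threshold of fragments from the server.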

PreVeil is designed to integrate with various email clients, including Microsoft Outlook and Apple Mail, and also offers PreVeil Drive, which the company bills as an alternative to Dropbox, OneDrive, Box and other file-sharing solutions.

Pricing for PreVeil ranges from free for individual users (one gigabyte of storage), to $10 per user per month for 100 gigabytes of storage, to $20 per user per month for corporate users (five terabytes of pooled storage).

More information on the company is available here.


Went From Windows to Mac, Now Thinking of Moving Back

Back in 2006 I made a decision to move our business to the Mac. I liked the elegance of the Mac’s design and how everything “just worked” in a way that Windows — at least at the time — didn’t. Subsequent introductions from Apple proved me right: the iPhone, the iPad and Mac desktops and laptops work very nicely together. I can answer and receive phone calls, send and receive text messages, share passwords, and share data easily on any Apple platform. My iPhone, iPad and MacBook Pro will remember all of my Wi-Fi connections and reconnect automatically whenever I revisit a location. The interfaces are all elegant and well designed.

But then Steve Jobs passed away and, apparently, Apple’s almost maniacal obsession for good design did as well, albeit more slowly. The Mac still works, but just not as well anymore. The company has shifted focus to the iPhone and iPad, even more or less dismantling its Mac team back in 2016. New versions of MacOS are more like point releases, offering interesting new features and functions, but many are more gimmicky than they are useful. While not Apple’s fault, Microsoft Office 2016 is a major step backward compared to Office 2011, but users are more or less forced to “upgrade” because of Microsoft’s end-of-support for 2011.

While I still like the Mac, a recent failure of my iMac’s Fusion Drive (Mac’s combo of a solid state drive and conventional hard drive) has served as something of a trigger and brought me to the point that I am now seriously considering going back to Windows. The drive started failing in late June and failed completely in late July. Since I don’t have on-site service available from Apple (more about that below), I took it to my closest Apple Store. The iMac stayed there overnight and was diagnosed with a software failure that connects the two parts of the Fusion Drive. After Apple “fixed” the problem, and after completely reinstalling MacOS and all of the applications, everything was back up and running…for 11 days. A couple of hours on chat and the phone with Mac technicians resulted in the same recommendation: we will have to bring the iMac back to the Apple Store for diagnosis.

The good news: Apple offers on-site service. The bad news: in order for Apple to authorize on-site service they need to know exactly what’s wrong with the computer so the technician can bring the one part that needs replacing. And in order for them to know which part the technician needs to bring, the customer first has to bring their computer to an Apple Store to have it diagnosed. I doubt that most Apple Support personnel have ever read Joseph Heller’s Catch-22, but Apple’s on-site support policy certainly embodies its primary theme.

So, we are at a bit of a crossroads: stay with a Mac ecosystem that is in decline, or go back to Windows that, by all accounts, is much better than it was just a few years ago? I’d enjoy hearing your opinions.

Security Defenses are Not Adequate

We have just completed an extensive survey of security and compliance professionals in mid-sized and large organizations, asking about the current state of their cyber security defenses. We will soon be publishing a white paper discussing the results. Here’s a bit of what we found:

  • Fifty-five to 58 percent of organizations admitted that they are not fully protected against security threats like payment scams, spear phishing attacks and email spoofing.
  • Four of the top five concerns that security and compliance professionals have in the context of their organizations’ cyber security are focused on email-related threats.
  • Sixty-five percent of security and compliance professionals admitted that their organization has suffered a successful attack and/or data breach during the past 12 months, with the most common being a phishing attack successfully infecting systems on their network with malware (28 percent), and a targeted email attack launched from a compromised account successfully infecting an endpoint with malware (25 percent).
  • Corporate executives represent 16 percent of the attack surface in the typical mid-sized and large organization, despite the fact that they account for only two percent of the total number of employees.
  • Forty-two percent of those surveyed told us that their anti-ransomware defenses are either not improving the catch rate for ransomware attempts over time or the catch rate is actually going down.
  • Only 28 percent of those surveyed believe that their end-user training regimen focused on web surfing best practices is “very good” or “excellent”; only 39 percent believe that their user training for detecting and addressing phishing and other unwanted emails is this good.
  • The average cyber security budget will increase by 7.4 percent in 2018 compared to last year; 67 percent of organizations are increasing their budget and only two percent are decreasing it.

Please let us know if you’d like an advance copy of the white paper.

Here are some upcoming security conferences that should be on your radar:

Preparing for the GDPR

The European Union (EU) will put the General Data Protection Regulation (GDPR) into effect on May 25th, and with it some potentially difficult and onerous requirements. Here are a few potential issues with which companies worldwide will have to contend:

  • Article 7(1) of the GDPR states, “Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.” That means that anyone who signs up for a mailing list, a webinar, an email newsletter or any other type of communication from you will need to be fully informed of the “processing” that their data will undergo, and you will need to keep an accurate record of each instance of consent that has been granted. For example, someone who signs up to be on your corporate emailing list is granting consent for their information to be used strictly for the purpose of receiving email from you – you need to maintain a record of that consent. If they sign up for a webinar that you have announced to them in an email, they are granting consent to be contacted with regard to that specific webinar – you need to maintain a record of that, as well.

    Our recommendation: excellent and up-to-date recordkeeping is going to be of paramount importance in order to remain compliant with the GDPR. That means good archiving of data subjects’ information, including the ability to search for and retrieve this information quickly and completely, and the ability to defensibly delete this information when needed.

  • Article 22(1) requires that a “data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling…” and that includes their “location or movements” (Recital 71). What that likely means is that there is a prohibition on determining whether or not someone is an EU “data subject” based on things like their IP address when completing a form on your web site, for example. So, if someone who lives in the United States is on your corporate mailing list, where their information is not subject to GDPR compliance, but later moves to an EU country, where their data is now subject to the GDPR, is the onus on you to know they’ve moved? According to a strict interpretation of Recital 71, you’re not allowed to collect their IP address when they interact with you, and so you may not be able to determine that they have moved.

    Our recommendation: act as if everyone is subject to compliance with the GDPR and process information accordingly.

  • Articles 12 through 23 of the GDPR are the “Rights of the data subject”, which include things like their right to access and have corrected any information that a data processor or controller has on them, and their right to have that information deleted – their “right to be forgotten” – albeit with certain limitations. There are some serious implications for data controllers and processors in these requirements:

    You need to know where all of your data is located. Data subjects’ information that might be stored on a departmental file share to which IT or legal does not have ready access, information stored in employees’ personal Dropbox accounts, or information stored on ex-employees’ personal devices could make it difficult or impossible to respond adequately to a data subject’s request for information or their right to have this data corrected or expunged.

    Even with access to all of your data, an organization with malicious intent could organize a group of a few thousand people to request their data simultaneously. Given that the GDPR gives data processors and controllers only one month to comply with these requests (up to three months in some situations), an organization with inadequate content management systems in place could easily run afoul of the GDPR.

    Our recommendation: conduct a thorough data inventory to determine where all of your data is located, give IT access to it, and implement a robust and scalable archiving capability that will enable all corporate data to be searched and produced quickly and with a minimum of effort.

Many thanks to Anne P. Mitchell, an Internet law and policy attorney and legislative consultant, for her input to this post. Her firm is offering consulting on the legal aspects of the GDPR – you can contact her here.

For more information on the GDPR, you can download our most recent white paper here.

How Long Should You Retain Records?

We have been asked many times how long businesses should retain their records, whether in email, files or other venues. The simple answer to the question is that there isn’t “an” answer. Instead, there are a number of issues to consider in determining how long you should retain your records:

  • What does your legal counsel advise?
  • What have court decisions in your industry revealed?
  • What is your organization’s tolerance for risk?
  • What are the consequences of disposing of records too quickly versus keeping them for too long?
  • What do government and industry regulations require as minimum retention periods?

To address the last question, we are assembling a database of regulations focused on data retention. We published the first edition in December with 421 regulations, but will be publishing the next edition in March with approximately 1,000.

Here’s a sample of the types of data retention regulations that exist today:

  • Manufacturers and importers of chemicals must retain documents related to notification of risk, contact information about entities to whom chemicals are distributed, production volumes and other information for three to five years (40 CFR 82.13).
  • Entities that operate as swap data depositories must retain records related to swaps or related cash or forward transactions for a period of five years, the first two years in an easily accessible place, but records of oral communications may be kept for only one year (17 CFR 1.31).
  • Underground mine operators must retain certifications for safety equipment for one year (30 CFR 57.4201).
  • Anyone who imports nonroad and stationary engines must retain documents supporting the information required in EPA Declaration Form 3520-21 for five years (19 CFR 12.74).
  • Entities that operate air curtain incinerators that burn yard waste must retain records about all opacity tests for five years (40 CFR 60.1455).
  • Manufacturers of heavy-duty vehicles and engines must retain records estimating how their fleets will comply with GHG emissions standards; estimated vehicle configuration, test group and fleet production volumes; expected emissions and fuel consumption test group results and fleet average performance; and other information (49 CFR 535.8).
  • The Canada Revenue Agency (CRA) requires entities subject to various sections of the Income Tax Act, the Employment Insurance Act and the Canada Pension Plan to retain for two to 10 years any books and records that will permit the CRA to determine taxation, the qualification of registered charities, permit the verification of various types of donations, etc. (CRA Information Circular IC78-10R5).

There are two key takeaways from this:

  1. There is no such thing as an “unregulated” industry or company in the context of data retention: every business in every industry must retain records for some length of time.
  2. Data retention is not easy, particularly in the context of being able to find archived records, disposing of them properly, and migrating them to new archives and other information platforms. The technology used to archive, search for and migrate records is critical.

For more information on our Data Retention Requirements Guide, click here.

What About Shadow IoT?

There has been so much talk about “Shadow IT” — employees using their own smartphones, tablets, cloud applications and mobile apps — and its impact on corporate IT that many don’t worry about it anymore. Many IT decision makers have simply acquiesced to the idea that employees will use their own devices, mobile apps and cloud applications, and so are finding ways to work within this new reality as opposed to fighting it. To be sure, Shadow IT has major implications for security, the ability to find and manage corporate data, the ability to satisfy compliance obligations and the like, but Shadow IT is here and it’s here to stay.

But what about “Shadow IoT”? There are a large number of personally owned IoT devices already accessing corporate networks, such as Apple Watches, Fitbits, Alexa/Google Home devices and the like. For example, an Apple Watch can be used to access corporate email and text messages, Fitbits send emails to wearers with their weekly status reports, and IBM has integrated Watson with Alexa/Google Home, to name just a few examples on the tip of this iceberg. Fueling this trend is growing corporate acceptance of the idea of integrating IoT with business processes — companies like Salesforce, Capital One, AETNA, SAP and SITA, among others, are embracing use of the Apple Watch and developing applications for it. Moreover, the use of wearable IoT devices can increase employee productivity — a Rackspace study found that productivity and job satisfaction both benefited from their use.

While personally managed IoT devices represent an enormous boon to their owners, they also can create a number of security risks. For example, researchers at the University of Edinburgh were able to circumvent the encryption that Fitbit uses to send data, leaving users vulnerable to theft of their personal information. In 2015, a Fortinet researcher discussed a proof-of-concept that could infect a Fitbit device with malicious code that could then send malware to a PC connected to the device (a claim that Fitbit denied). Researchers at Binghamton University found that sensors in wearable devices could be used to determine passwords and PINs with up to 90 percent accuracy. Apple Watches have been banned from cabinet meetings of UK government ministers over fears that the devices could be hacked and used to listen in on these meetings.

Does your organization have a policy to protect against Shadow IoT? What security measures have you implemented specifically to address this threat? I’d like to get your feedback on what your organization is doing for a future blog post.

The Impact of the GDPR on Cloud Providers

We just published a new white paper on the European Union’s (EU’s) General Data Protection Regulation (GDPR) and will soon be publishing the results of the two surveys we conducted for that white paper.

In the second of the two surveys we conducted, we asked the following question: “Will your organization increase or decrease use of cloud technology as a result of the GDPR?” We found that 50 percent of respondents indicated they would increase it, 39 percent said there will be no change, six percent said they didn’t yet know, and only five percent said that use of the cloud will decrease. That tells us a few things:

  • Many decision makers are still unsure about how they’ll deal with the GDPR. A thorough reading of the regulation, as with most government rules, leaves room for interpretation. For example, if data on an EU resident is subject to a litigation hold in the United States and the EU resident exercises his or her right to be forgotten, should the data controller violate its obligations to retain the data or violate the GDPR? That uncertainty will lead many to seek the assistance of third parties, many of which will be cloud providers that have more expertise in dealing with these kinds of issues.
  • Many organizations will pass the buck to their cloud providers. Because many organizations are simply not sure about how to deal with the GDPR, particularly smaller ones that can’t afford a team of GDPR-focused legal and compliance experts, they will rely increasingly on cloud providers who they anticipate/expect/hope will navigate the intricacies of the GDPR on their behalf. We believe that will accelerate the replacement of on-premises solutions with those based in the cloud.
  • Consequently, the choice of cloud providers will become extremely important. Since a cloud provider that inadvertently violates key provisions of the GDPR while working on behalf of their clients will not be a shield from prosecution, GDPR savvy will become a top priority when selecting new, or staying with existing, cloud providers.
  • The new ePrivacy Regulation that will supplement or replace key provisions of the GDPR will impose significant usability restrictions on even simple activities like web surfing. For example, it is very likely that web site visitors will need to grant permission for each and every cookie dropped into their browser when visiting a web site, yet that web site operator will not be able simply to block content for those users who do not grant permission. This will make the choice of a web host extremely important in order to comply with both the GDPR and the ePrivacy Regulation.

In short, while the GDPR increases privacy protections for individual users in the EU, it is increasing the risk for those that wish to provide content to them. Many companies, particularly smaller ones, will seek to mitigate that risk by handing it off to cloud providers.

You can download our newest GDPR white paper here, and get more information on the ePrivacy Regulation here and here.

How to Protect Corporate Data When Employees Leave

A key part of employment – particularly in a good economy – is that employees leave employers on a regular basis. According to data from the US Department of Labor, mean turnover among US-based employees in 2016 was 23.8 percent. That means in an organization of 1,000 people, nearly one-quarter of them will quit or otherwise be terminated during a year’s time, or about 20 people per month.

How do employers ensure that departing employees don’t take important data assets with them when they leave? The answer, it turns out, is that they don’t protect against this eventuality. Our research found that for many organizations, information governance policies, practices and technologies focused on data protection are not well implemented, if they are implemented at all. This puts these organizations at significant risk from employees who either quit or are terminated involuntarily and take with them key data assets, such as customer lists, trade secrets, financial projections, or various types of intellectual property.

Here’s what we found in a recent survey:

  • In only 48 percent of organizations can HR data be relied upon to determine when someone is going to leave a company.
  • Only 33 percent of organizations are sure they can detect if an employee that has left the company is still using their access to corporate data.
  • In only 16 percent of organizations does HR take the lead in ensuring that access to data sources, devices, accounts, etc. is disabled for departing employees.
  • Only 24 percent of organizations know when third parties stop working on their systems and data, and only 12 percent know if employees or third parties are sharing access to data through the same account, bypassing any termination processes.

There are several processes and technologies that organizations can implement to gain visibility into and retain control over their sensitive and confidential data assets, while ensuring that employees are not leaving with those assets. A number of technologies can protect corporate data from exfiltration by departing employees, but a governance-based model for user lifecycle management and access management can provide organizations with a high degree of assurance that only the right employees have the right access to corporate data at the right time.
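Two of the survey findings above (leavers still using their access, and several people sharing one account so that termination never takes effect) translate directly into a reconciliation check between the HR feed and authentication logs. The following is an added example written for this post, not anything from the white paper or a vendor product; the HR feed layout, the log line format and every record in them are constructed for the demonstration.

```python
"""
Offboarding control check (added example, constructed data).

Reconciles an HR leaver list against authentication logs to find:
  (a) successful logins after an account owner's termination date,
  (b) accounts apparently used by several people at once, and
  (c) accounts that HR does not know about at all.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed HR feed: account -> termination date (None = still employed).
HR_TERMINATIONS: Dict[str, Optional[str]] = {
    "bob": "2018-03-02",
    "alice": None,
    "vendor-svc": "2018-02-15",
}

# Constructed auth log, one event per line:
# "<ISO timestamp> <account> <source ip> <result>"
AUTH_LOG = """\
2018-03-01T08:02:11 bob 10.1.4.20 success
2018-03-05T21:14:03 bob 10.1.4.20 success
2018-03-06T02:40:55 vendor-svc 203.0.113.7 success
2018-03-06T09:00:00 alice 10.1.7.31 success
2018-03-06T09:03:12 alice 198.51.100.9 success
2018-03-06T09:05:40 alice 10.1.7.31 success
2018-03-07T11:11:11 carol 10.1.9.5 failure
"""

Event = Tuple[datetime, str, str, str]  # (timestamp, account, ip, result)


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format into typed events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), account, ip, result))
    return events


def logins_after_termination(events: List[Event],
                             hr: Dict[str, Optional[str]]) -> List[Tuple[str, str]]:
    """(a) Successful logins dated after the account owner's termination."""
    findings = []
    for ts, account, _ip, result in events:
        term = hr.get(account)
        if result != "success" or term is None:
            continue
        if ts.date() > date.fromisoformat(term):
            findings.append((account, ts.isoformat()))
    return findings


def shared_account_candidates(events: List[Event],
                              window: timedelta = timedelta(minutes=10)) -> List[str]:
    """(b) Accounts with successful logins from different IPs inside `window`,
    a common sign that credentials are shared rather than personal."""
    by_account = defaultdict(list)
    for ts, account, ip, result in events:
        if result == "success":
            by_account[account].append((ts, ip))
    flagged = []
    for account, logins in by_account.items():
        logins.sort()
        for i, (t1, ip1) in enumerate(logins):
            later = logins[i + 1:]
            if any(t2 - t1 <= window and ip2 != ip1 for t2, ip2 in later):
                flagged.append(account)
                break
    return sorted(flagged)


def accounts_unknown_to_hr(events: List[Event],
                           hr: Dict[str, Optional[str]]) -> List[str]:
    """(c) Accounts seen in the logs that HR has no record of (orphans)."""
    return sorted({account for _, account, _, _ in events if account not in hr})


if __name__ == "__main__":
    ev = parse_log(AUTH_LOG)
    print("after termination:", logins_after_termination(ev, HR_TERMINATIONS))
    print("shared accounts:", shared_account_candidates(ev))
    print("unknown to HR:", accounts_unknown_to_hr(ev, HR_TERMINATIONS))
```

The termination comparison uses calendar dates, so same-day activity after a mid-day departure is not flagged; tighten to full timestamps if the HR feed records the time of departure. The shared-account heuristic deliberately ignores failed logins and only compares events within a short window, which keeps a user who moves between office and home over the day from being flagged.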

For more information about these issues, please feel free to download our white paper, Protecting Corporate Data When Employees Leave Your Company.