The National Archives is one of the largest national databases in the UK, storing and preserving governmental records dating as far back as the 11th century and the Domesday Book, the oldest public record in England. Martin Fletcher, Training and Liaison manager for the Information Management Department at the National Archives, works with government staff at all levels, providing communication and training on how to correctly handle and protect sensitive information and build a secure culture among staff. Ahead of his talk at the Cyber Security Summit, he shared his thoughts on how Cyber Security intersects with the world of Records Management.
The Information Management Department at the National Archives “focuses on the role Records Management plays in ensuring that data is stored and processed securely”, Martin says. The crux of Records Management is, in effect, the ability to answer the key questions about your organisation’s information, whether a public body or private company – “What is it? Where is it stored? Who should be able to access it? What consequences are there if it gets lost?” With a robust Records Management process able to address and answer these key questions, the information held by the organisation can be correctly handled and the business is alert to the threats and vulnerabilities it may face, preparing it to respond effectively “when, not if, an incident occurs”.
How, then, do organisations develop this process in order to reap the benefits and keep their information secure? One of the main challenges faced by organisations, according to Martin, is the implementation of that effective Records Management process. “This involves setting up governance structures that define which individuals are responsible for which information assets, and making sure those key questions (above) are brought together using a tool such as an Information Asset Register”. Offering solutions, Martin suggested that the challenge is best approached “with a joined-up implementation plan, within a set timeframe, with input from information professionals across the organisation”.
Martin makes a point of the similarities between government and private industry – all organisations, be they public or private, hold information, and while its nature may differ, its value to the organisation remains high. He also offers wider advice to businesses on how his work with government can be applied to their practices. A good starting point for an organisation is to consider what would happen if these information assets were compromised, thus allowing it to identify its “crown jewel assets”, the two or three areas of information which are capable of causing severe harm if compromised. Understanding what exactly these key assets are, and how to protect them effectively, is critical to the establishment and maintenance of the Information Asset Register that Martin recommends.
Casting his eye to the future, Martin predicts a cultural shift in which Information and Cyber Security are no longer viewed as an “IT problem”. This change represents a positive move towards a more holistic and business-wide approach, “ensuring all staff are full partners in protecting and using information effectively”. Reinforcing this point, Martin draws parallels to the attitudes in business towards health and safety, an area that has already seen a transition from a superfluous concern to a core part of the job for the entire workforce. Staying in the realm of prediction, the role of phishing emails provided Martin with cause for concern. Martin drew attention to the growing trend among criminal circles of phasing out mass-phishing emails in favour of smarter, more targeted attacks that exploit specific, high-value targets, a trend Martin warned will only continue to grow.
Offering some help in countering this threat and developing the resilience of the organisation, Martin suggests two key methods – organisation-wide communication, and fake-phishing operations to alert staff to the dangers they may face. Some organisations, Martin says, use this tool to monitor response rates among staff, encouraging a more honest culture where mistakes are reported to the security team. Martin even admits he himself has fallen victim to his organisation’s phishing drills in the past. Even with successful tools in place, communication is still essential to achieving the requisite levels of security. Martin drew the interview to a close by encouraging cooperation between Cyber Security and Records Management professionals, citing their joint role in protecting information and highlighting that “Close communication ensures that guidance for the organisation is not only coherent, but addresses the concerns of both professions”.
Martin will speak at the Cyber Security Summit and Expo on the 16th November at 3:45pm, Seminar Theatre 3. Catch his talk there, or find out more about his work at the National Archives at their website.