In the world of business, reputation matters. Being the victim of a cyber-security breach quickly erodes confidence, particularly if you or your organization is in the business of keeping information secure. Hackers know this and are increasingly targeting high-profile players in the security world. In the past few months, both the US Director of Intelligence and the CIA Director have had their personal email accounts hacked. While both have downplayed the information that was compromised, the media have made a big deal out of the events.

There are two lessons to be taken from these breaches. First, hackers can get you if they want. Even with good hardware and software protecting your information, you remain vulnerable. The vulnerability is caused, in part, by weak passwords (the two most common passwords are “123456” and “password”) and gullible humans who click on phishing emails or give out passwords to strangers posing as service providers or customers. Education and training are helping to address this, but it remains a serious problem.

The second lesson is that the harm to reputation can be disproportionate to the harm caused by the leak. Why? Because if some of your information has been compromised, the insinuation is that all of your organization’s information is at risk. So, if you are breached, how will you respond? Can you confidently say, “We know what we have, where it is, and what has happened to it”? Probably not.

If you are like most organizations, information governance is on the “to-do” list. All organizations prioritize information governance AFTER a breach. If you are serious about protecting your reputation, being proactive about information governance is a good investment. A strong information governance program can help to reduce harm and restore confidence in the event of a breach.