The Management Role in Protecting Corporate Data Resources
| Date | 01 May 1986 |
| DOI | https://doi.org/10.1108/eb057442 |
| Published date | 01 May 1986 |
| Pages | 16-17 |
| Author | Roy Carter |
| Subject Matter | Economics,Information & knowledge management,Management science & operations |
The
Management
Role
in Protecting
Corporate
Data Resources
by Roy Carter
Business Author
Few people would disagree that the possession, exclusivity
and application of knowledge are the most vital aspects of
all forms of business activity, but the protection of corporate
knowledge often receives insufficient management atten-
tion.
Typically, the reason is confusion over who is respon-
sible for safeguarding data systems, a deficiency that can
have very serious consequences. Without knowledge, or
data,
no corporate function would be possible, and without
adequate protection neither would it be possible to acquire
or maintain a commercial advantage over those who do not
possess it. By the same token, effective data protection in-
cludes self-protection in the more immediate sense of
preventing its misinterpretation or the misuse of the means
employed for its collation, storage and dissemination.
In a very real sense,
then,
the efficient management of in-
formation is a requirement not merely of business success
but of business survival. It is for this reason surprising in
the computer age that the many benefits accompanying the
adoption of an electronic data processing (EDP) system are
often allowed to obscure the equally overt dangers. Thus,
the effortless ability instantly to transmit and share data is
frequently seen not as a valuable option but almost as an
unavoidable feature. This common security fault is tanta-
mount to the medium taking control of the message. In the
same way, classified information that would once have been
rigidly controlled is left carelessly on the desk top inside its
innocuous floppy disk, its vulnerability seemingly hidden by
the unfamiliar packaging. Yet more threatening, unedited
data entered without adequate input standards assumes an
automatic "computer-supported" status, quite regardless
of its actual origin or reliability. The result is that under-
developed control procedures and lax supervision allow in-
efficient practices to thrive, often to the degree that they
actually influence corporate decision making. The
possibilities are as numerous as they are fearsome.
The damage potential from this kind of misuse of data
resources can only increase as the growth of the microcom-
puter industry carries EDP into every corner of the business
world and as greater technical versatility creates
dependence. In this fashion, what began as an aid to
prod-
uctivity becomes at the same time indispensable and an
unrecognised threat. The mismanagement of the facility
thereby causes harm by the very fact of its day-to-day use,
and the degree of dependence is such that equal or greater
harm would ensue from its permanent or temporary loss.
Catch 22!
Of course, neither of these scenarios is inevitable, but many
companies new to EDP fall into the trap without even know-
ing that it exists. The only way out is through effective EDP
security, which, contrary to popular belief, is not merely a
technical matter. Nor is it confined to the prevention of fraud.
A large part of EDP security is user education, which in-
cludes protection from some of its effects as well as pro-
tection of the system's integrity. Its importance is such that
it transcends most other aspects of the corporate ad-
ministrative structure, if not all of them, and becomes a mat-
ter of fundamental policy which can only be properly ad-
dressed from the boardroom. In no way is the physical pro-
tection of hardware enough, for it is from authorised users,
not interlopers, that the commonest threat emanates.
Instead,
good data security and the prevention of data
misuse involves a basic re-evaluation of the conduct of many
routine procedures. The massive changes brought about by
EDP must be mirrored by equally significant changes in the
way data is controlled if the new medium is to be safely
assimilated. It follows that these two areas of change must
be allowed to develop side by side. Overnight results are im-
possible, both because of the complexity of the subject and
its wide-ranging impact. The protection of EDP resources
must, therefore, become part of a structured corporate
plan,
clearly enunciated and divided into
long-
and short-term
objectives.
These objectives
will,
naturally, include purely physical
measures, but only as the visible tip of a far more extensive
effort. The protection of the data itself, its storage and com-
munication, as well as its administration, must be the sub-
ject of in-depth review.
It has to be realised from the outset that the old-fashioned
idea of security as a last-minute addition is no longer ap-
propriate, if it ever was. For worthwhile results to be achiev-
ed,
it must be incorporated into the total programme of
16 IMDS · MAY/JUNE · 1986
To continue reading
Request your trial