Investing in data governance: more than a necessity

by Florian Delabie - Information Security Consultant
Data has been labeled the “new gold” – and rightly so, for it definitely is an asset for value creation. Yet, strangely enough, data governance is still frowned upon as a necessary evil in many organisations. All too often it is merely regarded as a chore to be suffered rather than a set of tools and practices with value-creating potential. Helping organisations recognise and realise that potential is therefore a fundamental part of my team’s mission here at Sopra Steria Benelux.

Don’t get me wrong: data governance is an absolute necessity. Let there be no misunderstanding about that. Now more than ever, in fact, there is a real need and urgency for companies to invest in data governance, both from a security and a compliance perspective. Let me quickly explain why.

New cyber threats

Taking a look at the security perspective first, there is simply no getting around the fact that in recent years a number of new threats have emerged. Most recently, of course, we have seen the devastating effects of Russia’s ongoing war with Ukraine, which is impacting Europe as a whole, if not the entire globe.

From the outset, cyberattacks have been an integral part of that war. Approximately one hour before Russia launched its invasion on 24 February, a cyberattack on communications company Viasat in Ukraine began. And although the Ukrainian military is believed to have been the primary target of that attack, other customers were also affected by it, including personal and commercial internet users. What’s more, the attack had a wider impact across the continent, disrupting wind farms and internet users in central Europe as well. Unfortunately, this is just one out of many attacks that have been carried out so far during this conflict and in the years leading up to it.

Primary target: data

These new cyber threats come on top of the already high and rising level of cybercrime, all around the world but notably here in Belgium. Today, when it comes to cybercrime density, Belgium ranks fourth globally, according to a report from cybersecurity company Surfshark. More importantly, with two in three attacks aiming to gather information rather than money, data remains a primary target for cybercriminals.

This conclusion is further substantiated by government research in Flanders, where one in eight companies – more than 10%! – fell victim to cyberattacks in the past year. As a result of those attacks, one in five affected companies lost their business data and more than one in ten small SMEs had to deal with data theft.

Needless to say, such attacks are not limited to the private sector alone. The public sector gets targeted just as well, if not more so. A striking example is the major ransomware attack suffered earlier this year by Vivalia, an inter-municipal healthcare institution in the Belgian province of Luxembourg. The cybercriminal group behind that attack claims to have stolen no less than 400 GB of patient and hospital data, proving once again that the consequences of cybercrime can be truly devastating. Admittedly, the inevitable reputational damage can be hard to measure or quantify sometimes. But on top of that, Vivalia also had to face some very real and urgent operational problems. Electronic patient records were no longer available, for example, so patient data had to be recorded manually again.

Hybrid work: new data challenges

When considering new security threats, we also have to take into account the major impact the COVID health crisis has had on our way of working. Much has been written already about the worldwide massive shift to teleworking that occurred as the pandemic hit hard in early 2020. And the same goes for the subsequent introduction of a hybrid work model, which is the New Way of Working (NWoW) that many, if not most, of us are now familiar with or accustomed to.

This important workplace shift, in turn, has had a major impact on the volume of data to be managed and, more especially, governed (data governance being a key component of data management). The fact is that, at the outset of the pandemic, companies largely relied on their IT department to widely distribute the remote access to business applications that teleworkers required. I’m thinking in particular now of videoconferencing tools such as Microsoft Teams.

Unfortunately, companies didn’t really give out recommendations to all their employees working at home on how to use those applications. As a result, we have witnessed a chaotic inflation of data that is neither managed nor governed. At Sopra Steria, we have calculated, for instance, that a document sent to 10 people gets to be shared and saved, identically, around 22 times. The risks and costs for the company are therefore not under control and can be all the greater if personal data are involved, which leads me to conclude that the lack of data governance when moving to the hybrid workplace has created new security threats and challenges that companies now also need to address.

In my next post, I will first look into today’s growing need for data governance from a compliance perspective. I will also share some ideas about the value-creating potential of data governance. Meanwhile, if you have questions on data governance that you would like to put to us, don’t hesitate to get in touch with me or my colleagues at Sopra Steria Benelux.