• Paul Peter Nicolai

Being Information Lean After COVID-19

Updated: Aug 13

Many things will never be the same after COVID-19. Employees will spend less time at an office. Employees working remotely will use more technologies to connect and collaborate. They will store more company information in the Cloud and on home devices with diverse setups and vulnerabilities. Bad actors, cyberthieves, and hackers will have greater luck exploiting chinks in information security armor.


Businesses need a plan to deal with these new realities and become information lean. The shift to a new environment is an opportunity to build better processes through technology. It allows reevaluation of what is done and why. It allows new processes and efficiencies to emerge and the ability to build compliance processes from the start, making them transparent and seamless. Addressing privacy and security in planning and design means it will not need to be retrofitted downstream, as has been too often the process.


Home Worker Reality


Employees prefer their own devices. Even if policy prohibits it, company information will find its way onto personal devices creating privacy and security issues. The security protections in a personal environment are usually less robust than in a corporate or cloud setting. While home workers may limit a company’s computer and office expense, they present different security challenges.


Information Reality


Information volumes have been growing for decades and will not stop growing unless we do something about it. Piles tend to be largely unmanaged, and mix important with unimportant information. This makes environments like shared drives a perfect hacker target because employees store all kinds of information there, including information that may have substantial value to the company. The more information and locations, the greater the privacy and security risk information piles create. Competing interests inside the company that want more information for longer periods of time must be addressed.


Security and Privacy Reality


Information security is now a core business activity that requires resources, expertise, and vigilance. No matter how much money and effort spent on securing information, hackers will be successful. Information security is really about minimizing the harm to the company.


What Needs To Happen


Most businesses keep too much information. Some keep everything. The law of diminishing returns applies to information, like most things. Lawyers have contributed to this reality. With the advent of electronic discovery, lawyers over-preserved because it was the conservative position and avoided liability for evidence destruction. Once information went on legal hold, it often stayed on legal hold. Unwinding this approach is challenging, especially if a company has lots of litigation. However, bad habits and over-retention must stop.


Privacy laws and regulations make clear that less is more when it comes to privacy. That means keeping as little as possible for as short as necessary. For GDPR (the EU privacy directive), information must be retained no longer than its original intended purpose, but as short as possible to run the business and comply with the law. In addition, there are important compliance and business drivers that say keep less. For the most part, information value drops quickly after it is created and used. Keeping everything forever is bad business. Basically, by the end of three years, much information has little continued usefulness. By the end of seven years, practically none of it has value.

As the piles grow, the challenge of protecting it also grows. Growth usually means more applications, more storage locations, and more ways for information to be exploited. The cost of storing more information goes up, even if unit storage costs go down over time.

Businesses should seek to be information lean by not keeping too much or too little. The Cloud helps and hinders this. On the one hand, the Cloud has infinite scalability, which lets companies keep just what they need and not overbuild underused infrastructure. On the other hand, the Cloud has infinite scalability, and human nature and business pressures promote information over-retention.