Are you thinking about making changes to your organization’s information culture? Efforts to remove traditional department “silos” to encourage the free flow of information have very tangible benefits: team collaboration, efficiency and discovery of new business opportunities. When all resources are deposited and shared from one primary location, businesses protect themselves from information loss caused by employee turnover, and are able to cut back on search time by reducing the possible locations of document retention.
Removing department silos and actually getting staff on board to sharing their information and data however, can be a challenge, as is overturning very real ‘what if’ fears. If everyone can access the information, is it safe from deletion or misuse? Are there managerial-level documents that could damage credibly or cause issues if accessed by front-end staff? How do we open up information access without creating holes in information security and user privacy? Before you move your information resources to a more collaborative platform or start undertaking data sharing initiatives between departments, consider putting together a plan that addresses the following:
Know what you have
Before opening up your drives and databases to all departments, a full understanding of the data and document types your organization controls is a must-have. If you do not know what information you have, you cannot possibly know what information you are sharing, or what risks making the information available to all personnel could cause. Plan out your inventory: this can be as simple as mapping of all drives and storage locations with notes on the information contained within, to a full-out information audit that examines what information your organization has, where it is kept, who uses it, and how is it being used. In addition to identifying any information that may be more sensitive, an inventory prepares your organization for the shift: if you are moving all resources to a shared platform you can avoid leaving items behind, and identify resources that may be of particular interest to different departments.
Establish your classification scheme
If presented with three different documents or pieces of data, could staff identify, with ease, which is private information that may damage a client if exposed, which is confidential information that might damage your business exposed, and which information is safe even if it should be released outside your organization? Could your staff identify these factors without reading the information in question? If not, a security classification scheme would be wise to implement. Depending on the desired outcome, a classification scheme need not be complex: a simple rating of 'A', ‘B' or ‘C’ may do the job, as long as they provide users with the ability to understand, at a glance, the risk factors involved in sharing the information, and are linked to clear guidelines on its use and protection.
Layout access controls
Now that you know what levels of sensitivity the information your business has, determine who should have access to which type. Setting access controls provides an important safety net that reduce risk for both business and staff: private or sensitive information can only be accessed by individuals with the training, clearance and proper tools to use it. In addition, when looking to change the internal information sharing culture, of the more useful benefits of having an access control plan is that it need not be determined by department: information access can be discerned based on business role, attributes including geographical location, or even specified to individual access. Dependant on your software, access restrictions can also be customized to view and hide specific data of the same record: masking personally identifiable details for individuals but allowing access to purchase history. Information can be centrally located and ‘shared’ company wide, but private details remain accessible on a need-to-know basis. With an access control system, you protect customer trust by assuring them that private information only seen by those with the authority and know-how to use it properly.
Have proper IT procedures in place
How often is your information backed up? If a staff member accidentally deletes a critical document, even by accident, can it be retrieved? As many an information technology professional will tell you, if your business is not backing up it’s critical information yet, it certainly should be. Things happen even to the most up-to-date systems: power lines making the office dark, bugs get in via the wrong email attachment, an irregular change causes corruption, or a new user fumbles with a different interface and yesterday’s client proposal is history. Proper IT standards, such as having current anti-virus software, regular backups and encouraging “safe your work often” protect against the unexpected, and allow ease of mind. In addition, the tools you use may have their own safety features: consider Microsoft SharePoint, which can save different versions of the same document, OneNote or Evernote, that sync regularly to well backed up cloud servers, a database that automatically saves records upon update, or look into your own native application for how it handles “revision control”; odds are help is there when you need it.
Set clear understandings and expectations with customers, clients and stakeholders
If your information holding include data collected from others, such as client records or customer data tracking, communicate to the information owners who the information will be shared with, even internally. Be aware that sharing “internally” in an organization can have different meanings to different people. For some, ‘sharing internally’ may mean all internal departments of a single company, while for others ’sharing internally’ includes the disclosure of information across all branches, divisions and subsidiaries or a parent company, including those that do not operate under the same brand name. How are you intending to use this information in different areas? Can the customer or client opt-out or opt-in to information sharing between particular branches? Look at your business privacy policy: in encouraging more hands on of the same resources, are you still adhering to previous agreements of whom can view personal or business information, and what they are permitted to do with it? Communications and transparency of the information cultural shift are definitely in order, and in some cases revisions and agreements to the revisions of the organization privacy policy may be required.
Changing your organization’s information culture will not be a one-day task: along with any needed technology tools, it will require executive buy-in, formulated strategy and change management skills to get things off the ground. When successful however, efforts are well worth it, and a little pre-planning can go a long way.
