20 May 2026
I wanted to talk about this because it is incredibly common. In practice, good information security often starts with something much simpler than firewalls or cyber tools: knowing what information you actually have, where it lives and who can access it.
We recently completed a security assessment for a small law firm with a couple of offices. The interesting part was not discovering some catastrophic security failure. The interesting part was how normal everything looked.
Like many firms, staff had gradually built practical ways to get work done quickly. Documents moved through SharePoint, Dropbox and email depending on who needed them fastest. Teams created “temporary” folders that quietly became permanent. People kept personal copies of important documents because they did not completely trust the shared structure anymore.
At one point we found a folder path that went something like:
“Shared Matters → Current → Active → New → Use This One → Final → Final 2 → Final Real”
We have all seen that, right? Most offices have seen some variation of this.
We also found several shared SharePoint areas where nobody felt entirely certain who still had access. Not because anybody ignored security, but because access changes usually happen gradually. Somebody helps on a matter for two weeks, changes teams six months later and quietly keeps access forever because removing permissions never feels urgent.
Organisations tend to lose visibility over information long before they lose control of security. Staff enter and leave using swipe cards, and they log in to the network using proper authentication. But inside that perimeter, they no longer know where the authoritative version of anything lives. Important documents sit inside forgotten folders. Teams become uncertain whether information still exists, whether it was deleted, or whether somebody copied it somewhere else years ago.
So the big problems rarely start with hackers. They start with ordinary people making sensible shortcuts to get the job done.
The bigger challenge is not securing the information, if all that means is throwing a cordon around all of it. The bigger challenge is simply knowing what information they actually have, where it lives and who can access it.