Data is the new natural resource of our age. The companies and businesses that control the data have a distinct market advantage over their rivals and competitors. Considering data’s importance in the new marketplace, its security must be a top priority for everyone in the organization from the Boardroom to the mail room.
According to a 2016 Ponemon study, 62% of companies worry about their inability to determine the location of their organization’s sensitive or confidential data. But knowing where sensitive and confidential data is stored is just the beginning. Once we know where the data is, the next step is to determine how to protect it from theft or damage in an ever-evolving and challenging threatscape. With this in mind, it can be difficult to determine where to focus your efforts and resources in protecting your organization’s assets. There needs to be a focused approach in remediating the most likely attacks with proven strategies that address current and future attacks, starting with one of the simplest and most effective ways to lessen the impact of cyber threats: data encryption.
Fighting the Tide
Cyber professionals spend a great deal of time thinking like attackers, and from that perspective, we know that cybercriminals are always attacking and attempting to steal data that lead to either financial gain or to push their agenda. According to a report last year from Cybersecurity Ventures, cybercrime will cost the world $6 trillion annually by 2021. For context, this staggering number represents the greatest transfer of economic wealth in history. Add to this the fact that breaches are happening with increasing frequency and more than 13 billion records have been stolen since 2013, and it becomes plain to see that the current approach to cybersecurity does not appear to be effective in terms of stemming the tide and slowing a cybercriminal’s ability to access and steal sensitive data.
Where’s the Data?
In short, the answer is everywhere! In the last two years alone, 90% of all of the data in the world was generated. We create roughly 2.5 quintillion bytes of data every day. With this immense amount of data creation, we can’t realistically afford to protect all of the data at the same level and still run a profitable business. So how do we determine what to defend, and at what level?
Aligning the Defense
In my spare time, I coach youth football and it truly is a game of blocking and tackling. If the other team’s offense can’t score against our defense we have a greater chance of winning the game. In Cybersecurity it can feel like a single misstep means that we have lost the entire game. But in reality, that doesn’t have to be the case.
In addition to setting up tough defenses at the perimeter to prevent a breach, organizations can set up strong internal controls that will assist in continued efforts to defend sensitive data (even in the event of a breach) through a three step process:
- Step 1: Identify and classify data, identifying which is sensitive and important, and requires protection.
- Step 2: Encrypt ALL sensitive data in motion and at rest, using strong cryptographic algorithms for structured and unstructured data.
- Step 3: Track and monitor who has access to this sensitive data and audit what they are doing with it, evolving processes as needed to ensure this data is kept secure and protected on an ongoing basis.
Whose Job is it Anyway?
When we address classifying data in an organization, the first question I ask is, “Who owns this data?” If the answer is a blank stare or shrugged shoulders, that is a red flag that potentially sensitive data is at risk. Ownership, training and accountability are the keys to correctly and accurately identifying data sensitivity. Considering the volume of data that most companies work with, it is essential to not only having a one-time assessment of where sensitive data is held, but establishing a process for continually identifying sensitive data and treating it as such. This process must account for standing up new systems that may contain sensitive data from the design to implementation phases.
What Happens Encrypted Should Stay Encrypted
According to a study by Gemalto, in the first half of 2018 there were 4.5 Billion records stolen, and shockingly, less than 3% of these records were encrypted and thus rendered useless to criminals.
Although there is no such thing as perfect defense, by encrypting sensitive data we can ensure with a high level of confidence that, in the event of a breach, the data will be useless to criminals thereby lessening the impact of the theft. Encryption alone is not enough to fully protect data, but it can act as a strong last line of defense. The staggeringly low number of stolen records that are not encrypted highlight this gaping hole in our defenses that can be closed with relatively inexpensive tools that offer a great deal of protection to both consumers, and to companies who hold their data.
Identifying Who Has Access to Sensitive Data Internally
I had an instructor once point to the difference between going into a Target and stealing a DVD versus downloading a Torrent of the same movie. The difference was accountability, even though both where a crime. All of us are aware of the cameras and security at Target and the actions in a Target can be easily tied to us. Online, people have a certain feeling of anonymity, especially if they are using technology to hide their identity. We need to be able to track who has access to sensitive data within organizations and track the actions taken with that data.
The ability to establish auditable and identifiable access to data helps us establish non-repudiation, and allows us to track legitimate and illegitimate access to our key data. It is essential that tracking and auditing of sensitive data be a key part of your data defensive strategy, keeping internal accountability high and identifying human errors that may lead to weakened defenses.
Aligning Security Expenditure with the Value of Data
This article in no way covers the many potential security controls that can be implemented to protect sensitive data. It can act as a high-level blueprint for an initial view into setting up a comprehensive security program that is data focused. Ultimately, your security expenditure should be aligned with the sensitivity and value of the data you are protecting. This process all starts with finding your sensitive data and ensuring it is encrypted in motion and at rest. Encryption as a control is relatively easy and often cheap considering the value of the data, or the cost of it being stolen.