Data Security Needs to be Revamped

Posted by Robert Ackerman

On the weighty topic of data security in our ubiquitous digital world, let’s get right to the fundamental point: Data security in the enterprise – let alone everywhere else – simply isn’t good enough and must be enhanced.

If there is any doubt about this, consider, for instance, the annual data breach report published by the highly respected Identity Theft Resource Center (ITRC), which among other things tracks data breaches reported by public companies. The number of data compromises in 2023 soared by 78 percentage points compared to 2022 – 3,205 compared to 1,801 in 2022, a new record. By a huge margin, it also handily beat the previous all-time high of 1,860 in 2021.

Why such an increase? Among other things, companies struggle with fragmented security tools, limiting their overview of data security and compliance workflows. Cloud migration adds complexity. Traditional security platforms can be overwhelmed by data volume, often resulting in slow reporting.

Other swelling problems include increasingly complicated IT infrastructure, the impact of third-party attacks, and the sad truth that many employees ignore workplace cybersecurity rules, opening a path to a data breach that otherwise would not exist.

Convoluted infrastructure reflects the fact that there is a specific product for almost every use case. Some are used for fixed and mobile endpoints, some to provide access controls to apps, some to authenticate users, and some to protect internet access. As a result, according to a study by Lookout, a Silicon Valley-based data-centric security company, large enterprises employ 76 security products on average, each purchased individually to solve a single problem. This creates silos that force IT and security teams to split up to manage different security interfaces, undermining a holistic picture of how their sensitive data is handled.

Meanwhile, the number of third-party vendor attacks, also known as supply chain attacks, has exploded. A single attack can and has directly or indirectly impacted thousands of businesses that rely on the same vendor.

Then there are the troublesome actions of far too many employees who, surprisingly, ignore workplace cybersecurity rules. A recent study by Gartner found that 69% of employees had bypassed their organization’s security policies over the past year, and 74% said they would be willing to do so if it helped them accomplish a business objective.

Many employees are willing to ignore security guidelines apparently because they embrace so-called neutralization techniques, i.e., rationalizations that people instinctively use to “neutralize” an unethical action, according to cybersecurity researchers. Security teams need to at least sharply condemn such practices in messages to employees.

Unaddressed amid all this hoopla is the unappreciated reality that data is the lifeblood of every organization. It informs decision-making, improves operational efficiency, boosts customer service, enhances collaboration, informs marketing efforts, and in the end, increases revenue and profit. It must be taken seriously.

Data is often referred to as a company’s crown jewels. Data security is the practice of protecting information from unauthorized access, corruption, or theft throughout its entire lifecycle. It encompasses every aspect of information security, ranging from the physical security of hardware and storage devices to administrative and access controls, as well as the logical security of software applications.

When properly implemented, robust data security strategies not only protect an organization’s information assets against criminal activities but also guard against insider threats and human error. In a simplistic sense, data security is not unlike Coca-Cola's secret recipe, which is locked in a vault, or The Hershey Company’s secret laboratory, which concocts Hershey Kisses.

The key to applying an effective data security strategy is adopting a risk-based approach to protecting data across the entire enterprise. Early in the strategy development process, corporate stakeholders should identify one or two data sources containing the most sensitive information and strengthen their security. Thereafter, they need to extend these best practices across the rest of the enterprise’s digital assets.

Here, briefly, are some important best practices.

+ Prioritize access control. This data security process enables organizations to manage who is authorized to access corporate data and resources. Access controls verify that users are who they claim to be and ensure that the appropriate access levels are granted, or withheld, for each employee.

+ Secure all endpoints that contain or may contain corporate data. In the past, securing traditional, corporate-owned endpoints such as laptops and desktops was enough. Not anymore. Personal and unmanaged devices such as smartphones and tablets have just as much access to sensitive data as other endpoints. And many mobile apps with messaging functions are susceptible to phishing attacks.

+ Take security monitoring seriously. Some organizations were unaware they had been attacked until it was too late. So it is essential to ensure that appropriate tools are in place to quickly gain insight into a cybersecurity event. In-depth monitoring and next-generation early warning tools are particularly valuable.

+ Encrypt data. If access control is the bedrock of a data security policy, then encryption is the cornerstone. It’s non-negotiable for sensitive data, whether at rest, in use, or in transit. If access control fails, encryption still renders the data illegible to whoever obtains it.

Especially for smaller companies, it’s sometimes tempting to adopt some, but not all, of the aforementioned security steps. It may seem like overkill but isn’t. Hackers are ubiquitous and have ready access to loads of attack tools on the dark web. Meaningful protection requires constant security review.


Contributors
Robert Ackerman

Founder/Managing Director, AllegisCyber, AllegisCyber Capital
