With the advent of cloud computing, social media and mobility, data is moving and proliferating at pace across borders, platforms and applications, very rarely staying within the secure perimeter of the enterprise.
In addition to this, an increasing number of organisations are placing greater emphasis on their core business competencies and handing over their peripheral concerns – such as supply chain management, human resources, payroll and so on – to dedicated external firms. These firms must all receive access to business critical data in some measure, increasing the potential number of weak spots in data security. In many cases this practice may result in duplicates of a single company’s data being stored in multiple borderless systems.
In a world without borders, the task of locating, securing and controlling that data is particularly challenging, especially at a time when the shift towards cloud is only accelerating. In fact, with most critical data now residing outside of the corporate perimeter, the traditional fortress-building strategies businesses have used to de-risk company data are no longer a viable option.
Determining data identity
Recent Ponemon research into how UK organisations are approaching data security reflects the challenge, revealing that businesses are struggling with enforcing procedures fit for the digital era.
Within the study, 55 per cent of IT and IT security professionals professed that not knowing where sensitive or confidential data resides is one of their biggest concerns, with many failing to identify that data at all.
What’s more, despite the trend towards the cloud enveloping the enterprise, UK businesses have no idea what risks more than half of their cloud data (58%) and nearly a third (28%) of their on-premise data are exposed to. In fact, 32 per cent of respondents admitted they are not confident in their ability to proactively respond to a new cloud threat.
This ignorance can only contribute to the preconception that the cloud is inherently riskier than on-site data storage, and ignores the main fact that a shift in security posture is essential to future data strategy.
A data centric approach
One of the most significant findings of Ponemon’s research was that only a quarter of UK businesses have a process for discovering and classifying the sensitive or confidential data in the cloud, and less than 45 per cent have one for data on premise.
This stark reality is particularly concerning considering the pressures of an advanced threat landscape that is rife with skilled and vigilant cybercriminals. The knowledge and resources which drive the cyber threats facing the modern enterprise were once the preserve of nation states. Advanced hacking tools and intel are readily available online and develop just as rapidly as the security protocols designed to resist them. In short, data security is no longer a case of hoping for the best and then paying off whatever ransom is demanded by the intruder, or fines for breaching EU data regulations.
The only way to protect what is most precious—the data—is to fundamentally re-architect security approaches to be data-centric. Security has to travel with the data, no matter where it goes. For security professionals this means adopting an approach that focuses on managing and securing all end users and tying them to the data they create. By identifying and analysing sensitive data, such an approach can then be applied to help thwart data theft, whether it’s from internal or external sources.
The key to making this happen is helping business users easily integrate, consume and analyse all types of data. From there, the organisation can understand where applications create sensitive information in databases and how the information is proliferated to other data stores for use by line-of-business applications, cloud services and mobile applications.
To comply, or not to comply?
Once upon a time, organisations would have resisted these necessary changes to security and suffered the fine; but financial costs are no longer the only burden of non-compliance. The real incentive for businesses to secure systems should be the risk that a data breach poses to customers and corporate reputation.
No company wants to be known for its failure to protect confidential information. The likes of Target and eBay are testament to the impact that a breach can have on brand equity, and highlight that consumers’ loss of confidence in business services can take a long time to repair.
In addition, growing consumer demand for strengthened data privacy, combined with the introduction of EU data protection regulations, serves as a reminder that organisations need to be able to convince the regulator that there are clear processes in place to manage and protect sensitive information, no matter how flexible their network and use processes.
This is especially the case now that regulations mandate the notification of a breach within 24 hours, and the ability to permanently delete data under the ‘right to be forgotten’. And that’s without mentioning other obligations to customers, employees and partners that add to this pressure.
Data security comes at a cost, but by implementing the correct tools and adapting data postures, data security in the age of mobility needn’t be the burden that companies seem to fear. When implemented effectively, a solid data strategy can act as the protective bubble that all corporate assets require.