We live in a world shaped and driven by data. On a daily basis, our smartphones, laptops and other connected devices share data with organizations about our habits and behaviors. Asaf Kochan, co-founder and president at Sentra, unpacks why the private sector needs to upgrade to smarter strategies to protect sensitive data.
Enterprises and organizations collect and store valuable data about their customers and their own operations, using this data to inform changes in strategy. The sheer amount of data grows rapidly on a daily basis as information is copied, shared and sent between users and organizations.
For four years, I served in the Israel Defense Forces as a commander of Unit 8200, a well-known elite force in intelligence and cybersecurity. During my time in Unit 8200, I saw the consequences of a world in which data is spiraling out of control. Bad actors operated without any fear of being slowed down or caught in vast pools of unsecured, copied or forgotten data. These can be referred to as “thriving meadows” or “candy stores.”
When a bad actor manages to get into such an environment, it’s extremely easy for them to reach and extract valuable information. Imagine a young child being let loose in a candy store with no adult supervision and no lids or locks on any of the jars. You wouldn’t be surprised to find them grabbing everything they can reach.
Today’s enterprises recognize the need to protect their most valuable information, but they often don’t realize that they have created their own unlocked candy stores. Employees may be copying and sharing sensitive data to make their workflows easier, or valuable data sets may be shared with third-party service providers that don’t maintain adequate security protections. We’ve reached a point at which most organizations don’t know where all of their sensitive data is being stored.
To combat the problem of thriving meadows, we need a new cybersecurity approach that focuses on the data, ensuring that no candy stores exist to attract bad actors.
See More: Five Reasons Why Data Privacy Compliance Must Take Center Stage in 2023
The Opportunities and Challenges of Limitless Data
The exponential growth in data has led to tremendous opportunities for innovative businesses around the world. Data makes it possible for businesses to do a better job of giving their customers and clients the services and goods they’re looking for. Data and AI allow organizations across a variety of industries to make their work faster, more efficient and more sustainable. Data is here to stay, and we’re better off as a result.
However, our limitless data future presents key challenges from a security perspective. Data breaches caused by simple human error are at the root of most cybersecurity breaches.
The challenge of designing security solutions for this data-rich environment is that the vast majority of data isn’t sensitive or valuable — from the perspective of a business, it’s insignificant. Yet most organizations today seek to protect the entirety of their data without understanding exactly which assets need to be protected. This problem is made even worse by outdated technology. Organizations rely on security tools built prior to the cloud era, designed to protect architectures that look completely different from what we use today.
Organizations must focus on securing the data to eliminate candy stores and guard against modern security threats.
Protecting the Data that Matters
We need to be realistic about our current technology environment. It is not possible to prevent every breach. However, being realistic is not the same as being afraid. Organizations can take steps to ensure that even if they are breached, the bad actor will not be able to pivot and gain access to valuable information. They may get into the candy store, but the jars and boxes will be locked tightly.
An effective security regime will protect sensitive data assets from the most likely attack vectors. A three-step approach is critical:
- First, an organization must catalog and map all data assets. It’s impossible to fence in a thriving meadow if you don’t know where they’re located.
- Once the organization understands where the data resides, the next step is to separate data that has business value from data that is insignificant to the business itself. Protecting our exponentially-growing data sets would be an insurmountable task; protecting the data that holds actual value is an achievable goal. Data should then be classified according to its business risk, establishing the potential impact if data were to be lost or stolen.
- Finally, the organization must take steps to shrink its data attack surface. The more unprotected sensitive data you have, the more likely you’ll become the victim of a data breach. Businesses can shrink their data attack surface by reducing the number of users with access to sensitive information. They can also take steps to secure the data itself or delete it entirely. Whether the data is at rest or in transit, its security posture should always travel with it.
The challenge of protecting data at the enterprise level is hard and getting harder. Separating out the comparatively small amount of data that matters from the massive amounts of data that doesn’t matter makes it possible for organizations to wrap their arms around the problem and truly secure their business.
A World Without Thriving Meadows
Technology moves quickly. Big data often serves as the fuel for businesses chasing new innovations, and the resulting solutions make our lives easier, more efficient and more enjoyable. However, it is long past time for enterprises to recognize the danger posed by their growing data sets – those who chase speed at the expense of security could become the victims of costly attacks.
Data must become the focal point of today’s security postures. By discovering, classifying, assessing and, finally, protecting data with real business value, we can move towards a world where all the candy stores are identified, monitored, and secured.
How are you ensuring that your sensitive data is protected from evolving threats? Share with us on Facebook, Twitter, and LinkedIn.
MORE ON SENSITIVE DATA PROTECTION