Cyber security: three reasons why you may be protecting the wrong thing
- Published: Tuesday, 09 March 2021 09:10
For too long now, organizations have been focusing on protecting their network, when in fact they should have been protecting their data. Paul German outlines three reasons why this has been the case and why it matters.
Reason one: they’re called data breaches, not network breaches, for a reason
Looking back on some of the biggest data breaches the world has ever seen, it’s clear that cyber hackers always seem to be one step ahead of organizations that seemingly have sufficient protection and technology in place. From the Adobe data breach way back in 2013 that resulted in 153 million user records stolen, to the Equifax data breach in 2017 that exposed the data of 147.9 million consumers, the lengthy Marriott International data breach that compromised the data from 500 million customers over four years, to the recent data breaches due to exploits of the SolarWinds hack at the end of 2020, over time it’s looked like no organization is exempt.
When these breaches hit the media headlines, they’re called ‘data breaches’, yet the default approach to data security focuses on protecting the network - often to little effect. In many cases, data breaches see malicious actors infiltrate the organization’s network, sometimes for long periods of time, where they have their pick of the data that’s left unprotected right in front of them.
So, what’s the rationale behind maintaining this flawed approach to data protection? The fact is that current approaches mean it is simply not possible to implement the level of security that sensitive data demands without compromising network performance. Facing an either/or decision, companies have blindly followed the same old path of attempting to secure the network perimeter, and hoping that they won’t suffer the same fate as so many before them.
However, consider separating data security from the network through an encryption-based information assurance overlay. Meaning that organizations can seamlessly ensure that even when malicious actors enter the network, the data will still be unattainable and unreadable, keeping the integrity, authentication, and confidentiality of the data intact without impacting overall performance of the underlying infrastructure.
Reason two: regulations and compliance revolve around data
Back in 2018, GDPR caused many headaches for businesses across the world when it came into force. There are numerous data regulations businesses must adhere to, but GDPR in particular highlighted how important it is for organizations to protect their sensitive data. In the case of GDPR, organizations are not fined based on a network breach; in fact, if a cyber hacker were to enter an organization’s network but not compromise any data, the organization wouldn’t actually be in breach of the regulation at all.
GDPR, alongside many other regulations such as HIPAA, CCPA, CJIS or PCI-DSS, is concerned with protecting data, whether it’s financial data, healthcare data, or law enforcement data. The point is: it all revolves around data, but the way in which data needs to be protected will depend on business intent. With new regulations constantly coming into play and compliance another huge concern for organizations as we continue through 2021, protecting data has never been more important, but by developing an intent-based policy, organizations can ensure their data is being treated and secured in a way that will meet business goals and deliver provable and measurable outcomes, rather than with a one-size-fits-all approach.
Reason three: network breaches are inevitable, but data breaches are not
Data has become extremely valuable across all business sectors and the increase in digitization means that there is now more data available to waiting malicious actors.
From credit card information to highly sensitive data held about law enforcement cases and crime scenes, to data such as passport numbers and social ID numbers in the US, organizations are responsible for keeping this data safe for their customers, but many are falling short of this duty. With the high price tag that data now has, doing everything possible to keep data secure seems like an obvious task for every CISO and IT Manager to prioritize, yet the constant stream of data breaches shows this isn’t the case.
But what can organizations do to keep this data safe? To start with, a change in mindset is needed to truly put data at the forefront of all cyber security decisions and investments. Essential questions a CISO must ask include: will this solution protect my data as it travels throughout the network? Will this technology enable data to be kept safe, even if hackers are able to infiltrate the network? Will this strategy ensure the business is compliant with regulations regarding data security, and that if a network breach does occur, the business won’t risk facing any fines? The answer to these questions must be yes in order for any CISO to trust that their data is safe and that their IT security policy is effective.
Furthermore, with such a vast volume of data to protect, real-time monitoring of the organization’s information assurance posture is essential in order to react to an issue, and remediate it, at lightning speed. With real-time, contextual meta-data, any non-compliant traffic flows or policy changes can be quickly detected on a continuous basis to ensure the security posture is not affected, so that even if an inevitable network breach occurs, a data breach does not follow in its wake.
Trusting information assurance
An information assurance approach that removes the misdirected focus on protecting an organization’s network and instead looks at protecting data, is the only way that the security industry can move away from the damaging data breaches of the past. There really is no reason for these data breaches to continue hitting the media headlines; the technology needed to keep data secure is ready and waiting for the industry to take advantage of. The same way that no one would leave their finest jewellery on display in the kitchen window, or leave their passport out for all to see, organizations must safeguard their most valuable asset and protect themselves and their reputation from suffering the same fate as many other organizations that have focussed on protecting their network rather than their data.
Paul German is CEO, Certes Networks.