It’s no secret that cyber attacks are becoming more frequent and more sophisticated, leaving many businesses wondering when, not if, they will be the victim of an attack. Unfortunately, the latest government figures back this up. According to the 2018 Cyber SecurityBreaches Survey 2018, 40% of UK businesses have experienced a cyber security breach in the last 12 months, rising to 72% among large businesses consisting of 250 employees or more. The average cost of a breach for a large business where data or assets were compromised was £22,300, as a result of lost productivity, additional staff hours and new security measures to prevent future attacks. Of course, that’s before reputational damage or regulatory fines are factored in as well.
Despite this growing threat, many CEOs and CIOs are still doggedly focusing their security efforts on perimeter defence techniques, investing huge sums of money in a vain attempt to keep attackers out of their networks, servers and applications. In reality, emphasis should be placed on securing the data contained within, rather than the increasingly vulnerable walls surrounding it because ultimately, this is what attackers are after.
The good news is there’s a growing acknowledgement that things have to change. More and more companies are starting to move beyond their laser focus on traditional firewalls and anti-virus software and are instead shifting towards the need for better identification, control and security of their sensitive data assets.
Strong security starts with knowing what needs protecting
For any organisation looking to take a more data-centric approach to its cyber security, the best place to start is with a comprehensive data taxonomy. After all, it’s impossible to put effective security measures in place if you don’t know what you’re trying to protect. Taking the time to classify and structure data not only helps a business understand the full scope of its security needs, it makes it signficiantly easier to extract meaningful value from it too. As such, it is almost always time well spent.
Understand where the most sensitive data resides
Once a data taxonomy has been completed, data needs to be tiered based on its sensitivity and location. This can be done however the organisation wishes, but the most common tiering categories are generally some iteration of Public, Private, Restricted and Confidential.
How much data resides in each tier tends to be heavily influenced by the sector in which the business operates. For example, financial institutions and government organisations tend to hold more confidential information than many other sectors. Additionally, merchants that accept credit card payments also oversee a wealth of confidential customer information that requires stringent protection. Regulations such as the Payment Card Industry Data Security Standard (PCI DSS), as well as the recently imposed General Data Protection Regulation (GDPR) can impose hefty fines on such organisation found to be in breach, making data security more important than ever.
Tiering data in this manner helps organisations identify where the security focus should lie and decide what kind of safeguards will need to be put in place for each tier.
Control who has access to it
Once data has been appropriately classified and tiered, the next step is to restrict access to those who actually need it. At this stage it’s important to remember that not all data breaches are malicious. Many are the result of unintentional carelessness from employees such as lost memory sticks or laptops. Adopting access control for sensitive or confidential data not only makes it significantly harder for malicious insider and outsider threats, it is also one of the fastest ways to eliminate unintentional breaches. After all, employees can’t lose what they don’t have in the first place..
This approach also ensures data remains secure regardless of whether it’s at rest, in transit or in use. When combined with security best practices like data awareness training, it can be far more beneficial than relying on firewalls and anti-virus software.
Use data-centric technologies to further strengthen security
For any organisation looking to take its data protection one step further, there are also numerous data-centric security technologies designed to do just that. Data loss prevention (DLP), cloud access controls, encryption and data visibility strategies can all supplement/complement a successful program, providing even more robust protection against today’s challenging online environment.
Despite the alarming rise in cyber-attacks over recent years, it’s important to remember that a data breach doesn’t automatically result in data loss. Adopting a data-centric approach instead of focussing solely on perimeter defence can make all the difference in the event of such a breach. Basic data-centric protection doesn’t have to be complicated either. Simply taking the time to identify what sensitive data there is, where it resides and who should have access to it, can significantly strengthen any organisations defences. For those that wish to take it further, there’s a host of data-centric solutions now available can be combined to create a fully comprehensive security solution for only modest investments.