Navigating Enterprise Data Security Journey

essidsolutions

Today’s enterprise organizations encounter challenges when it comes to processing and storing data. The repercussions of suffering a cyberattack or data breach can often be much higher in the aftermath than the initial regulatory fine. Trevor J. Morgan, product marketing and product management, comforte AG, discusses why it is essential to find a balance between using data and the risks associated with collecting and processing it, or more crucially, losing sensitive data while doing so.

Through digital transformation, organizations are rapidly adopting more technology to improve operational efficiencies, which, in turn, increases their overall data consumption. The opportunity to monetize data cannot and should not be missed, especially when it is estimated that over 2.5 quintillion bytes of data are being generated every day.

Yet, with security incidents seemingly occurring on a regular basis, enterprises need to find the balance between using such data (whether it is sensitive or otherwise) and the risks associated with collecting and processing data, or more crucially, losing it while doing so. 

Knowing that the number of data breaches in 2020 is reportedly down by 52% year on year would seem positive news for most, but from a security perspective, seeing 2,037 publicly reported breaches is no doubt a major concern. It indicates that cybersecurity as an industry still has a lot of work to do.

Modern enterprises experience ongoing challenges when it comes to processing and storing data. The first challenge is the ever-growing number of data privacy regulations by which most organizations are legally required to abide. For several years, businesses have been collecting and using data freely. Yet, only recently have governments noticed the lack of data privacy and security precautions in place to secure valuable and highly sensitive consumer information. 

The first regulation to really shake things up in terms of how data privacy and security were viewed was the European General Data Protection Regulation (GDPR), which came into effect in 2018. Its creation took away the power from the big corporations and gave it back to European citizens who could ultimately decide how their data was to be used, if at all (certain limitations notwithstanding). It also set out strict rules for companies on how this data was to be used and secured. If enterprises showed any signs of non-compliance, then serious financial penalties would be applied. And they have been!


The depths to which GDPR went to help and benefit the everyday consumer set a precedent as to what was expected of businesses, and, as a result, many countries have since followed suit. In the United States, the California Consumer Privacy Act (CCPA) mirrors GDPR in many ways in that it has laid the ground rules on consumer data rights and how personal information is to be used. With the USA’s most densely populated state being one of the first to implement such a law, other states across the U.S. are trying to follow suit.

Furthermore, if you look further afield, you will find that Singapore, South Korea, Japan, Australia, New Zealand, and Brazil are among those within the international community which have formed their own data-protection laws stemming from GDPR’s creation. This puts new pressure on businesses when managing the privacy and security lifecycle of data both at a local level and internationally.

In addition to this, given the current pandemic, organizations are making more aggressive moves to adopt new cloud technologies as they seek agile and resilient architectures during this unstable period. The next challenge is one that every organization in the world is facing – managing the risk of data compromise. With the number of cyberattacks on the rise and organizations adopting more technological solutions, the overall attack surface is widening. In recent months, we’ve seen how even the most established companies have suffered highly publicized data breaches at the hands of cybercriminals.

This is undeniably a perilous time for organizations. The last thing anybody wants is to suffer a breach that will be detrimental to the business financially and result in reputational damage. This can actually have a more negative impact on the bottom line in the long run. As a result, many organizations are having to reevaluate their data architectures and data strategies. Fear is often a powerful motivating factor!

So, where are enterprises on their data security journey today? As it stands, a mixture of organizations exist at various ends of the data security maturity scale. Those that have taken a mature and holistic approach to data security are in a stronger position to tackle risk and threat mitigation concerns while also having the greater utility of sharing information. However, given the recent waves of data breaches, it’s evident that this approach is not being leveraged comprehensively throughout the enterprise world. If you observe some of the major breaches that have happened, a mixed approach is becoming quite pervasive. Organizations are likely being driven by regulatory risks as opposed to data risks, which are two very different peas from the same security pod. 

Consider the Capital One breach, for example. Due to the breach, 160 million customers had their sensitive information exposed. However, it is interesting to learn that a limited amount of data was actually protected by tokenization, a data-centric solution. Unfortunately, Capital One did not use this security method across the vast amount of personal data that found its way into the public domain.


With there being so much scrutiny on security and how today’s enterprises are protecting personal data, it is now their responsibility to obtain the necessary visibility into the asset base to find out what data they have stored and if they are compliant with the many regulations that are in play. This is where data discovery is valuable as it provides the necessary context to what data is in the systems, what applications are using what data, as well as helping to effectively classify the data, which can paint a holistic picture of the potential risks. 

To obtain the right balance between visibility, security, and data utility, enterprises should adopt a data-centric security strategy. The prime objective of this approach is to protect the actual data (rather than the environment around it) so that the key individual elements of the information stay secure (through obfuscation) as they move through different systems and business processes, whether that be analytics, AI workloads, or machine learning pipelines.

Individuals can still extract meaning from the data in its protected form without exposing the actual regulated and sensitive content to any risks. Isolating data is not a new approach, as segmentation approaches have long been used as a validated security model, but they become difficult to manage, especially if the organization has multiple cloud architectures and environments. Companies are, therefore, at the mercy of the underlying infrastructure security. Unfortunately, these generally prove to have vulnerabilities. 
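To make the point about extracting meaning from protected data concrete, here is an added example (not from the original article or from any vendor's product) in which sensitive fields are replaced by deterministic tokens and a per-customer aggregate is computed on the protected records. It assumes keyed-HMAC pseudonymisation as a stand-in for a tokenization product; the key, field names, helper functions and records are all constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed demo key (assumption): a real key lives in a KMS/HSM, not in code.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Assumption: this set would be the output of data discovery/classification.
SENSITIVE_FIELDS = {"ssn", "card_number"}


def tokenize(value, field, key=DEMO_KEY):
    """Deterministic keyed token: the same value in the same field always
    yields the same token, so joins and group-bys still work."""
    # Binding the field name keeps a token from one column from matching
    # the same raw value stored in a different column.
    msg = f"{field}\x00{value}".encode()
    return "tok_" + hmac.new(key, msg, hashlib.sha256).hexdigest()[:24]


def protect_record(record, key=DEMO_KEY):
    """Replace only the classified fields; leave the rest usable as-is."""
    return {
        name: tokenize(str(val), name, key) if name in SENSITIVE_FIELDS else val
        for name, val in record.items()
    }


def spend_by_customer(records, id_field="ssn"):
    """Analytics step: total amount per customer identifier (clear or token)."""
    totals = Counter()
    for rec in records:
        totals[rec[id_field]] += rec["amount"]
    return totals


# Constructed sample records (amounts in cents); not real customer data.
RECORDS = [
    {"ssn": "078-05-1120", "card_number": "4111111111111111", "region": "EU", "amount": 1200},
    {"ssn": "078-05-1120", "card_number": "4111111111111111", "region": "EU", "amount": 800},
    {"ssn": "219-09-9999", "card_number": "5500005555555559", "region": "US", "amount": 500},
]

if __name__ == "__main__":
    protected = [protect_record(r) for r in RECORDS]
    for row in protected:
        print(row)
    # Same per-customer totals as on the clear data, keyed by token instead.
    print(dict(spend_by_customer(protected)))
```

Unlike vault-based tokenization, an HMAC token cannot be reversed to the original value, and low-entropy fields remain guessable by anyone who holds the key, so access to the key has to be controlled as tightly as access to the data itself.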

The repercussions of suffering a cyberattack or data breach can often be much higher in the aftermath than the initial regulatory fine. Then, when you take into account reputational damage, which can linger even after the dust settles, it can be a long road for any organization to regain the trust of consumers and sometimes an unsuccessful one. Therefore, it is imperative to adopt a security solution that is sustainable, holistic, offers regulatory compliance, but most importantly, secures the sensitive data throughout its entire lifecycle.
