Most organizations have a view of data security that’s not only outdated — it’s practically medieval.
Granted, data breaches — at least, as we know the term — didn’t occur back in the Middle Ages. However, the approach that many of today’s organizations take in protecting against data breaches is quite similar to the strategy that kingdoms of old once employed to protect their people and their riches.
Lessons from history
In the old days, castles were protected by a series of defenses — beginning with the castle walls, which had to be tall, thick and strong enough to prevent armies from scaling over them. For added protection, a castle might have earthworks and moats outside its walls that would slow down attackers sufficiently so that defenders on the castle walls had time to repel the attackers.
Such defenses were once state-of-the-art. But eventually, catapults, attack ladders — and later, artillery — made even the most formidable castle walls basically irrelevant. In fact, history teaches us that whenever one group tries to protect their valuable possessions, just as surely, an enemy will develop ways to get over, under, around or through their defenses.
Now picture your organization and its assets as a castle, with state-of-the-art defenses. The lesson of history — and for that matter, of countless recent headlines — is that no matter how robust your lines of defense, the people who want to get their hands on your data will find ways to get past your defenses.
Know your blind spots
Many organizations have two fundamental blind spots when it comes to data security.
The first is to assume that their firewall will somehow keep out all intruders, forever. In fact, we’re seeing that cyber attacks are increasing, not only in number but also in their levels of sophistication, adaptability and scope. According to a recent CNBC article, it’s already looking like 2016 will feature more cyber attacks than we’ve ever seen before. Given this, I recommend that organizations start with the assumption that attackers will get past their firewalls and exterior defenses. Then they should focus their planning on what’s inside the castle walls that may be vulnerable, and take all the steps necessary to protect it.
The second blind spot is to think that all your data must have the same level of protection. In fact, it’s likely that only certain elements of your data present potential danger to your organization if stolen and released. In most cases, the most potentially explosive data, by far, are the data elements that could enable hackers to expose, extort or leverage another individual.
Among the most common examples are data elements that comprise personally identifiable information (PII) — and fortunately, many organizations do try to protect these assets. However, the reality is that it’s often the combination of data elements that creates the most risk in breaches.
For example, if a series of your customers’ birthdates were exposed, not much would happen as a result. But if hackers also gained access to the corresponding email addresses and birthplaces, they would have a good starting point for hacking into those customers’ individual accounts (such as banks, credit cards and personal email). This is why it’s so important to recognize and manage the relationships of potentially risky data element combinations.
Another important point to remember is that your customers’ or clients’ PII elements are probably spread through your information systems. If you wait until you’ve been hacked, it won’t be easy to find and lock down every instance in time. For example, it’s easy to locate and monitor the field in your customer database labeled “Social Security Number” … but unless you take the time to conduct a data inventory and properly manage your metadata, a rushed search might miss other instances — such as a column in a spreadsheet labeled “Cust. SS#.”
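As an added illustration (not code from the original article), a data inventory pass can normalize column labels so that “Cust. SS#” and “Social Security Number” resolve to the same element type, then check whether the risky combination described above is held anywhere across your systems. The label patterns, source names and combination list below are assumptions constructed for the example, and the cross-source check assumes the sources describe the same customers.

```python
import re

# Label patterns per element type: assumptions for illustration, tune per organization.
PATTERNS = {
    "ssn": re.compile(r"\b(ssn|ss|social security)\b"),
    "birthdate": re.compile(r"\b(dob|birth ?date|date of birth|birthday)\b"),
    "birthplace": re.compile(r"\b(birth ?place|place of birth)\b"),
    "email": re.compile(r"\be ?mail\b"),
}
# Element sets treated as risky when all are present (assumed list for this example).
RISKY_COMBOS = [frozenset({"ssn"}), frozenset({"birthdate", "email", "birthplace"})]

# Constructed sample metadata: source name -> column labels.
SCHEMAS = {
    "crm_db.customers": ["id", "Social Security Number", "DateOfBirth", "full_name"],
    "marketing.xlsx": ["Cust. SS#", "E-mail", "segment"],
    "loyalty_db.members": ["member_id", "birth_place", "points"],
}

def normalize(label):
    """'Cust. SS#' -> 'cust ss'; 'DateOfBirth' -> 'date of birth'."""
    spaced = re.sub(r"(?<=[a-z])(?=[A-Z])", " ", label)  # split camelCase
    return re.sub(r"[^a-z0-9]+", " ", spaced.lower()).strip()

def classify(label):
    """Return the set of element types a column label appears to hold."""
    norm = normalize(label)
    return {elem for elem, pat in PATTERNS.items() if pat.search(norm)}

def inventory(schemas):
    """Map element type -> list of 'source:column' locations holding it."""
    found = {}
    for source, columns in schemas.items():
        for col in columns:
            for elem in classify(col):
                found.setdefault(elem, []).append(f"{source}:{col}")
    return found

def risky_combinations(found):
    """Return each risky combination whose elements all appear in the inventory."""
    return [sorted(combo) for combo in RISKY_COMBOS if combo.issubset(found)]

if __name__ == "__main__":
    found = inventory(SCHEMAS)
    for combo in risky_combinations(found):
        print("RISKY:", " + ".join(combo))
        for elem in combo:
            print(f"  {elem}: {', '.join(found[elem])}")
```

Label matching only produces candidates: a hit should be confirmed by sampling the column’s contents, and columns with uninformative names will be missed without content-based scanning.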
The big takeaways
For all the reasons stated above, it’s important now, before you’re hacked (or before you’ve been hacked again), to take the steps needed to determine the exact locations of your most sensitive data, as well as who accesses it and how they use it. Doing so will allow you to more strategically focus your encryption, masking, obfuscation and other data security efforts.
What’s more, you’ll know exactly which databases and systems must be locked down immediately in the event of a data breach. For the best results, you need to exercise robust metadata management and identify any risky data element combinations. This will help you fill in an additional gap — by allowing you to establish rules and systems to monitor for suspicious data utilization patterns even before you realize a hacker has gotten inside your castle.