Data Security, challenges, and the light in the dark tunnel
By: Mo.Reda, Cybersecurity Expert and President of Allied International
The Environment
As ubiquitous as the term “data security” has become, its definition resides only at the conceptual level. At a more granular level, it is unique to every organization. For larger organizations, it is layer after layer of specialized products. For smaller firms with significantly fewer resources, it may be reliance on native security solutions. Every firm’s data may be valuable for different reasons, but it is valuable, and that is what makes you a target. Differences aside, the common thread for organizations across the spectrum – small to large, industry to industry – is the need to protect the data.
As the world progresses further into this digital age, the infrastructure required to support the current paradigm is growing exponentially more complex and expansive. At best, the perimeter is blurring; more likely, it is dissolving. This was the case even before the world was impacted by COVID-19. Never before has the enterprise network been as extended as it is now, and by all discernible indications it is never going back. The world is becoming more virtual, less tangible. Organizations need to adapt to these changes and do so by deploying solutions that are flexible enough to adapt to the next change automatically or easily. If we have learned anything in recent months, it is that change doesn’t always come slowly.
These complex infrastructure architectures are often more patchwork than a framework – a fragmented network of disparate productivity, compliance, and security solutions cobbled together across on-premise and cloud environments – leaving significant gaps in function and security. Even the newest modernized solutions have significant gaps. Cloud infrastructures are under attack like never before, and errors and misconfigurations are leaving organizations vulnerable. Perhaps the largest such remaining gap is at the data itself. The term “data security” is almost always a misnomer or at least more of a targeted derivative of a focus on something else entirely. In reality, current data security is more network security – end-point monitoring, anomaly detection, malware prevention – than it is data security – creating a false sense of security. Data breaches are more frequent, more expensive, and last longer than in previous years. (1)
Additionally, if the threat of data breaches is not enough to keep you up at night, an increasingly complex web of compliance regulations is being implemented. These regulations are often burdensome draconian measures that cost businesses significant amounts of money to implement and maintain. Compliance with existing standards, as well as the adaptability to quickly meet new regulations, requires a significant level of control over your data. This is important because compliance needs to be woven into the fabric of your data security solution from the beginning, allowing you proper insight into and control over your data to meet ongoing and changing compliance requirements with minimal burden.
Gaps created by the siloed approach to data security
The current approach to data security is to layer disparate, specialized solutions on top of native security to monitor and, hopefully, close gaps created by today’s complex systems architecture. The problem is that organizations can only go so far before destroying productivity, rendering the solution counterproductive. As long as gaps remain, bad actors will always find ways to exploit them.
Network Security: Necessary, but insufficient
End-point monitoring, threat and anomaly detection, anti-malware – all necessary components of a modern systems architecture. However, even when combined, these solutions fail to see the full threat environment, and therefore should not be relied upon to provide adequate protection. End-point monitoring, for example, fails to determine and stop threats from internal or trusted sources, leaving you exposed to significant vulnerability.
Current Data-Centric Solutions: Incomplete
The idea of protecting the data itself is nothing new, and there is no shortage of solutions available in the market. From encryption to audit trails to identity and access control – organizations need to weave together many individual solutions to provide the required insight and control at the data level. And even then, simply based on the current designs of available products, significant gaps continue to be present. Encryption, as a common example, may protect the data in some ways but fails to provide immutable insight into who has accessed the data, which trusted sources are bad actors, and how many copies of that data are living, and it renders the data less valuable because it cannot be easily searched or mined. Many of these solutions also weigh down system infrastructure.
Understanding the Threat…
To adequately defend against data breaches, one must fully understand the scope of the threat. When most people hear the term “hacker,” their mind immediately goes to the Hollywood version of a foreign-looking individual working under the glow of computer monitors. In reality, the threat is much broader than that and much closer. Eighty-five percent of victims and subjects reside in the same country. (2) It is the call-center representative making money on the side selling the personal information of your customers. It is the engineer you have dutifully employed on your most important project taking your intellectual property to your competitor and leveraging it for a job offer. It is your overworked network administrator making a simple configuration mistake. And yes, it is the hacker in some not-so-far-away land breaking into your network, sometimes with unwitting accomplices in the form of careless employees giving away their credentials. While fewer than one-in-twenty breaches exploit
…and the solution
When the threat comes from both the inside and outside, through the front door, as well as the back, you need a complete solution that gives you security and transparency at each of those levels. You also have to understand that, in reality, true zero trust – a common buzz-phrase touted by many security platforms – is impossible to implement. This means you need both defensive and offensive weapons in your arsenal. Data remains accessible in the capacity required for your organization to function, but if removed from your ecosystem, by anyone, it is rendered inaccessible and destructible.
The Cost of Being Unprepared (3)
There are nice-to-haves and there are need-to-haves, and data security certainly falls in the need-to-have category. But do you need another layer? Decisions around systems architecture and product deployment are like any other business decision: a cost-benefit analysis within the context of which of those two categories it falls under. Consider this: despite the current model, data breaches are becoming more frequent, more expensive, and taking longer to contain, providing clear evidence the current model is not sufficient. Also, ask yourself, how are governments going to look to replace some of the tax revenue lost due to the COVID-19 pandemic? Regulatory enforcement.
If you are an enterprise-level organization, the answer is obvious. Seventy-two percent of breaches involved large business victims. (4) However, small-to-medium size businesses were not immune, and for them, the costs were significantly higher. While large organizations faced a total cost of $204 per employee, for small businesses the cost was $3,533 per employee, showing a disproportionate burden on smaller organizations. For many of them, data security is a matter of survival.
Table 1. Consolidated Data from IBM Security 2019 Report