Let's discuss Data Security vs. Computer & Network Security
A few years back, during the opening Keynote of the RSA Conference, Art Coviello, the CEO of RSA, came onstage and made a presentation that left everyone with a strange feeling. For twenty minutes, he made the case of how the security industry was failing. He showed statistics about how data breaches were going up, how there were more vendors in the industry, and how more money was being spent on security without a valid return on investment. What was unsettling is that he did not present any solutions to the problem. He was basically presenting the problem to the audience, whom he considered the most important security experts in the industry.
I think if he did the presentation today, he would still be right. The cyber security market is estimated to grow to $170B by 2020 with a CAGR of 8.1%. According to Gartner, the average selling price for firewalls is going up 2-3% per year. Inspection and DLP are deployed more and more. On the other side, data breaches, and the amount of information breached is growing year over year. There are 3.9M records breached EVERY DAY. Sadly, we have not made huge progress as an industry.
Threats come from inside the walls too
One of the reasons for this is the perspective that we take on the problem. Over the last 20 years, people have been building walls. Security was all about building a fortress around your network. These walls were designed to protect the infrastructure from external attackers and prevent them from coming in and stealing data. But this approach did not cover major risk areas like insider threats. For example, employees looking for a second stream of revenue, to launch new careers, or simply to sabotage the organization. It also did not include the larger threat of willing employees that may misbehave by mistake. Employees getting phished for passwords can be the weakest link in your organization. Humans are fallible after all, and this is where attackers are increasingly focussing their efforts.
Lately, there has been a shift in perspective though. Organizations are starting to monitor and secure their entire infrastructure. Many vendors are now offering solutions to do this including using AI analysis and plenty of new and cool technologies. This handles the problem from the same end of the stick though, the attacker perspective by trying to understand what the attacker might do, and prevent the attack from happening. This is a never-ending battle, as attackers are smart, so they will continue to find new ways to get at an organization's infrastructure and data. On the flip side, we continue to spend more money building better walls and surveillance apparatus.
Data Security vs. Computer & Network Security
In order to solve this problem, we need to take a different perspective. We need to look at what we are trying to protect - data. If we can protect data, the walls become irrelevant. Do you know where your sensitive data is? Do you know where your sensitive data is stored? The large majority of data leaks reported to the federal government for HIPAA violations were leaked from servers by hackers or IT mistakes (like reducing security levels to apply a patch and forgetting to re-enable it).
With the explosion of unstructured data, and the growing adoption of cloud solutions, including file sharing and collaboration solutions, data is now in more and more locations making it harder and harder to secure. Just look at the Microsoft Suite: it started with Exchange and file servers, then Sharepoint, all three went to the cloud, and then add Yammer, OneDrive, and Groups. Now you can find data in a whole host of locations, and I haven't even mentioned Slack or Box.com. So how do we reduce our risk in light of this increase in sharing locations, especially when the weakest link is the user?
Secure your assets in 4 steps
I'd like to propose a 4-step process to solve the issue. The first step is to run a data audit (our data audit guide can help) to identify where your sensitive data lives. The second step is to decide the value of the data, and whether or not it needs to be secured or destroyed. The third step, remediation, allows you to change processes or train users on where sensitive data should be located. Finally, a monitoring program where you regularly audit your locations at low cost ensures that you continue to minimize your risks over time.
This four-step process will help you take a fresh perspective on security by looking at the data you care about instead of focusing your efforts on staying one step ahead of the attackers. There is no point in building a fortress with gun-carrying guards protecting the perimeter if there are stacks of cash all over the place. Why not take that money and put it in the bank?