We are living in the age of data. Every business processes at least some data with varying degrees of complexity, in one way or another, however, despite the rising importance of data, we are not really seeing a proportional increase in data security. Consequently, the Verizon Business 2021 Data Breach Investigations Report revealed that the number of data breaches has increased by a third as companies are migrating to the cloud at a faster pace due to the COVID-19 pandemic. Even as more businesses resume more normal operations, data security absolutely must not take the back seat to productivity or operational agility.
When hosting data online, organizations should remember that even if you put the proper mechanisms in place, a large proportion of the information stored in the cloud is not adequately protected under default security controls. In some cases, developers may leave sensitive information in a public GitHub repository. This potentially consequential oversight, along with lax security controls on internet-hosted databases, means that if not properly audited, sensitive data actually can be indexed by Google’s public search engine, or even a database port that allows access to information through a browser might be exposed.
In the digital age, practically everything can be found online, and most sophisticated data breaches originate from an exposed repository or database in plaintext or with a secret key on GitHub. These inadvertent exposures are generally the direct result of human error, rendering cybersecurity investments redundant. As a matter of fact, a majority of cybersecurity incidents are a direct cause of human oversight and common mistakes. For example, Google’s public search engine itself can index and display sensitive information, which can lead to subsequent breaches.
One of the key lessons that we learned early on is that the impetus behind most data processing systems is thousands of lines of complex code. These often-expensive software solutions are generating and managing complex data-oriented tasks, and many CISOs will point their fingers at the code (or an unfortunate intern) following a data breach, but this is rarely the case. The code that makes up data security software is one of the most sophisticated aspects of your infrastructure. If you look at the biggest data security incidents, many start with the simplest attack vector: social engineering or human error.
How can enterprises use tools to manage risk?
This raises the question: what can we do to protect the sensitive data we've been entrusted with? Every organization, no matter the size, is going to lose track of data, and more importantly, highly sensitive data containing potentially valuable information that threat actors covet. Regardless of the IT processes that you have in place, the exposure of sensitive personally identifiable information (PII) or business secrets has become a true reality.
The first step to ensure that your data remains secure is to understand what iterations of data you truly have. Ask yourself: does your enterprise have a clear definition of what sensitive data is to your company? If the answer is yes, then you are in a good place to start implementing company-wide data security controls and methods that actually protect the data itself, rather than just erecting (ultimately porous) walls around data storage repositories. We call this approach data-centric security.
Look no further than the ever-expanding IoT infrastructures when considering the constantly growing attack surface of modern organizations. Think of the images on your phone, tablets, or computers. These devices are a wealth of information, and the digital age has allowed practically unlimited reproduction and duplication of data to occur. Are you certain that you can trace your data or who has come into contact with it with precision and certainty? Understanding this data discovery and lineage process is essential for organizations to put together a data protection policy, because to put it bluntly, you can’t protect what you do not know exists.
Enterprises absolutely need to utilize the proper tools that leverage automation and intelligence to find and understand the data and let that discovery define protection controls downstream. Data-centric security is a very good place to start when considering ways to prevent a data breach, but an even better starting point is to know what data—and the level of information sensitivity—your organization possesses before you begin to consider what type of data-centric security is most optimal.
