DXC Technology recently sponsored a cybersecurity survey and report by Harvard Business Review (HBR) Analytic Services that asked executives at organizations around the world how they are responding to the latest cybersecurity challenges, such as remote work and an expanding attack surface. In the area of data protection, 52 percent of executives listed “data theft” as their top concern. DXC’s Data Protection Leader Uwe Woehler shares his insights on how companies can mitigate threats to data.
Today’s organizations face a data dilemma. Trends such as digitalization, cloud migration, remote work and bring your own device (BYOD) have resulted in large amounts of data no longer under the organization’s physical control. Sensitive information that was previously accessed through trusted networks is now accessed from a wide variety of private devices and unsecured networks. The ability to download and share at will makes valuable corporate data a moving target for opportunistic cybercriminals.
Clearly, companies recognize these vulnerabilities: About half of HBR survey respondents said detection and prevention of data theft is a “high” or “very high” security concern. But data access and functionality were a higher priority than security. In fact, when the organization expanded the collection and use of data, only 34 percent said security was incorporated into the projects every time or nearly every time.
Securing a moving target
Given these challenges, how do companies manage and safeguard their valuable data from opportunistic threat actors while keeping data readily accessible to employees, customers and partners?
In this environment, securing data by traditional methods — hard corporate network perimeters, VPNs and trusted devices — is no longer relevant or effective. Organizations need to shift their focus from protecting locations and devices to protecting the data itself. Methodologies such as Zero Trust can assist with this shift to perimeterless security, but today’s challenges also require a more systematic data protection and management methodology.
Get to know your data
To adopt a data-centric security approach, you first need to discover and classify your data — identifying what data you’re using, where it resides, how it flows through the company and where your vulnerabilities lie. You may employ the assistance of vendors, standard methodologies and automated tools to perform the discovery more efficiently. In the past, discovery and scan agents had to be installed on multiple points within the company infrastructure, but today you can use the built-in architecture of cloud providers such as AWS or Microsoft Azure to discover, classify and protect data.
A layered approach
The initial data classification should be performed by a data governance advisory team with the involvement of your trusted vendor(s), who can ensure that you have an integrated approach to data governance, data protection, infrastructure protection, identity management and risk management. In this stage, you begin to divide your data and infrastructure into classes based on level of sensitivity, internal vs. external users, and managed vs. unmanaged devices. You may have a few sensitive data classes that can only be accessed by an internal user with a managed device, or data that can only be handled in-house or by your own trusted partner tenants. This may be a time-consuming and exhausting process, but it’s more than worth the time investment.
Once you understand the relative value and sensitivity of the different sets of data within the organization, you can begin to assign different data access rules and protection methods accordingly. When these data governance tasks have been completed, you’re well on the way to a sound architecture for data loss prevention.
Good security doesn’t sacrifice usability
Of course, once you’ve assigned and implemented your data access rules, your users must be able to access the data easily. It can be tricky to hit the best balance between security and usability.
High levels of data protection such as public/private key pair encryption are necessary and appropriate in cases where the consequences of data loss would be dire. I’ve seen examples in many industries of single documents that could destroy whole departments if they became public. If not properly protected, critical information from human genome codes to credit card numbers could be shared with a competitor in a quick email.
Strong, multifactor authentication is also a key part of data defenses. I’ve also encountered a situation where an employee working from home on an unmanaged device downloaded hundreds of thousands of company documents, then forgot to delete them before he sold the device. The buyer then found the data and made it public.
On the other hand, you don’t want your salesperson who is about to give a presentation for a billion-dollar contract to be unable to access his files simply because he’s in another time zone and can’t find a manager with the key to unlock the data.
Around 90 percent of the average organization’s data can be protected through simple data loss prevention techniques rather than the more restrictive methods. Some middle-ground data may need to trigger an alarm and be blocked if it is traveling externally to the wrong locations or recipients, but it can be reclassified and then sent out. However, for the most sensitive data, encryption is the safest method because a user cannot copy or share data without getting the permission and key from an authorized person.
Cloud and security
While sharing data in the cloud has historically been considered a threat for security or regulatory compliance purposes, cloud-native architectures in fact offer significant advantages in terms of automated security tools. This integrated, ready-to-use functionality provides better protection than installing numerous individual tools and sensors on different systems on premises; it typically requires minimal adaptation for the individual company’s needs and can then be supported and monitored on an ongoing basis.
In essence, you can protect against cloud threats with cloud methods. For data with restrictive compliance requirements (on site, within country and so on), specialized methods such as public key encryption can be used to enhance cloud security by allowing data to be opened only with a second, authorized user key.
What lies ahead
Once you’ve gone through the comprehensive process of discovery and classification, you’re in a good position to protect your data in a manner that aligns with your business priorities. But with the immense volumes of data managed by most companies today and the increasing velocity of attacks on data, it’s good to have more tools in your arsenal.
In addition to the cloud-native tools we’ve discussed, some of the emerging automated and artificial intelligence (AI)-based tools offer great potential for strengthening data protection.
These tools can not only assist with data discovery and classification but can also detect suspicious patterns or vulnerabilities, such as users accessing data from unusual locations at unusual times, or thousands of data sets copied to a USB device.
While most companies are just getting started or are planning to implement some AI/machine learning functionality in the next year or two, I believe an AI-based focus will become more prevalent in the future: Attackers are very creative and more than happy to take advantage of these new technologies, so your defenses need to keep pace.