In 2016, over $18 billion was spent on cybersecurity, and it's estimated that almost a trillion dollars more will be spent over the next five years. Despite this, research shows that the problem is getting worse: data breaches are at an all-time high, and the severity of these attacks has never been greater.
The reason is not that we are unable to develop smarter, better technologies to secure our data, but that we deploy those technologies in a scattered, siloed way. We also fail to leverage most companies' greatest asset: their people.
Protecting data has always been a challenge, but there are a number of reasons why it's becoming harder in the digital age.
- Digitization of information: Unprecedented amounts of data are now online. If you burned all the data on the Internet to CD-ROMs and stacked them, the stack would reach past the moon, and the total is doubling every three years.
- We value convenience over security: People tend to trust other people. We share passwords, click on links when told to, and volunteer too much information on social media. Many people still reuse one password across all their apps, so a single leaked password hands an attacker access to every account that uses it.
- The anonymity of hacking: Attackers don't have to be sophisticated to hide their identity for most attacks. Only a small percentage of cybercriminals are ever identified, let alone caught, and even when they are identified they are often beyond the reach of local law enforcement.
- There is no adult in the room: Despite what people generally think, there are surprisingly few regulations that force companies to take reasonable steps to protect their data. Even in areas such as healthcare, regulations like the Health Insurance Portability and Accountability Act (HIPAA) lack clarity and are insufficiently enforced. In 2016, more than 27.3 million patient records were breached, yet the Department of Health and Human Services' Office for Civil Rights (the agency that enforces HIPAA's security and privacy rules) settled alleged HIPAA violations with only 12 healthcare organizations. Outside of areas like healthcare, finance, and government, most federal security enforcement has defaulted to the Federal Trade Commission, which relies on a broad, decades-old provision of the Federal Trade Commission Act (Section 5) that prohibits unfair or deceptive practices in the marketplace. In practice this means that only the most egregious violations are penalized, leaving the implementation of effective cybersecurity to the discretion of most business leaders.
So, in the absence of enforcement, what should we be doing?
- Understand what data you have. This applies to all data, not just valuable data. By classifying data by sensitivity, you can focus your efforts on protecting the most valuable data. This reduces the inconvenience and cost of trying to protect all data.
- Know where your data is. Data is not a physical object that lives in one place. The moment you view a Web page, for example, your browser has already made a copy of it. At any given time there can be many copies of a piece of data, both in storage and in transit.
- Know who has access to your data. This includes both theoretical and incidental access. If someone has no direct access but is authorized to request that data be shared with them, that is theoretical access. If, in the course of someone's duties, it is foreseeable that they will come into contact with the data, that is incidental access. In all cases, it is important to understand who has access and what level of access they have.
- Know what they're allowed to do with the data. Access to data must come with rules of use to ensure the data isn't shared or exposed in an unauthorized way. What's to stop an employee from publishing a private document on the open Web, exposing sensitive data, unless it has been made clear that this would be a violation? In addition, just because an employee has access to data doesn't mean they should access it whenever they like.
- Know how the data is being protected from unauthorized access. To answer this, you first need to address all the points above: the type of data, where it is stored, and who needs access determine which tools need to be deployed. Encryption, physical security, access management, and identity protection are all valuable tools, but if they protect only one copy of the data (the production database, say, but not the backups, exports, and e-mail attachments derived from it), they become ineffective.
Unfortunately, most companies skip straight to that last step. They select hosting providers, encryption methodologies, and sophisticated cybersecurity tools before they truly understand what they should be protecting, and they often spend tens of thousands of dollars on those tools while neglecting the most critical part: people.
Most of the biggest breaches of the last few years have begun with unsophisticated exploits, e.g., the US Office of Personnel Management, Anthem, Sony, and so on. I believe the most effective defense is to engage the workforce. Employees who understand where data is, when they should access it, how it should be used, and how it's being protected can become your front line of cyber defense.
Annual training is not enough, and imposing cumbersome processes that make tasks harder without explaining why will not encourage adoption. An invested workforce is far more valuable.
In summary, there are many great cybersecurity tools available today, but the greatest tool of all is your employees. Engage them effectively and you will not just make your company more secure; you may even save some money.