Despite many organizations’ significant cybersecurity investments, sensitive data breaches continue to occur at an alarming rate and have a devastating impact. There are many reasons why these breaches and corresponding effects continue to occur, such as the quickly rising rate of data collection and increasing storage, business and technology innovation (e.g., the Internet of Things and cloud computing), the extended enterprise, inherently flawed technology, and the reliance on outdated security standards and corresponding controls that can’t keep up with attack vectors. Cyber attackers are extremely skilled, well funded, and organized. If an organization has something desirable (such as personal information and intellectual property), attackers will stop at nothing to get inside.
Organizations need to fundamentally change their approach to data protection. For decades, many organizations have spent their time, money, and resources on traditional approaches to data protection and corresponding controls (including identity and access management, vulnerability management, and application security) with the intent of keeping cyber adversaries out of their network and applications and off of their infrastructure. However, breach trends show that although these fundamentals are necessary, relying solely on them isn’t enough and doesn’t work. Organizations need to acknowledge that their cyber adversaries can reach their most sensitive data, and focus more of their time, money, and resources on solutions at the data layer itself.
Data protection from the inside out doesn’t mean that traditional data protection capabilities aren’t necessary or that we should throw our hands in the air and quit. Organizations must continue to implement and maintain these basic capabilities. However, these traditional data protection measures need to be viewed as more of a deterrent to cyber threats than a complete fix. As an organization, view and treat your cyber adversaries in the same way you would treat a common criminal on your own.
For example, common criminals are less likely to break into a house with basic security measures (locks, fence, alarm system, camera/surveillance system, dog). However, if you have something they really want (say, jewelry), are these measures really going to stop them from getting in? No, a determined and sophisticated criminal is going to spend the time and money, and work with the right team, to get into the house and find your valuables. However, as an additional measure, you could store your valuables in a secure safe within the house. That would help protect your valuables “from the inside out.”
Inventorying and classifying sensitive data and assets, as well as maintaining the inventory, is the foundation of your efforts, and incredibly important to data protection. However, many organizations either don’t have an inventory; think they have one, but in reality don’t; or create an inventory without a means to keep it up to date and accurate. Not to oversimplify, but you can’t protect what you don’t know you have. You can’t universally apply data protection capabilities and technologies (e.g., encryption) to “all” of your data because of the cost, and the effectiveness of some data protection solutions (e.g., data loss prevention) is limited without data classification.
Implementing data protection capabilities at the data layer can help to both prevent and detect data breaches at an organization’s last line of defense. These capabilities include preventative solutions such as information rights management, as well as detective solutions such as data loss prevention, data access governance, and database activity monitoring. The adoption rate of these solutions seems to be relatively slow, and even when they’re implemented, their full capabilities often aren’t utilized.
Reducing the value of sensitive data is perhaps the most important principle, and it’s based on the premise that it’s not “if” but “when” a data breach will occur at your organization. One way to reduce the value of sensitive data is to encrypt, tokenize, or obfuscate the data to render it difficult to use when compromised. A second way to reduce the value of sensitive data is to securely destroy it when it’s no longer necessary for legitimate legal or business purposes.
Protecting sensitive data is a complex challenge that requires a holistic and comprehensive data protection strategy, executive support, and investment of time, talent, and funding. Implementing individual data-centric solutions in a siloed manner, and without integration, can lead to critical gaps in an organization’s security. Traditional measures alone are no longer sufficient, so it’s time to change the game.
Dan Frank currently leads Deloitte & Touche LLP's Privacy and Data Protection service offering in North America. His professional experience includes 19 years in privacy, data protection and cyber risk management. He has helped numerous organizations with various aspects of ... View Full Bio