In the world of IT, security is one of its pillars. Today, claiming that your company or business is totally secure is a luxury no one can afford. Security always was, and always will be, a constant battle between you and the bad guys.
IT security used to be well defined. But that was decades ago. In ancient IT history, you would separate the network into different perimeters and put everything that mattered behind closed walls protected by a firewall. The real danger (and the dragons) remained on the outside. But then businesses required users to connect to the company network from the outside. Technologies like VPN and two-factor authentication emerged, and the security side of things still worked fine. That is, until the clear division between the inside and the outside world could no longer be assumed. Today it seems that users, connections, devices, and data are everywhere, and IT security has turned into a nightmare. Or has it?
Data classification challenge
Companies have always protected the data that was “mission critical”, the data labeled “top secret”. But today we are faced with a big data problem: putting everything behind a (fire)wall simply doesn’t work anymore. We must ask ourselves: does all the data even need the best possible protection? What happens if somebody discovers our data, or even takes it from us?
The first challenge has just presented itself: we need to classify data. Believe me – it’s a big challenge. Not all data is of the “top secret” variety; it can’t be, as that would hinder its business use as well. The trick is to clearly and correctly assess the risks involved. If somebody steals our public data, we don’t care. If we lose old data that is no longer of great use to us, we don’t care (much) either.
The challenge of effectively securing data lies in recognizing and understanding what truly matters. Securing all of the data at all costs is (too) expensive. Once we have classified the data, we know what really matters to us and can focus our protection efforts there.
How much is my data worth?
Standards like ISO27001 help companies secure their data and IT assets, and classify that data. After the company has figured out what data is public, internal, secret, or top secret, it is time to figure out just how much that data is worth. If my data is worth €10,000, for example, no one will invest more than that trying to steal it. Always keep this perspective in mind.
Who can make money from my data?
When thinking of data protection, one must think like a criminal. Who is interested in my type of data? How can they make money from it? How much time and how many resources would I, as the attacker, have to invest?
The firewall barrier that used to separate the inside from the outside environment is no longer enough. The IT perimeter is now everywhere. People want to work from anywhere and access their data from anywhere, and that makes protecting the data a lot more difficult. The data is in the cloud, on laptops and smartphones… People lose those – and the attacker then has “unlimited” time to brute-force the passwords and encryption on these devices (if there is any encryption at all).
To best protect business data, some rules must be enforced. Not all data may be accessed from every device and connection, or stored just about anywhere. Passwords and encryption must be strong, even if this hinders the user experience a little. That is the end user’s share of the compromise that security always is.
You’re up against everybody
But the biggest pain for modern businesses is hackers and targeted attacks. Data breaches have proven to be (extremely) costly. Today there are no companies left that haven’t been compromised. Maybe they just don’t know it yet. It scares me when I realize that companies of all sizes only figure out, on average, after more than 144 days that they were breached. Hackers need only hours, not days, to steal the data. 144 days is a luxury for them. They could just as well shut down the company if they wanted to. But since they are “responsible parasites”, they won’t kill a host that is prepared to generously reward their efforts in the hope of getting (all) the data back.
It is not just the cybercriminals that companies should worry about. There is industrial espionage. Even your own country (and just about all others) will try to gain access to your systems and data. It is hard to defend against an army of highly skilled professionals – no matter where they come from. And they have the means to break us – maybe they acquired them in the dark parts of the Web, or just “borrowed” them from the likes of the NSA and CIA. Nobody, and no data, is safe today. Remember that.
If your data is worth a lot, you will be hacked or breached sooner rather than later. And the attackers probably won’t come through the front door, since there are plenty of back doors and cracks in the security armor to choose from. And in case those fail, there are always social engineering techniques, which have bested all the tech stuff before.
What can we do to protect our data?
The solutions depend on the size of the company. Small companies should simply move their business solutions and data to the cloud and choose a service provider that excels at IT security. Medium and large companies must get their data houses in order and apply security solutions in the right manner. Those who can afford security solutions that check users, devices, and network activity with behavioral analytics will be better off. Having dedicated security experts on board is costly but also effective. Complementing them with artificial intelligence and machine learning solutions helps a great deal.
All companies must realize that users are the weakest link in the security chain. They must start educating their employees about the dangers of the digital world, because just about every data breach starts with a phishing attempt.
When was the last time you defined and thoroughly checked your IT security processes? Your goal should be to set the security bar as high as possible with the limited resources you have at your disposal.