There is no denying the fact that over the past few years, data breaches have increased in frequency and size, making the need to protect sensitive information a top priority for businesses worldwide.
The long list of companies targeted and exposed in the last 12 months includes big names such as Kickstarter, Tesco, Morrisons and Target, to name just a few. The reality is that even the bigger players with more money to invest in security are not necessarily better protected. Since 2013, more than 2 billion data records have been either stolen by cyber criminals or lost due to negligence. We now measure the records lost in each data breach not in the thousands, but in the tens of millions.
But when we compare this reality to organisations’ data security investments, the contradictions are stark. Despite the increasing scale and sophistication of data breaches, companies still continue to invest the majority of their IT security budgets in the same perimeter security defences they have relied on for years. When surveyed for SafeNet’s Data Security Confidence Index, a whopping 93 per cent of IT professionals said their organisations’ investments in perimeter security have either increased or stayed the same over the past five years.
But here’s where it gets interesting. Although nearly three quarters of IT professionals believe their perimeter security measures are effective at keeping out security threats, 40 per cent believe unauthorised users are able to access their networks. In addition, 60 per cent are not confident in their ability to protect their data after a breach occurs.
This shows some very obvious disconnects between what is perceived to be effective data security and what the reality is on the front lines. Despite the over-reliance on the perimeter, more than two thirds of IT professionals in the Index admitted either that their perimeter had been breached or that they did not know whether it had been. More telling still, 25 per cent said they would not trust their personal data with their own companies.
Spirits overall are waning. More than one third of IT professionals admitted that their confidence in keeping hackers and cybercriminals out of their networks has fallen over the past year, and the same proportion said they do not feel their organisation has the security capabilities to keep up with emerging threats and technology solutions. Yet 70 per cent believe their organisations’ investments in security go to the right technologies.
The sad truth is that it does not have to be this way. The new reality is that conventional data security has gone the way of the dinosaur. While today’s security strategies are dominated by a singular focus on breach prevention, built from firewalls, antivirus, content filtering and threat detection, history has taught us that walls are eventually breached and made obsolete. So what can companies do to protect themselves and keep data protected as it is used?
Simply putting up a wall around the data and standing watch is no longer enough. The data security perimeter has not existed for a long time: data moves between, and is stored in, many environments with varying degrees of security. More individuals also have access to that data from multiple access points, and recent data breaches have shown that third-party vendors were often the weakest link.
In this context, companies should assume that prevention and threat detection tools can only go so far, and should use them as part of a layered approach to data security that can still defend data once criminals are inside the network. Organisations must move to a framework that is centred on the data itself, by applying a protection that stays with it no matter where it is sent, such as encryption. With encryption, companies can maintain control of their data even when it is deployed in the cloud or in their datacentre, provided the keys are held and managed separately from the data they protect; an attacker who takes the data and the keys together has taken the plaintext. By moving security controls as close as possible to the data, companies can ensure that even after the perimeter is breached, the information remains secure.
This means companies must view the protection of sensitive data not as a compliance mandate, but as a responsibility essential to their success. Meeting the minimum legal requirements is no longer enough. If a breach hits and the company’s sensitive data, including financial and customer information, was encrypted with keys the attacker did not also obtain, what is stolen is unusable, and the company stands a far better chance of keeping business and customer trust in its brand.
In fact, companies can even increase customer trust by telling clients about the security measures they have put in place to protect their data. Larger online companies are now much more transparent about what they are doing to protect customer information. By being open about their data protection efforts, such as encrypting data end-to-end, they are perceived as trusted innovators. Companies can take this a step further: as well as informing customers about what they are doing to protect them, they can also tell customers what to do to protect themselves and become safer consumers of services.
It is ultimately up to companies themselves, with the help of their IT professionals, to maintain and monitor perimeter defences and to use intelligence about who is accessing data, when, and from which device to decide what access to allow. Stronger access controls with multi-factor authentication, together with data encryption, are needed as part of today’s data security strategies, because they are the last lines of defence for any company.
As hacking attempts become almost a daily occurrence, being breached is not a question of “if” but “when”, so best-practice data protection is vital. Just as criminals have become more intelligent, so too must data security strategies. This means adopting a ‘secure breach’ approach to data protection which focuses on protecting sensitive information wherever it exists, even when it is located in an uncontrolled, untrusted environment, and limiting access to this data.
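The two ideas above, protection that travels with the data and data that stays protected in an untrusted environment, come down to encrypting sensitive fields with authenticated encryption and keeping the key away from the data store. The following is an added example written for this page, not code from SafeNet or from any product mentioned here. It uses AES-256-GCM from the Go standard library, binds each ciphertext to its record ID as associated data so a ciphertext moved to another record is rejected, and then shows what a copy of the database looks like without the key. The key, record layout, card number and function names are all constructed for illustration; in production the key would be generated and held in a KMS or HSM rather than in the process.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Record is what the data store holds. The card number is never stored in
// clear; only its AES-GCM output (nonce || ciphertext || tag, base64-encoded).
type Record struct {
	ID         string
	Email      string
	CardSealed string
}

// newDataKey generates a 256-bit AES key. Constructed for this example: in
// production the key lives in a KMS or HSM, separate from the data store, so
// that a dump of the database alone never includes it.
func newDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealField encrypts one field under a fresh random nonce. The record ID is
// bound in as associated data, so a ciphertext copied from one record into
// another fails authentication when opened.
func sealField(key []byte, recordID string, plaintext []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, plaintext, []byte(recordID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// openField decrypts and authenticates one field. Any error means the key,
// the ciphertext or the record binding is wrong, and no plaintext is returned.
func openField(key []byte, recordID string, encoded string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	if len(raw) < gcm.NonceSize() {
		return nil, errors.New("sealed field too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

// dumpLeaks reports whether a secret appears in clear anywhere in a dump of
// the stored records, which is all an attacker who copies the database gets.
func dumpLeaks(records []Record, secret []byte) bool {
	for _, r := range records {
		if bytes.Contains([]byte(r.ID+r.Email+r.CardSealed), secret) {
			return true
		}
	}
	return false
}

func main() {
	key, err := newDataKey()
	if err != nil {
		panic(err)
	}
	card := []byte("4111111111111111") // constructed test value, not real
	sealed, err := sealField(key, "cust-42", card)
	if err != nil {
		panic(err)
	}
	db := []Record{{ID: "cust-42", Email: "a@example.com", CardSealed: sealed}}

	fmt.Println("card number visible in dump:", dumpLeaks(db, card))
	if pt, err := openField(key, "cust-42", sealed); err == nil {
		fmt.Println("authorised read with key:", string(pt))
	}
	_, err = openField(key, "cust-7", sealed)
	fmt.Println("ciphertext moved to another record:", err)
	otherKey, _ := newDataKey()
	_, err = openField(otherKey, "cust-42", sealed)
	fmt.Println("dump read without the real key:", err)
}
```

The design point is where the key sits: the record can be copied, replicated to a cloud provider or handed to a third-party vendor, and it carries its protection with it, but decryption is only possible where the key is released, which is where the access controls and multi-factor authentication discussed above belong.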
With threats changing daily, companies need to take a multi-layered, dynamic approach to data security which will allow them to be safe in the knowledge that their data is protected, whether or not a breach occurs.