Data Security: the threat is inside the company (part I)



DATA MANAGEMENT GAPS THAT CAN DERAIL STRATEGIC ENTERPRISE OBJECTIVES

Data is the lifeblood of the modern enterprise and underpins most strategic business decisions a company makes. Organizations therefore work constantly to maintain high levels of data security and to protect valuable data assets. Yet while most defensive effort is spent on threats from outside the firewall, access from inside the firewall carries equal risk, which makes database access authorization one of the most critical components of information security and risk management.

This source of corporate vulnerability is quickly rising to the top of the list of security concerns. C-level executives and CISOs should therefore strongly consider adopting data access management tools and methods that let them understand and measure exactly where their data is, how it is accessed and by whom, how much data is downloaded, and when and from where. This is not fundamentally a technical issue: it affects business liability, compliance and productivity as well. And it is no longer optional.

WHO IS ACCESSING YOUR BUSINESS DATA?

Virtually all organizations are struggling to keep up with controls around their data. But a three-part challenge is creating major complexities and risks at levels that we have not experienced before:

  • In a fully connected digital world, adversaries are becoming more sophisticated at exploiting vulnerabilities, and state-sponsored attacks are becoming the norm.
  • Several business functions have found new value in large stores of enterprise data and are demanding it faster than ever. Marketing teams are aggressively looking for ways to produce more leads, operations teams use data to improve the customer experience or find new ways to reduce cost, and finance teams use data to prepare better budgets. Shadow IT is used aggressively because IT functions cannot keep up with these teams’ needs while also maintaining proper compliance. Further, customer data has real and often significant value: companies like Facebook and Google have created a market for selling access to or use of that data, and companies are collaborating in new ways to combine data sets and identify digital synergies.
  • Many new regulatory efforts are enforcing the application of basic data security principles. More than ever, government entities are imposing responsibilities on data owners. In addition, frequent data breaches are raising the bar on what can be defined as “standard of care” principles that regulators and courts expect organizations to institute and maintain. So when breaches happen, not only will regulators ask questions about the breached data, you will also have to prove that your organization made all reasonable efforts to avoid being breached in the first place. That requires demonstrating how you are meeting these standard of care expectations.

 

As time-pressed teams hustle to execute business objectives, instant access to data has become a default expectation. But a careful balance is needed between pursuing enterprise objectives set at executive level and correctly managing data access in highly complex environments where users move at business pace.

That has to be reconciled with a second balancing act: senior leadership continually weighing the cost of a potential breach against the cost of compliance. Cybersecurity budgets have risen sharply in recent years and will keep growing. Yet with the bulk of those resources directed at outside-the-firewall protection, IT teams are generally left maintaining only basic internal data controls.

It remains technically challenging to translate the risks, and the appropriate protections, for all of an enterprise’s data into the bottom-line concerns of the C-level. Managing who needs and who actually has access to data beyond the application level (direct database, reporting, backup or export access that bypasses an application’s own authorization checks) is extremely complex. Perimeter tools such as firewalls and other network protections simply do not stop insider threats: an insider’s traffic already originates inside the network and uses credentials the perimeter trusts.
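The visibility the article asks for above (who accesses data, how much is downloaded, when, and from where) and the point that perimeter controls see nothing of it both come down to inspecting the database’s own audit trail. The following is an added example, not code from the original article or from Augustas Risk Services, of the kind of check a data access monitoring tool applies to such records. The audit-log format, the sample records, the corporate network range, the business-hours window and the row thresholds are all constructed assumptions for illustration; real databases (for instance pgaudit on PostgreSQL or SQL Server Audit) emit different fields and would be parsed accordingly.

```python
"""Flag risky inside-the-firewall data access from database audit records.

Added example, not from the original article. The audit-log format and all
records below are constructed; thresholds and network ranges are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample audit log: timestamp, user, client IP, object, rows returned.
AUDIT_LOG = """\
2024-03-04T09:12:03Z alice 10.20.1.15 crm.customers 120
2024-03-04T09:40:51Z alice 10.20.1.15 crm.customers 85
2024-03-04T22:17:09Z bob 10.20.1.77 crm.customers 250000
2024-03-04T10:03:44Z carol 203.0.113.9 finance.budgets 40
2024-03-04T11:30:00Z dave 10.20.1.80 hr.salaries 3000
2024-03-04T11:31:00Z dave 10.20.1.80 hr.salaries 3000
2024-03-04T11:32:00Z dave 10.20.1.80 hr.salaries 3000
"""

# Hypothetical policy: where legitimate clients sit, when they work, how much they pull.
CORPORATE_NETS = [ip_network("10.20.0.0/16")]
BUSINESS_HOURS = range(7, 20)            # 07:00-19:59 UTC
MAX_ROWS_PER_QUERY = 10_000              # one query pulling more is a bulk download
MAX_ROWS_PER_USER_OBJECT_DAY = 5_000     # catches many small queries that add up


@dataclass(frozen=True)
class AccessRecord:
    ts: datetime
    user: str
    client_ip: str
    obj: str
    rows: int


def parse_audit_log(text):
    """Parse the constructed whitespace-separated audit format into records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, ip, obj, rows = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append(AccessRecord(when, user, ip, obj, int(rows)))
    return records


def find_risky_access(records, corporate_nets=CORPORATE_NETS, business_hours=BUSINESS_HOURS,
                      max_rows_per_query=MAX_ROWS_PER_QUERY,
                      max_rows_per_user_object_day=MAX_ROWS_PER_USER_OBJECT_DAY):
    """Return (user, rule, detail) findings for access a perimeter firewall would never see.

    Rules: a single oversized query, access outside business hours, a client
    address outside the corporate ranges, and a per-user/per-object daily total
    that exceeds the threshold even though every individual query was small.
    """
    findings = []
    daily_volume = defaultdict(int)
    for r in records:
        if r.rows > max_rows_per_query:
            findings.append((r.user, "bulk_download", f"{r.rows} rows from {r.obj} in one query"))
        if r.ts.hour not in business_hours:
            findings.append((r.user, "off_hours", f"{r.obj} at {r.ts.isoformat()}"))
        if not any(ip_address(r.client_ip) in net for net in corporate_nets):
            findings.append((r.user, "external_client", f"{r.obj} from {r.client_ip}"))
        daily_volume[(r.user, r.obj, r.ts.date())] += r.rows
    # Low-and-slow pulls: each query stays under the per-query limit, the day total does not.
    for (user, obj, day), total in sorted(daily_volume.items()):
        if total > max_rows_per_user_object_day:
            findings.append((user, "cumulative_volume", f"{total} rows from {obj} on {day}"))
    return findings


if __name__ == "__main__":
    for user, rule, detail in find_risky_access(parse_audit_log(AUDIT_LOG)):
        print(f"{rule:18} {user:6} {detail}")
```

In the constructed sample, alice’s two small daytime queries from the corporate network produce no finding, bob is flagged both for one 250,000-row query and for running it at 22:17, carol is flagged because her client address is outside the assumed corporate range, and dave is flagged only by the daily total: each of his three 3,000-row queries is individually under the per-query limit, which is exactly the case a per-query threshold alone misses.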

 

(to be continued)

 

Browse our Corporate Presentation 2020 and find out how we help companies worldwide to “embrace the good side of risk”.