The amount of data being generated in the world is growing at an exponential rate, with some predictions estimating it will reach 44 zettabytes this year – roughly 40 times more bytes than there are observable stars in the universe.
Much of this data has been generated as a by-product as technology advances and businesses pursue digital transformation strategies, and in many cases, organisations have sought to create and collect as much data as possible.
It has often been repeated in recent years that data is the “new oil”, the driving point of the global economy and the single most important resource that a business can acquire or generate. As a result of this credo, many organisations have spent years stockpiling vast quantities of data, often with no clear plan in mind for it.
This approach has begun to cause severe problems for most organisations. The relentless quest for data means that many firms now have huge amounts of information scattered across multiple locations, including third parties such as partners, service providers and public cloud providers.
As cybercriminal activity continues to escalate in both volume and sophistication, all of this errant data is increasingly at risk. Many organisations have little idea of just how exposed they are to cyber-threats until a breach actually occurs because they have no true understanding of their extended digital footprint. Worse still, these companies are oblivious to the fact that their valuable data has already fallen into the hands of criminals and is being bought and sold on the dark web as a commodity.
Why is implementing data management such a challenge?
A number of factors have converged to transform data management from being regarded as a back-end IT issue to a leading business concern. The steadily increasing number of serious data breaches hitting the headlines in the last few years has served as a wake-up call for many organisations, while the rest have had their hands forced by new regulations such as the EU GDPR.
However, the scope and complexity of the average organisation’s digital footprint means that ensuring data is protected and compliant is easier said than done. Over many years of conducting data audits, I have often found that businesses are overwhelmed by the scale of the challenge and have no idea how to begin. This is particularly true where firms must deal with multiple overlapping regulations – for example, as well as the GDPR, they may be subject to its counterparts in other international territories and to industry-specific regulations such as PCI DSS.
Added to this, most organisations are also suffering from a severe lack of resources. An on-going skills shortage means that it is often time-consuming to find experienced professionals for key security and data management roles.
Where to begin?
The first question any business should ask itself is “why do we have this data?”. Firms need to take a step back and assess why data was collected, and what purpose it actually serves. Contrary to the previous few years of collecting data by default, businesses should now be looking to delete any unnecessary data and reduce their digital footprint wherever they can to minimise their exposure to risk.
However, trying to rein in years of data scattered across multiple third parties and different generations of technology can seem like an overwhelming task, and the truth is there is no quick fix.
Automation is often held up by the IT industry as a magic button to fix all of these problems, but it is impossible to apply automation properly without an underlying knowledge of the problem at hand. As Bill Gates once put it, “automation applied to an inefficient operation will magnify the inefficiency”.
Like any seemingly insurmountable problem, the key to getting a handle on an overgrown digital footprint is to break it down into manageable chunks while focusing on the desired data policy outcome. Taking that one step further, a more realistic assessment of data security policy can be obtained by shifting the analysis to the security controls that need to be in place to protect collected data. For companies that feel completely lost, there are multiple frameworks available that will provide them with a defined starting point and guidance for a series of achievable data security control milestones that will get them on track. The NIST Cybersecurity Framework, ISO 27001, CIS CSC 20, and even the PCI DSS are just some of the options available.
Whatever guidance they choose to follow, the objectives are the same. Organisations must work towards gaining a full understanding of what data they have ownership of, where it is located, and what measures are in place to protect it from misuse and comply with any relevant regulations and laws.
Once this is fully understood, organisations can then develop data policies and security controls to safeguard their information. It is at this point that automation becomes valuable, as solutions can be deployed to enforce policies automatically across the entire digital footprint and to implement measures for predicting, detecting, and responding to threats.
Taking a proactive approach
Managing data – and cybersecurity in general – often ends up being a reactive process. Firms discover a malware infection or an attack attempt and work to mitigate it, for example, or implement new controls in response to regulatory demands.
However, once an organisation has implemented a consistent approach to data management and securing its digital footprint, it should be ready to take a more proactive approach. This includes carrying out continuous risk assessments for all assets, including all third parties that hold data or have access to the network. Proactively seeking out risk will enable a company to take the initiative and get ahead of the problem, mitigating the chance of incidents occurring and creating a state of continuous compliance while lowering liability.
As part of this mindset, companies can also go a step further and proactively search for traces of their data that may already have been breached. Discovering that a set of customer databases has been stolen from a third party and is available on the dark web, for example, will enable a company to take control of the situation. While there will always be fallout when a breach occurs, this scenario will lessen the impact from both regulators and any customers whose private information was leaked. Further, there are advanced solutions that can not only detect previously stolen data online, but actually take it down, reducing the chance of the incident escalating further.
After years of building tangled and unaccountable webs of data, regaining control of their digital footprint still seems like an impossibly large task for many organisations. However, by starting with the basic question of why data has been collected, and moving through steps to account for that data and implement proper controls and processes, businesses can take back control of their data. From here, they can take the lead and proactively face any threats that come against them.
Chris Strand, chief compliance officer, IntSights