The security of sensitive data will be at the top of the C-suite’s agenda as we reach 2017. High profile data breaches continued to make headlines throughout 2016, sometimes with devastating consequences to both company reputation, finances and customer trust. Cybersecurity has been reprioritised because decision-makers and executives have witnessed the negative effects that can significantly impact the bottom line and future profitability.
Security resilience has to begin with managing the proliferation of data that shows no sign of abating. To protect its most sensitive information, a holistic information management strategy should be at the core of every business. Future decisions have to hold far more recognition of how content is managed and governed, with the ultimate aim of eliminating data-hoarding.
Investment made by CISOs will shift more toward granularly identifying information vs. parametric measures. Depending on your business, digital information on average is doubling every three to nine months. The knee-jerk reaction to burgeoning data is to protect all that ‘stuff’: contain it behind hyper secure firewalls, deploy DLP (data loss prevention/protection) technologies at the parameter and key core switches, leverage active packet inspection technologies at the parameter, and lock down USB ports. These are all good countermeasures that help partially solve the issue, but they don’t prevent it. In 2017 and beyond, you will see a more deliberate movement by CISOs toward first identifying what exactly it is they are securing, and assigning security levels to that content.
This change in how data is governed will clarify what content is sensitive and what is not, making it easier to assess the extent of the damage if a breach occurs. This isn’t about locking down more data to make it unusable – rather, it’s about making the data usable with pervasive, invisible governance around it.
Waking up to the risks of redundant, obsolete and trivial (R.O.T) content
As enterprise content ages, its value to the business declines, and the risk that content poses to the organisation also goes up. Studies have shown that up to 70 percent of data in an enterprise is R.O.T. which represents a large vulnerability. For example, in Edward Snowden’s case, the documentation he uncovered at work was largely made up of archives and wasn’t particularly relevant to Booz Allen, but it was extremely relevant and damaging to the US Government.
The archives contained sensitive information and Snowden’s employer clearly didn’t have the proper internal content controls, policies and procedures in place; that has been a loud and clear lesson for CISOs that previously didn’t invest significantly in content lifecycle management. All of the information being created can’t just linger indefinitely without posing future risks. You have to ultimately make the choice to categorise and delete some of it, particularly if it is not of use. In the information management discipline, it is a well-known fact that as content ages, its value to the corporation decreases and the risk increases by an exponential factor.
The rise of ‘applied governance’ to unstructured data: Earlier this year, more than 20,000 pages of top-secret Indian Navy data, including schematics on their Scorpene-class submarines, were leaked. It’s been a huge setback for the Indian government. It’s also an unfortunate case study for what happens when you lack controls over unstructured information, such as blueprints that might be sitting in some legacy engineering software system.
Now, replace the Indian Navy scenario with a situation involving the schematics for a Nuclear power plant or consumer IoT device, and the value of secure content curation becomes even more immeasurable. If unstructured blueprints and files are being physically printed or copied, or digitally transferred, how will you even know that content now exists? Also, as more industries move towards digitisation, physical content will not simply disappear, and there must be a way to keep a record of it, as it will still hold value. Tracking this ‘dark data’ – particularly in industrial environments – will be a top security priority in 2017.
Unfortunately, cybercriminals are becoming more sophisticated and organised when it comes to malicious attacks and employ a range of tactics to ensure maximum disruption and financial gain. In order to fortify defences and remain resilient in 2017, rather than just implementing additional parametric security measures to protect all data, companies should start to carefully examine and qualify their content to determine what is sensitive and valuable.
More resources must be devoted to assessing and organising all content (not just digital, but physical records that still hold value), and proactively removing data that is no longer relevant or important.
Businesses will be in a better position to withstand and mitigate evolving threats by adapting this approach in the New Year.
Image Credit: ESB Professional / Shutterstock
Ankur Laroia, Strategic Solutions Leader, Alfresco Software