Where do we start?
Almost all businesses and organizations are producing more data than ever before. IBM says that, around the world, we create 2.5 quintillion bytes of data every day (What is big data?). Data comes in many forms – digital devices produce responses and metrics, and companies have more and more databases with customer information, employee records, healthcare records, payment data, research data, and more. Even emails, files, and other media containing data are being produced in large volumes.
Data is basically generated and gathered from, well, almost anything.
Much of the buzz lately is about IoT or the "Internet of Things". IoT represents any device that produces data - smartphones, watches, refrigerators, toasters, even electronic sensors at power plants or on train tracks – you name it. These devices can typically collect and connect so that the data can be accumulated and analyzed. IoT already creates huge volumes of data and by 2020, there will be around 25 billion connected ‘things’ according to Gartner (How much Data Will The Internet of Things (IoT) Generate by 2020?).
So what is the concern - why is data so important?
People are no longer considered the only asset to your company - data is now considered a top asset as well. Data can be used to analyze the efficiency of your business processes to possibly save money; data can be used to save lives or to predict when something bad (or good, for that matter) might happen; data can be used as input for machine learning or Artificial Intelligence (AI) for advanced decision making. Data can be used to make a difference in your company, and in the world!
But all the data that is generated is also valuable to criminals. Almost any kind of data can be sold on the Dark Web for money or other things. For example, valid credit card numbers sell for an average of $7 each (A Darknet Site Currently Offers Credit Cards) and even US Tax W-2 records are available for up to $20 each (Shopping for W2s, Tax Data on the Dark Web). Hackers and cyber criminals are looking for ways to infiltrate organizations to obtain and steal data.
Data breaches and theft are among the major challenges for businesses, and there are numerous statistics and reports around the mechanics and repercussions of data breaches (Data Breach Statistics). As data volumes continue to grow, keeping data safe (especially the data that can be held for ransom by an attacker, or data that can be used to harm people) is vital, and companies are deploying many safeguards to protect it.
Recently, I got a chance to ask a room full of CXOs some questions pertaining to data security, when I attended a small conference focused on round-table discussions among more than 40 current and former CXOs, EVPs, and Board Directors.
"Does Cybersecurity have your Board’s attention?"
Having cybersecurity on the Board of Directors’ agenda is one of the top objectives to meet, as more funding can be allocated to defend against cyber-attacks. The overwhelming response was "yes", as cybersecurity was considered one of the top items of discussion in Board meetings. Many CISOs and CIOs were in the process of educating the Board on current and key cybersecurity attack vectors, what data security technology is available, and risks from regulations that perhaps were not followed, and were taking board members on a journey highlighting their efforts to prevent cyber-attacks (or minimize damage as a result). "Keep the message simple and not too technical" was the best way to get the Board to pay attention and to make decisions in this area.
"How much money are you investing?"
"Well that’s a loaded question!" another Executive told me. He shared a conversation he had with his CEO – "How much money do you need to ensure we don’t get hit with a cyber-attack?" His answer was – "No amount of money can (realistically) guarantee that a company will not experience data loss or denial of service due to a cyber-attack." It is not a matter of IF a company will be attacked, but WHEN. The most companies can do is minimize the effect by putting in place the best solutions and policies to increase their security posture, to reduce the likelihood of an attack or reduce its impact on the business. Regulations help provide a guideline for what to do, as does talking with others in the community about the methods they are using.
"Take a Pragmatic Approach" said a CIO, who shared the same sentiment as mentioned above. He asked his CISO, "Are you putting in place the proper controls and defenses that make sense for the type of data and infrastructure we have?"
Simply doing nothing, or taking the cyber risk, was not an option, but as long as a reasonable effort was in place that made sense and didn’t require a massive amount of restructuring or change, their company would be satisfied.
"Completing a Security Assessment" is a key step, said a CIO from a consulting company. You can’t secure data unless you know what data you have, where the data resides, and who has access to it. Even fully understanding how your 3rd party vendors interact with your technology is a critical step, since several large-scale cyber-attacks in the past were a result of 3rd party vendor access (Case Study pdf: Critical Controls that Could Have Prevented Target Breach). Completing a Security Assessment not only identifies the security gaps that a company has, but can also identify what effective policies and controls are in use. This assessment can help companies know where they stand today, and possibly how well they can defend against cyber-attacks, or simply how they meet security regulations.
It’s apparent that data protection and cybersecurity are hot topics in most organizations today. Finding and deploying the right solutions that fit your organization and meet your cybersecurity requirements is imperative to satisfying the objectives of the Board of Directors, and to keeping the overall data in your environment safe from attackers, no matter how much of it is created! Doing the right thing quickly and efficiently when it comes to defending your business against cyber-attacks is the best you can do.