Data Security – An Ever Present and Growing Concern
I mentioned in my recent post (Key Factors for 2022 Data Management) that digital security is an ever-present and growing concern. It has become a global risk for businesses, governments, and individuals. Fortunately, most of us are aware, at least to some degree, of the risks surrounding compromised data, but over the past two years, we have seen emerging trends and increasing capabilities that are pushing these risks to a whole new level.
One prime driver of increasing risk is the amount of data that exists and the rate that which it is being created. According to an article in TechTrend, we created 2.5 quintillion data bytes on a daily basis in 2020 (a quintillion has 18 zeros), and that number is increasing. This number includes an average of 306.4 billion emails and an estimated six billion Google searches daily. Add that up over a year and we’re talking zettabyte territory.
With this increasing amount of data, the ability of hackers, data hijackers, ransomware, and other forms of data villains to create havoc also increases. We also need to consider that AI and data manipulation methods are accessible to data criminals as much as they are to the rest of us. What we are seeing along these trends include:
With the global workforce moving to remote work, in some cases permanently, we have expanded the number of target points for hackers to exploit. IT staff are becoming stretched thin in trying to support home WiFi networks and new or upgraded tools to support remote working.
As mentioned above, technology is available to all. Quantum computing allows for quantum hacking. China, for example, has produced state-supported quantum computers capable of hacking AES 256 (the security protocol upon which most of the Western world has relied to protect data and systems for the last 10 years). Without the adoption of stringent process controls and new tools, corporate and government data in the Western world is now at risk.
Identity theft is becoming the “new norm.” As mentioned in a recent interview with The Washington Post on protecting your data during travel, data thieves are able to automate data capture and compound, share, and sell years of randomly acquired personal information to build and replicate your identity.
Both companies and individuals are increasingly reliant on cyber insurance to cover their lack of data security hygiene – i.e., how many of us overlook stringent protection of our credit accounts knowing that the credit card companies will refund us for any fraudulent charges? What we need to consider is that this practice is not fixing the problem, similar to adding oil to your engine every week rather than fixing the leak. Keep in mind that insurance companies adjust rates based on risk. If risk continues to increase and our efforts to contain data protection do not, we may be looking at significant premiums, deductibles, or even increased liability exposure in the near future.
What we need to do is accurately evaluate, and continually re-evaluate what are data protection “best practices". As in the example of AES 256 noted above, what used to be considered standard or best approach years ago may not be sufficient.
The following are a few current practices that may help you in mitigating the emerging data privacy and protection risks:
Tokenization: Tokenization is the process of replacing sensitive data with keyless synchronous “tokens” that carry no referenceable meaning and cannot be identified by a mathematical formula. Sensitive information can then be shared across the internet without revealing its true form (i.e., credit card numbers). This is different from encryption which can be mathematically deciphered.
Most of us already use a form of tokenization with the new chip cards. For a business managing magnitudes of data, you will need to implement processes and utilize new tools to take advantage of the added security layer of tokenization. There are various methods of data tokenization which we will cover in a later post, but this is an important business decision to consider.
Compliance and Audits: Very few of us actually like these words, but they are critical to maintaining a stance on secure data. The idea is to expose your company’s weaknesses before the data criminals do. While your company has to keep its systems and data safe all the time, a hacker only has to be right once to bring your company to its knees.
We’ve seen far too many cases, Capital One, Facebook, Marriott, the recent healthcare hacks, and the list goes on. Consider investing in regular check-ups, just as you do (or should do) with your doctor. Also, be sure these audits are performed by an independent group to ensure a complete and accurate analysis.
Hire a CISO: If you don’t have a CISO, then get one! This is an increasingly valuable role in an organization and is essential to developing and maintaining a good data and cyber security strategy. A VCISO (virtual or fractional Chief Information security officer) may also be a great option for many organizations. Not only can this model help reduce costs, but as they work across multiple companies, they may be more up-to-date on current best practices and aware of other tools and systems that are available. In many cases, VCISOs tend to be fresh and on the forefront more so than a permanent in-house executive.
Take Cyber Insurance Renewal Self-Assessments Seriously: If you overstate or misstate what you are doing in terms of processes, protocols, and technology, you might find your claim delayed or denied. As mentioned earlier, insurance companies are increasingly aware of risk and take their metrics seriously. If you have ever tried to file a claim for damage to your home, you know what I am talking about. It is best to engage a team experienced in security audits to assist you in filling out your renewal assessment.