Since 2006, there have been a number of sources that talk about data as being the 'new oil'. In its basic, unrefined form, it's only marginally useful. But when refined by analysis, data can be invaluable. Regardless of how organisations and governments perceive the value of data, there is a strong and profitable black market for data that is illegitimately 'obtained', and significant cost to organisations that lose, or expose the data they host within their organisation.
The changing IT security landscape
The firewall, traditionally used to protect corporate data and the datacentre, is no longer sitting between corporate data and the wild. As IT tools within firms have diversified to include laptops, smartphones and tablets, the 'edge' of the datacentre can now be in an employee's bag or pocket, and be miles away from the firewall.
In response to this ever-increasing threat, organisations need to consider investing in technologies that will minimise the impact of an external data breach, and exploring how these mobile devices can be secured and managed. This is a challenging strategy, particularly since the Bring-Your-Own-Device (BYOD) trend has become more widely adopted. Issues of privacy, data sovereignty and the rights of organisations and individuals all apply, with legislation a long way from helping define the roles and responsibilities of all stakeholders.
Internal and external threats
But technology is only one part of the overall data and content security issue, with management of people and processes being equally as important.
For example, it is quite a complex and expensive process for a determined hacker to break into an organisation, locate valuable information and then extract that information, and sell on to the open and black markets. But it is relatively easy for a disgruntled employee to plug in a high capacity mobile storage device and make a copy of that same information, because the vast majority of security approaches are focused on monitoring external threats and not internal weaknesses in the firm.
An even more frequent threat vector is that of the lost laptop or phone. And, with the increasing number of personal cloud productivity tools available, there is an increased probability that critical information will be accidentally posted to a public cloud site that fails to provide sufficient levels of security. There is also the possibility that usernames and passwords will be accidentally exposed, lost or stolen. All these security risks exist in addition to the omnipresent concern of an employee accidentally emailing critical information to the wrong recipient.
Preparing for the inevitable
So, how can organisations effectively address these security issues where the complexity of, and motivation for, external threats are ever increasing? A 'Defence-In-Depth' strategy is called for. Such a strategy will have zones of internal and external trust, and mistrust. This strategy will be well documented and will encompass:
- Staff training on security issues;
- Required security software for mobile devices;
- Identification of a dedicated security response team;
- Standardised procedures and protocols for instances of data loss.
The critical element of a 'Defence-In-Depth' strategy is that it starts from accepting that an attack is inevitable. It then works to intercept and slow down the attack at every possible junction to provide time to respond. Armed with this new attitude, organisations may have a better chance of avoiding major data breaches in the future.
By Simon Piff, Associate Vice President, Enterprise Infrastructure IDC Asia/Pacific. All views expressed are the author's own.