In an era defined by continuous media announcements of organizations that have suffered both government and private data breaches and thefts, the security of this invaluable asset has never been more of prime importance. Every day, enterprises face the daunting task of safeguarding sensitive information against an ever-evolving array of threats. As someone who has navigated the complexities of data security for over a decade, I have witnessed firsthand the shifting paradigms and challenges that organizations encounter. This article aims to illuminate the path forward, proposing a fundamental realignment towards data-centric security as a robust approach to the pressing concerns of today. Join me in exploring why adopting this strategy is not only strategic but essential for enterprises aiming to thrive in this context.
Data Security Concerns in the Modern Enterprise Context
Today’s businesses operate in an environment where traditional security perimeters have all but dissolved. The transition to remote work and ‘Bring-Your-Own-Device’ (BYOD) policies, a direct consequence of recent global events, has further exacerbated this trend. These blurred lines, combined with the sophistication of modern cyber threats, have significantly heightened the risks of data breaches, reputation damage, and regulatory penalties.
Data breaches rose by 72% between 2021 and 2023 according to the 2023 Data Breach Report by The Identity Theft Resource Center (ITRC), which has underscored the importance of robust data security. The main risks include phishing attacks, Zero-Day vulnerabilities, malware infections such as ransomware, insider threats, and insufficient encryption, all of which can result in significant financial loss, $4.45 million on average according to IBM Cost of a Data Breach Report 2023. Since 2020, the average cost of a data breach has increased 15.3% from $3.86 million. The costs are expected to reach $5 million within the next few years based on this trend.
Since Cybercriminals have discovered new ways to profit, they have not stopped evolving, and they know that data is a gold mine. Their main motivation is to gain access to the most critical documents and data of companies to make a profit.
At the heart of these concerns lies the challenge of controlling who can access data, under what conditions, and ensuring that it remains protected – regardless of its location. The stakes are higher than ever, as data exfiltration can mortally wound an organization’s standing, not to mention the severe implications imposed by ever-tightening regulations across the globe.
Towards a Data-Centric Security Approach
To address these growing concerns, a paradigm shift is essential. Moving toward a data-centric security approach ensures that the focus is placed squarely on protecting the data itself, irrespective of where it resides. This strategy offers a solution that aligns with the current organizational landscape, where data flows freely beyond the confines of traditional network borders. By encrypting the data and controlling access directly, we create a resilient protective layer that moves with the information. This alignment not only enhances security but also offers greater flexibility, an indispensable trait in today’s fluid work environments.
There are different key elements for an effective data-centric security approach:
- Identification of sensitive information: The target of an attacker, whether internal or external, is usually the most sensitive and valuable information: data through which he can directly or indirectly obtain benefits. On the other hand, there are also data related to some type of regulation such as EU-GDPR, PCI, or others. In some organizations this is stored in certain repositories known to the teams, however, it can also be distributed.
- Data-centric protection: Data-centric security controls focus on securing the organization’s valuable content so that it can be protected from potential unauthorized egress from the network, cloud, or data leakage. We can know where the sensitive information of the organization is, but it will be of little use, if we don’t apply measures to protect this information wherever it travels.
- Audit and monitoring of access to data: To determine the level of risk on corporate data, it is important to be able to analyze its use and determine if the behavior patterns of users on the data are outside a certain standard.
- Administration and management of data policies: Who should or shouldn’t have permissions to access the data isn’t something that is established in a static and lasting way. You must be able to apply dynamic policies on the data so that if you stop collaborating with someone or if it is detected that a certain person may be at risk, we can revoke access to it or try to prevent it from leaving the corporate network.
The Crucial First Steps
Before diving headlong into the implementation of data-centric solutions, it is vital to conduct a thorough analysis to identify the most at-risk information within an organization. Understanding what data is being generated, how it’s used, and most importantly, how it’s shared, forms the bedrock of a successful data-centric security strategy. An exhaustive examination of data flows within an organization will reveal the critical assets that demand the highest protection. This prioritization not only ensures that resources are allocated efficiently but also significantly improves the return on investment in data security technologies by safeguarding the most vulnerable information first.
Many organizations haven’t conducted a thorough analysis of the information they handle, generate, and share. SealPath has been recommending that for the past 10 years. As experts in data-centric security, we know that having a report that identifies the most vulnerable information is crucial to apply the most effective measures, tailored to the nature of each type information. This can only be done with an analytical method.
In the past, we noticed that when helping organizations to establish different types of policies or rules to protect their information, they hardly knew how to differentiate the level of sensitivity of each type of information, the context in which it is handled and even the different categories of information. This made it very difficult to advise them on the best security policies or rules, as these must be adapted to the nature of each type of information in order to be effective.
After deep documentation of the company data and flows, I recommend to calculate general risks by type of information, such as legal, financial, reputational or operational. The objective is to obtain the level of risk to which a type of information, such as strategic data, is exposed.
Once we know the general risks, I recommend to calculate the risks by typology, to quantify the risk by type of file and impact on the 5 dimensions of information security: Confidentiality, Integrity, Availability, Traceability and Authenticity. As a result, we will identify which specific files are most at risk. An example could be, for example, designs with intellectual property.
SealPath is distributed by its certified integrator, BNS UEP, a data solutions provider that enables organizations to establish and strengthen their Data Lifecycle Management and Security Posture. The starting point in the lifecycle is a clean, accurate and current data inventory, where compliant (e.g., PII, CCPA, other US Data Privacy Acts, GDPR, HIPAA), non-compliant, and critical (e.g., IP, Trade Secrets, Classified) data can be identified, delineated, isolated, accurately tagged, labeled, and classified. This combined with Access Governance including role and attribute-based access controls, least privileged, the ability to revoke access and encrypt data at rest, in use, and in transit is essential for any organization. The SealPath and BNS unified services solution delivers quick, relevant insights into reducing data & access risks (financial, legal & regulatory compliance, operational) while providing enforcement for File & Data Integrity with Enterprise Rights Management & DLP.
Conclusion
The journey toward robust data security is both complex and ongoing. However, by shifting our perspective towards a data-centric approach, we position ourselves to better combat the multifaceted threats of the current era. It is imperative that we do not rush into deploying solutions without first gaining a profound understanding of our data landscape. The insights garnered from such an analysis are invaluable, guiding our strategic decisions and ensuring that we invest wisely in technologies that provide tangible results.
Ultimately, I know that finding the right time to conduct such an analysis and putting the effort into it is difficult for many CISOs. But doing so has an unquestionable long-term benefit: knowledge is power, and in this case, it is profitability. Having a real and detailed vision of the data assets that your organization manages, as well as their risks, will not only avoid the worst consequences in cases of data breaches, but will also minimize their impact on your organization.
The world of data security is at a crossroads, and the direction we choose now will define the safety and resilience of enterprises for years to come. Let’s embark on this path towards data-centric security, armed with the knowledge and strategies that will safeguard our future.
About the Author
Luis Ángel, CEO and founder of SealPath, has more than 20 years of experience in leading technology and cybersecurity companies such as the multinational Motorola or the Spanish Panda Security. As a telecommunications engineer, he has a privileged vision in the development of innovative products and their commercialization, being able to get involved in depth to an unusual technical level. After 13 years leading SealPath and taking its data protection technology to more than 30 countries and 100 partners around the world, del Valle is positioned as one of the relevant voices in the field of data security, with in-depth knowledge of current and emerging threats, as well as the needs most in demand by the main organizations, both public and private.
Luis Ángel can be reached online at (https://www.linkedin.com/in/ladve/) and at our company website https://www.sealpath.com/
Source: www.cyberdefensemagazine.com