Data Protection From The Inside Out

Organizations must make fundamental changes in the way they approach data protection.

Dan Frank, Deloitte Advisory Principal, Cyber Risk Services

August 8, 2016

4 Min Read
Dark Reading logo in a gray background | Dark Reading

Despite many organizations’ significant cybersecurity investments, sensitive data breaches continue to occur at an alarming rate and have a devastating impact. There are many reasons why these breaches and corresponding effects continue to occur, such as the quickly rising rate of data collection and increasing storage, business and technology innovation (e.g., the Internet of Things and cloud computing), the extended enterprise, inherently flawed technology, and the reliance on outdated security standards and corresponding controls that can’t keep up with attack vectors. Cyber attackers are extremely skilled, well funded, and organized. If an organization has something desirable (such as personal information and intellectual property), attackers will stop at nothing to get inside.

Organizations need to fundamentally change their approach to data protection. For decades, many organizations have spent their time, money, and resources on traditional approaches to data protection and corresponding controls (including identity and access management, vulnerability management, and application security) with the intent of keeping cyber adversaries out of their network and applications and off of their infrastructure. However, breach trends show that although these fundamentals are necessary, relying solely on them isn’t enough and doesn’t work. Organizations need to acknowledge that their cyber adversaries can reach their most sensitive data, and focus more of their time, money, and resources on solutions at the data layer itself.

Data protection from the inside out doesn’t mean that traditional data protection capabilities aren’t necessary or that we should throw our hands in the air and quit. Organizations must continue to implement and maintain these basic capabilities. However, these traditional data protection measures need to be viewed as more of a deterrent to cyber threats than a complete fix. As an organization, view and treat your cyber adversaries in the same way you would treat a common criminal on your own.

For example, common criminals are less likely to break into a house with basic security measures (locks, fence, alarm system, camera/surveillance system, dog). However, if you have something they really want (say, jewelry), are these measures really going to stop them from getting in? No, a determined and sophisticated criminal is going to spend the time and money, and work with the right team, to get into the house and find your valuables. However, as an additional measure, you could store your valuables in a secure safe within the house. That would help protect your valuables “from the inside out.”

Inventorying and classifying sensitive data and assets, as well as maintaining the inventory, is the foundation of your efforts, and incredibly important to data protection. However, many organizations either don’t have an inventory; think they have one, but in reality don’t; or create an inventory without a means to keep it up to date and accurate. Not to oversimplify, but you can’t protect what you don’t know you have. You can’t universally apply data protection capabilities and technologies (e.g., encryption) to “all” of your data because of the cost, and the effectiveness of some data protection solutions (e.g., data loss prevention) is limited without data classification.

Implementing data protection capabilities at the data layer can help to both prevent and detect data breaches at an organization’s last line of defense. These capabilities include preventative solutions such as information rights management, as well as detective solutions such as data loss prevention, data access governance, and database activity monitoring. The adoption rate of these solutions seems to be relatively slow, and even when they’re implemented, their full capabilities often aren’t utilized.

Reducing the value of sensitive data is perhaps the most important principle, and it’s based on the premise that it’s not “if” but “when” a data breach will occur at your organization. One way to reduce the value of sensitive data is to encrypt, tokenize, or obfuscate the data to render it difficult to use when compromised. A second way to reduce the value of sensitive data is to securely destroy it when it’s no longer necessary for legitimate legal or business purposes.

Protecting sensitive data is a complex challenge that requires a holistic and comprehensive data protection strategy, executive support, and investment of time, talent, and funding. Implementing individual data-centric solutions in a siloed manner, and without integration, can lead to critical gaps in an organization’s security. Traditional measures alone are no longer sufficient, so it’s time to change the game.

Related Content:

 

 

About the Author

Dan Frank

Deloitte Advisory Principal, Cyber Risk Services

Dan Frank currently leads Deloitte & Touche LLP's Privacy and Data Protection service offering in North America. His professional experience includes 19 years in privacy, data protection and cyber risk management. He has helped numerous organizations with various aspects of their privacy programs, from requirements and controls definition, business process risk ranking and data flow analysis, risk assessment and strategy development, through program development and remediation initiatives. Dan Frank has international privacy and data protection experience in the Americas, EMEA, and APAC and has built privacy programs to meet a variety of industry and international legal and regulatory requirements. He is a Certified Information Privacy Professional and Certified Information Systems Security Professional, and has spoken on privacy and data protection at conferences for the IIA, ISACA, IAPP, and Symantec.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights