Protect Data Differently for a Different World

COMMENTARY

Cybercriminals, terrorists, and nation-states are now striking at commercial entities in ways that can kill and injure people or cause physical destruction. A recent attack on Ascension Healthcare Network forced hospitals to divert patients, reschedule appointments, and resort to manual systems, which could have resulted in serious harm to patients. In 2023, two suspects were arrested for conspiring to attack Baltimore's power grid. The potential harm of such an attack has the US government scrambling to improve security.

In addition to the increased "physical" seriousness of these attacks, company executives can now be held legally responsible for them. In 2022, a federal jury found former Uber CSO Joseph Sullivan guilty of obstruction for actions following the company's breach. In 2023, the Securities and Exchange Commission announced charges against SolarWinds chief information security officer (CISO) Timothy Brown in a similar case (many of which were later thrown out). And earlier this year, Microsoft announced that it will “hold senior leadership directly accountable for cybersecurity.”

We historically have distinguished between attacks on business data — financially motivated incidents that threaten an organization's bottom line in the form of fines, loss of intellectual property, and reputational damage — and state-sponsored attacks on military secrets that have the potential to kill and injure people or undermine the operation of the government. Unfortunately, recent events have blurred the line between physical and cybersecurity, forcing businesses to raise the priority of protecting sensitive data, similar to the military.

The Military Mindset

In the military, protecting sensitive information has always been paramount, and the industry prioritizes whatever systems it needs for protection, including multiple layers of physical and digital security. The information simply can't be compromised.

By contrast, businesses are more likely to do a cost-benefit analysis, weighing the costs of securing data against the costs of recovering from the damage. As a result, the industry has never built a data-centric security stack, instead preferring a network-based security approach focused on keeping the bad guys out and responding quickly to contain breaches. However, if an attacker breaches the network security layer, sensitive data is quickly exfiltrated and exposed before most organizations can respond to contain the incident.

In order to safeguard their employees and business interests, organizations need to change their mindset to protect sensitive data with the same intensity as the armed forces, intelligence community, and defense industry.

Principles of a New Data Protection Strategy

1. Principle of least privilege (PoLP)

The principle of least privilege in the military and intelligence community mandates that individuals have access only to the information and resources necessary for their specific duties. This minimizes the risk of unauthorized access, data breaches, and espionage by limiting exposure to sensitive information, which thereby enhances overall security and operational integrity.

Similarly, business systems should provide only the right data to the right people at the right time. Recent privacy laws have forced many organizations to begin implementing this capability, but most organizations are a long way from building least privilege into the very fabric of their data infrastructure. Implementing strong data security requires understanding the context of the users' role and duties found in identity access management (IAM) infrastructures, understanding privacy compliance requirements, and having the ability to automatically identify and secure sensitive information in real-time across on-premises infrastructure, public cloud, software-as-a-service (SaaS) applications, and the organization's supply chain. 

2. Never trust a third party with data

Data must stay where the company can control and protect it. Attackers go after the weakest link in the data supply chain, and this increasingly means people outside the organization, including children, and third-party data platforms, as with SolarWinds. Companies also lose control of data when it's stored on a vendor's cloud data platform where the vendor's security failures put the data at risk. Thus, companies must ensure that vendors who become part of their data ecosystem do not store it, see it, or otherwise have access to it. This can be accomplished by redacting, masking, tokenizing, or encrypting sensitive data automatically as it leaves the control of the organization.

3. Identify threats in real-time

Too often, businesses have settled for security architecture centered on detection and response with poor response times. According to the 2023 IBM Security "Cost of a Data Breach Report," the mean time to identify (MTTI) and contain (MTTC) a breach is 277 days. When extensive AI and automation were used for incident response, it still took 214 days to identify and contain breaches. In order to prevent data breaches from resulting in the loss of personally identifiable information (PII), we must shift the focus from reactive containment measures that are not working to proactive data security measures that leverage AI to identify and protect sensitive data in real-time as it flows through the organization and block attempts by unauthorized users to access, steal, or manipulate business-critical information.

4. Never undermine productivity

An impediment to increased security has long been that added security makes processes slower and inhibits legitimate access to data, frustrating users, constraining collaboration, undermining customer experiences, and stifling innovation. To encourage adoption and use, data security solutions must protect data without delaying operations. Otherwise, users will find a way around it.

5. Make it fast and easy to deploy

Whatever solutions the industry devises, companies must be able to implement them quickly with little disruption to existing workflows. Otherwise, at best, risks could increase during the implementation process. At worst, the solutions won't be implemented at all or will leave critical gaps in the organization's defenses.

A Call to Arms

In practical terms, adopting a military mindset toward cybersecurity means organizations must immediately begin demanding that the industry moves beyond the current network protection strategies and toward a data-centric security approach that proactively secures data in real-time. These actions include:

These strategies are crucial for moving toward a data-centric security approach that effectively safeguards organizations against evolving cyber threats.