3.35 billion – the number of data records that were compromised worldwide in the first half 2018 alone.
214 – the number of data records that are lost or stolen every second.
72% – the jump in the number of records compromised in 2018 in comparison to the same period in 2017.
These staggering numbers were revealed by digital security specialists Gemalto, who also noted that
the Asia Pacific region alone was responsible for 36% of these breaches, with Australia, India and Japan leading the pack for most number of incidents.
The current state of affairs surrounding data security is definitely alarming, but it hasn’t always been this way. Cyber-related threats were rare and nearly unheard of just a few decades ago, let alone data-specific threats. In fact, most companies’ primary worry when it came to data was governance and regulatory compliance, not security.
So what changed along the way and will the situation ease up in 2019?
The year of data breaches
2018 was a tough year for data security.
The pressures facing businesses grew to new heights nearly every day. Highly complex IT environments require companies to consistently upgrade their applications, improve on efficiencies and comply with stringent regulations while modernising applications, and moving operations to the cloud to stay abreast of competitors. This places a significant burden on already over-stretched IT teams and resources to ‘shift left’, upgrade, migrate and test applications, faster.
In attempts to answer to the growing competitive pressures, many businesses across industries fell victim to a record-number of application outages, cyber-attacks and data breaches. British Airways, Cathay Pacific, Ticketmaster – the list grows every day. With the General Data Protection Regulation (GDPR) in play, companies that succumb to these pressures will only see hefty fines added to their list of challenges.
Such high-profile outages of critical applications cause massive disruptions for businesses and customers, shining the spotlight on how the tumultuous relationship between innovation and security can wreak havoc on both business growth and reputation.
The complicated relationship between innovation and data security
In today’s hyper-connected world, data security and privacy are integral in everyday life.
Protecting people’s personal identifiable information has arguably become a human right. Most organisations have accepted that as custodians of data, they bear the critical responsibility of ensuring personal information is protected. This has created a fundamental shift in how data is viewed and managed. The majority have now been forced to review how they secure and automate the delivery of data.
What complicates the discussion around securing data is the data itself. Data forms the very foundation of any modern digital enterprise. It drives everything from new user experiences to products and business insights.
However, for most companies, allowing business applications unfettered access to data can also prove to be the greatest source of risk. Organisations often struggle to secure sensitive data in non-production environments, which represents up to 90 percent of the attack surface at risk of a data breach. A vast majority of data is estimated to sit in non-production systems used for development, testing, and analytics systems. Most of this non-production data is in multiple replicas of subsets of the overall production data, which contains personal or sensitive information. Being in non-production environments these data instances are also not typically as well secured as the production data.
The unparalleled growth of data, paired with the multitude of intricate ways the data is used creates what can only be defined as a “data swamp”. It is no wonder then that companies struggle to understand – let alone quantify – their risk and exposure. Even if you are able to identify, secure, and deliver data, it’s extremely difficult to fully understand how it’s being used at that moment in time, and on what scale it is being used.
Complicating things further, most security processes and organisations evolved in a traditional monolithic application-centric age. Understanding how data and risk propagates through applications as they modernise to micro-services, and adopt DevOps-driven Continuous Delivery, is a challenge forcing organisations to struggle with balancing the need to accelerate time to market and properly securing their data.
For some companies, a singular goal of speed makes sense. After all, speed has cemented its place as a key metric by which successful companies are measured. But when it comes to organisations that have valuable access to copious amounts of data (in Facebook’s case, 2.5 billion people), valuing speed at the expense of privacy and security can prove to be a costly decision.
The truth is, not properly balancing the trade-off between moving quickly and being thoroughly secure is what has led to the slew of data leaks and security breaches we have seen over the past few months.
Thankfully there is light at the end of the tunnel for speed and security to co-exist harmoniously.
DataOps: the key to a successful data security relationship
The middle ground comes in the form of a new approach that unites those data operators managing and securing data, with data consumers, such as the developers, analysts, data scientists and anyone else, who need data to do their job.
This emerging movement – DataOps – seeks to eliminate data friction through people, process, and technology. It allows businesses to build a comprehensive library of data sources that pinpoints the exact location of sensitive data across an organisation’s entire IT estate, whether on-premises or in the cloud.
However, identifying personal data is only half the challenge. The bulk of the task lies in successfully protecting the data. The number one challenge that companies face at this stage is in masking the data.
Modern dynamic data platforms can be used to apply masking policies for multiple systems at once in a matter of minutes. What’s more, dynamic data platforms can be used to profile data, suggest algorithms, build rule sets and then mask very large datasets. This meets the GDPR requirement of privacy by design, in that you are designing data-masking directly into the delivery of data.
By applying DataOps and its tools, businesses will be that much closer to eliminating data friction and securing data at the same time, allowing their best resources to securely access the data they need, when they need it.
Where is data security headed?
As we set foot into 2019, the volume of data-driven businesses is only set to continue growing exponentially. Generated at break-neck pace, data shows no signs of slowing down or getting less complex.
Plagued by the need to secure all that data, many businesses will find themselves stuck in the infamous data swamp – unable to move forward and unable to escape. They will find that a vast majority of their time and effort is spent on protecting the data from getting leaked, and not enough time is spent on leveraging the valuable data to gain insights and propel innovation. On the flip side, we also see some companies getting caught up in the everyday operations and product development, inadvertently pushing essential things such as privacy to the side-lines.
Human error is inevitable and it is next to impossible to expect humans to be able to manage all that data and never make a mistake.
The only way forward for us all is to turn to the multitude of advanced technology tools available to us. Machine-learning and artificial intelligence (AI) are fantastic examples of tools that can be extremely useful and reliable when it comes to data security. For example, companies can use AI to comb through troves of data to identify mis-categorised data, or detect parties that might be trying to access data they’re not authorised to. IT automation not only offers consistency across the organisation, but it also helps free up valuable IT resources to focus on more pressing data issues.
The key element that enables businesses to leverage automation is of course the data itself. Businesses that are able to provide the right kind of data at the right time will be able to reap the most benefits from this approach.
There is no one-size-fits-all solution to establishing a perfect approach to keeping data secure. Each business is unique and requires its own strategy to ensure it is well-prepared to navigate the minefield that is data security.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.