With everyone’s “favorite” April deadline approaching, doesn’t it seem as though data breaches have become as inevitable as you know what? In my colleague Tina Stewart’s latest blog, she outlined some major federal data breaches occurring in the past year (Department of Energy, the IRS) – and that list doesn’t even include OPM. Or the private sector.
According to 24/7 Wall Street, the Identity Theft Resource Center (ITRC) reports there have been a total of 177 data breaches recorded through March 22, 2016, and that more than 4.6 million records have been exposed since the beginning of the year. Needless to say, something’s (still) amiss.
Click To Tweet: .#DataProtection: It should be as inevitable as .... from @kessalan bit.ly/226TRPT pic.twitter.com/0dkC5ISojw
When It Comes to Data Protection, We Have an Opinion
Organizations are feeling the data breach pain. Our 2016 Global Data Threat Report (DTR) revealed 91% of respondents feel vulnerable to data threats. When broken out by verticals, that number barely changes. Case in point? Our recent Federal Government Edition of the DTR, which found that 90% of IT security leaders working for U.S. federal agencies feel similarly.
As it is impossible to avoid the taxman (although many people have tried), so is it impossible to prevent every data breach. Organizations attempting this will find themselves going down a rabbit hole, one that likely involves burning time, budget and morale very quickly. But, that doesn’t mean organizations shouldn’t take the very necessary steps to implement a layered IT security strategy – especially one that prioritizes data protection. The end goal is to protect data even when network, antivirus and other solutions have failed. After all, dropping the data protection ball means running the risk of lost revenue, confronting class action lawsuits and of course, reputational black eyes (see Target, Home Depot and Sony).
Most organizations worth their salt should care about keeping transactions secure and server communications safeguarded. Doing so means commerce can remain safely in motion, whether it’s flowing through Big Data storage systems, the cloud or the IoT. One way to do this? Making more extensive use of encryption and access controls as a first line of defense for data-at‐rest (locally in the data center, in cloud, big data and IoT environments) and considering an “encrypt everything” strategy.
A Turning Tide?
Our 2016 Global DTR illustrated a propensity among organizations to make compliance a top security priority – even as data breaches rise in organizations certified as compliant. This is understandable. After all, organizations operating within a regulated industry won’t be able to stay in business without remaining compliant.
With this reality in mind, compliance is still not enough. While it’s a good starting point, compliance regimes are updated only over many months and years. Cyberattacks change daily and hourly. This leaves compliance mandates requiring organizations to use protection methods that may already have been eclipsed by the attackers.
Investments in IT security controls were also shown to be misplaced, as most are heavily focused on perimeter defenses that consistently fail to halt breaches and increasingly sophisticated cyberattacks.
Fortunately, there are some positive signs. Our Federal DTR, for example, found that 37% of U.S. federal respondents plan to invest in data-at-rest defenses this year. Following best practices also appears to be gaining momentum. While compliance remains the primary motivator for securing sensitive data, nearly half (48%) are looking to implement data security to follow industry best practices. Respondents are also looking to implement ‘newer’ security tools such as cloud security gateways (40%), application encryption (34%), data masking (31%) and tokenization (27%).
Our Emerging Threats DTR also demonstrated an appetite for data-centric technologies. Respondents cited four top changes that would increase their willingness to use cloud services: a) encryption of data with enterprise key control on their premises; b) detailed physical and IT security implementation information; c) encryption of their organization’s data within the service provider’s infrastructure; and d) exposure of security monitoring data for their information.
Staying (Appropriately) Budget-Friendly
To minimize the drag on internal resources, data protection-conscious firms should look to vendors that can address a broad variety of use cases and reduce complexity through automation and multiple deployment options, to help reduce both the acquisition cost as well as ongoing operational costs that have traditionally been associated with data security. A strong single platform is one that emphasizes ease-of-use and offers encryption, enterprise key management, access control and security intelligence.
The Tax Man Cometh’. So do attacks on your data. Instead of using tens of tools to fight the latter, find a solution that doesn’t slow down your business and provides state of the art protection.
Unlike avoiding taxes, it’s not a pipe dream.