Thales Blog

You Cannot Secure Your Data by Network Penetration Testing

March 9, 2023

Brian Grant | CPL ANZ's Regional Director

Organisations continue to experience serious data breaches, often causing harm to their customers, society, and their hard-earned reputations. It would seem obvious from the reported data that there continues to be a flaw in the cybersecurity industry’s approach to data security.

Misunderstanding or Misinformation

Typically, major data and privacy breaches are a result of either human error, or a successful external attack on users, devices, networks, or software. In fact, according to the recent Thales Data Security report, 52% of surveyed organizations have experienced a data breach in the past. This leads many in the cybersecurity industry to believe that achieving data security requires a systematic defense of attack vectors, no matter the cost or the results.

This concept of trying to defend every potentially exploitable asset as the most effective way to prevent serious data incidents is a fallacy that continues to this day. It is irrelevant whether there is deliberate exploitation of this misunderstanding by some in the industry, or whether this is simply an example of our inability to think outside the traditional approach to cybersecurity. The consequence of this misconception is that critical data and privacy information continues to be at risk.

Data security is just that… data security

If your organisation had a million dollars in cash, you would most likely want to keep it secure. No way would you simply sit it on a shelf in the office and rely on good strong front doors to your building, your security guard at the front desk, and perimeter alarms around the building to keep it safe. You would of course lock it in a very secure safe, limit keys or codes to the safe to only those who needed to access the cash, most likely protect the safe with a very good alarm system, and certainly have it monitored 24x7 by an appropriate response service that would react in minutes if an alarm went off.

If your organisation’s data is potentially worth millions, or its exposure or unavailability could cost millions, then the data deserves to be secured. Data security means just that - secure the data!

Consequences

The consequence of misunderstanding how to secure privacy data or similar critical business data assets can be dreadful.

For many years, I was in discussions with a data analytics team about how to secure sensitive consumer data at a large, very well-known enterprise. The investment to secure the data itself was delayed or deferred multiple times. The reason was that the cybersecurity team had told the business leadership team that the data was safe. The cyber team had deployed security best practices around user access, connected devices, software and networks. There was also regular penetration testing, as well as systematic cyber awareness training across the organisation. It was a very well protected environment in the traditional sense of cybersecurity.

The trouble was that the data itself remained, for all practical purposes, unsecured and sitting on the digital equivalent of a shelf in a storeroom. The organisation did not assess or enforce confidentiality and integrity on the data itself. Rather, it relied on everything else in the organisation being secure as the foundational strategy for ensuring the safety of its valuable data assets.

It took only one material error in the edge security environment to open the door to a skilled attacker; just one human oversight in a complex internetwork of security frameworks. With the data having no security to prevent exposure, the consequence was catastrophic, with millions of sensitive customer records stolen and the organisation's brand and cybersecurity reputation in tatters. The cost is still to be measured, but it will be hundreds of times more than what it would have cost to secure the actual data itself.

Achieving effective data security

The ability to secure data has always been readily available to any organisation willing to take the right approach to the challenge. The importance of good data security through the appropriate enforcement of data confidentiality and integrity is well known and often quoted in cybersecurity seminars all around the world.

Let’s think of it more pragmatically.

Encrypt the data

The first step to securing data is to make it safe by hiding it in plain sight. Technically speaking, we apply encryption, tokenisation, masking, or anonymisation so that the sensitive elements of the information are not visible to an unauthorised user or process. There are added benefits beyond keeping data confidential in this approach. If the data's value cannot easily be assessed because it cannot be viewed, it is less at risk. In addition, if the data is inherently hidden, it can be moved, replicated or backed up without being put at risk of disclosure, either deliberate or accidental.

Implement strong Identity and Access Management policies

The second step is, of course, to control who or what can read or write the data itself. This step is analogous to ensuring that only authorised people or processes have access to the keys that unlock the safe: they may be authorised to enter the room containing the safe, but that does not give them the right to access the cash. Indeed, digital key management is an element of what we technically use to enforce this function. If data access control is correctly enforced, it will not only prevent sensitive data from being stolen or accidentally disclosed, it will also prevent data from being tampered with.

Monitor for suspicious activity

The third step is to proactively alert when the data itself is threatened, just as you would if someone tried to open the safe with a million dollars inside. If an unauthorized person or process tries to read or write to the data, good data security will stop it. However, if you do not alert someone and take action to respond to the threat, it may only be a matter of time before they find a way to access the data, even though the attack surface for the data is now a keyhole rather than an open door. Without integration with threat response, data security may only delay the attack. So once alerted you must respond in force!
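The three steps above (hide the data, gate the keys, alert and respond) fit in one small model. The following is an added example written for this post, not Thales code or any product's API; every name in it (the actors in `POLICY`, the `DataSafe` class, the sample card number, the denial threshold) is constructed for illustration. It tokenises a card number with a keyed pseudonym and stores only the token and a mask (step 1), keeps the token-to-value vault behind an entitlement check (step 2), and records an alert on every refusal, cutting an actor off after repeated refusals so that alerting is tied to a response (step 3). In a real deployment the tokenisation key lives in a KMS or HSM and the vault is an audited tokenisation service; the standard-library HMAC here stands in for that.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed actors and entitlements (hypothetical names, not from the post).
POLICY = {
    "analytics-job":   {"read_masked": True, "detokenize": False},
    "billing-service": {"read_masked": True, "detokenize": True},
}
DENIAL_THRESHOLD = 3  # refusals before an actor is cut off: a response, not just an alert


def mask_card(pan: str) -> str:
    """Static masking: keep only the last four digits visible."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class DataSafe:
    key: bytes                                   # tokenisation key; in production held in a KMS/HSM
    vault: dict = field(default_factory=dict)    # token -> clear value; the contents of the safe
    alerts: list = field(default_factory=list)   # step 3: events the response team would receive
    denials: dict = field(default_factory=dict)  # actor -> number of refused requests
    blocked: set = field(default_factory=set)    # actors cut off after repeated refusals

    def _token(self, value: str) -> str:
        # Keyed pseudonym: without the key a token cannot be linked to a value,
        # and without the vault it cannot be reversed at all.
        digest = hmac.new(self.key, value.encode(), hashlib.sha256).hexdigest()
        return "tok_" + digest[:32]

    def store(self, record: dict) -> dict:
        """Step 1: the stored copy carries a token and a mask, never the card number."""
        token = self._token(record["card"])
        self.vault[token] = record["card"]
        return {
            "customer_id": record["customer_id"],
            "card_token": token,
            "card_masked": mask_card(record["card"]),
        }

    def _deny(self, actor: str, action: str, customer_id: str) -> PermissionError:
        """Step 3: every refusal becomes an alert; repeated refusals trigger a block."""
        count = self.denials.get(actor, 0) + 1
        self.denials[actor] = count
        alert = {"actor": actor, "action": action, "customer_id": customer_id, "denials": count}
        if count >= DENIAL_THRESHOLD:
            self.blocked.add(actor)
            alert["response"] = "actor blocked"
        self.alerts.append(alert)
        return PermissionError(f"{actor} may not {action}")

    def read(self, actor: str, stored: dict, detokenize: bool = False) -> dict:
        """Step 2: check entitlements on every read; the vault is never reached otherwise."""
        action = "detokenize" if detokenize else "read_masked"
        rights = POLICY.get(actor, {})
        if actor in self.blocked or not rights.get(action, False):
            raise self._deny(actor, action, stored["customer_id"])
        out = dict(stored)
        if detokenize:
            out["card"] = self.vault[stored["card_token"]]
        return out


if __name__ == "__main__":
    safe = DataSafe(key=b"constructed-demo-key")
    stored = safe.store({"customer_id": "cust-001", "card": "4111 1111 1111 1111"})
    print("stored record:", stored)
    for _ in range(3):
        try:
            safe.read("analytics-job", stored, detokenize=True)
        except PermissionError as exc:
            print("refused:", exc)
    print("alerts raised:", safe.alerts)
```

Note what the stored record looks like to anyone who reaches it through a gap in the perimeter: a token and `************1111`, which is the "keyhole rather than an open door" the post describes. The analytics job keeps its masked read access right up until its third refused detokenisation, after which the block applies to every request it makes.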

It is of vital importance that every organization continuously evaluate what they have put in place to secure their data. The growth and success of the business relies as much on good data security as on protecting its cash flow. Learn more about how Thales solutions offer data protection against evolving threats.