Data is not just critical to business it is core. It is the essence of a company’s function. Big data is a major part of that flow, and the more customer data that is out there, the more it needs protection.
As big data gathers momentum, incorporating security into planning and processes in the early stages of a project are becoming more important. The big data revolution is just getting started and will present major security challenges if its data management is not carefully planned.
Formerly the exclusive domain of IT, information security has now become the domain of everybody including content and knowledge managers.
Major retailers and government agencies have suffered data breaches, denials of service and destructive intrusions. Millions of individuals have been affected, and organizations are now forced to devote more resources to prevention and remediation. Everyone in a company, from consumers to CEOs, has become acutely aware of the hazards of failing to protect information.
Every business user and anyone accessing data needs to be aware of it. The advent of the mobile worker and the proliferation of cloud technology have added a new dimension.
People want to run their businesses on a tablet, and they can do that but information managers need to understand how to do it safely. Much of the data in an enterprise exists only at endpoints, which increasingly are mobile devices.
According to a study by IDC, 75% of the U.S. workforce is mobile, with most of those employees having more than one mobile device. But those devices are at risk: about five to 10% of laptops are lost each year, according to a study from Ponemon Institute, and about one-third of them contain unencrypted sensitive or confidential data. In another study, one in six respondents reported having a mobile device lost, stolen or destroyed. In addition, a lot of intellectual property is stored on mobile devices, and in the event of litigation, the company has to be able to locate it.
Despite the convenience of mobile devices, their use creates well-recognized conflicts with security, especially in the face of increased frequency of BYOD (Bring Your Own Device).
Even when users hold onto their devices, security is far from guaranteed. Data is becoming more dispersed and fragmented. Even when companies do not know where the data is flowing, they still have an obligation to protect it. Information sharing is the norm rather than the exception today, both among employees within an organization and with outside organizations.
Along with mobile devices, the supply chain is a point of vulnerability. Once supply chain information leaves your organization, you don’t know what is being shared and what is being protected. Tracking it is a massive task and has often been managed by departments well outside of IT, such as procurement. It’s not just information about material goods that enters the supply chain; intellectual property associated with the products also goes to third-party suppliers. Information, such as patent data or formulas for pharmaceuticals, is shared with lawyers and accountants.
Analyzing the risks to information in the supply chain can help focus resources on mission-critical data. Companies should work with their vendors to ascertain how they are protecting information, and to consider putting security requirements into the contracts they write with suppliers.
Business and IT should start with a conversation to explain what protection the company has in place and what measures are being taken. Then, the business side can work with IT to develop business cases based on the impact of their operations and illustrate the ROI for protection of their functions. That can help IT by showing the costs of downtime and clarifying what needs to be protected.
Technology can help overcome security problem. For example, an application can provide continuous backup, but users don’t know that it is running or the can also enforce encryption without the user’s awareness and remotely wipe laptops to clear the data. There are products which focus on encryption and tokenization, to secure the data itself rather than the network environment. Tokenization provides visibility to the flow of data without putting the data at risk.
A new product called Protegrity Avatar for Hortonworks is designed to secure individual data elements while managing and monitoring the data flow in Hortonworks, an enterprise Hadoop data platform.
In most cases, organizations need to deploy more than one security solution, because the threats are many and varied. Most companies use a best-of-breed strategy, picking out the strongest solutions for their needs.
Data security is about data protection, but it is also about continuity and availability. Protecting information with technology is important, but it is not a substitute for information governance within a company.
Achieving the right balance between business needs and information security requires a fundamental shift in attitude. Rather than thinking of data as something a company owns, business owners need to come to term with the fact that they are custodians of data that needs to flow and be managed.
A legislative proposal announced by the White House in mid-January is designed to increase data security by promoting information sharing, strengthening law enforcement for cyber crimes and requiring that data breaches be reported promptly.
Companies have been concerned about information sharing because of the risk of liability for violating individuals’ privacy. The bill addresses that issue by requiring compliance with privacy guidelines, including removal of unnecessary personal information. The legislation would simplify and standardize the requirements for reporting data breaches. Currently, the laws exist at the state level, but not all states have them, and those that exist are not consistent.
Whether defending their website from intrusions, keeping applications running or protecting data elements, organizations are faced with an increasing number of threats and a complex security environment. Awareness at every level of the extended enterprise will be essential to minimizing the adverse impact of security incidents.
Galaxy Consulting has 18 years experience in information security and governance. Please call us for a free consultation.