Since the start of 2023, cybersecurity and data privacy have remained top of the news agenda across Australia.
The impact of significant data breaches and cyber incidents has spread far beyond the realm of IT security experts and is now on every business leader and consumer’s mind.
This rise in awareness around cyber protection was much needed and is a welcome shift in the conversation. But it has also brought with it a lot of misunderstandings and misinformation.
While cybersecurity is used as an all-encompassing term to cover anything in a computing environment, data security requires a very specific approach.
Securing everything but the data
Major data and privacy breaches are often a result of human error or a successful external attack on users, devices, networks, or software.
This leads many to believe that data security requires a systematic defence of attack vectors, no matter the cost or the results.
Yet, the concept of trying to defend every potentially exploitable asset to prevent serious data incidents is a fallacy.
In many cases, it is driven by the belief that if security best practices around user access, connected devices, software and networks have been deployed, the data is safe. Common practices such as penetration testing and cyber awareness training are also often thought to represent extra safeguards to protect the organisation’s environment.
Unfortunately, taking this approach leaves the data itself, for all practical purposes, unsecured and sitting on the digital equivalent of a shelf in a storeroom.
Most organisations do not understand, or are not aware, that if they do not enforce confidentiality and integrity on the data itself, and instead rely on everything else in the organisation being secure, then the data is not secure.
Treat your data like your dollars
It takes only one material error in the edge security environment or a small human oversight to open the door to a skilled attacker.
If the data itself has no security to prevent exposure, the consequence can be catastrophic. Sensitive customer records can easily be breached or stolen, often costing organisations a hundred times more than what it would have cost to secure the actual data itself.
Consider an organisation that has a million dollars in physical cash. There is no way it would simply store the cash on a shelf in the office and rely on an alarm on the building, strong front doors, and a guard at the front desk for security. The organisation would protect the cash itself by locking it in a very secure safe. What's more, keys or codes would only be shared with those who need access, a robust alarm system would protect the safe, and it would be monitored 24/7 by a response service that would react in seconds if the alarm went off.
Not all data is the same
Securing data may suddenly seem like a huge and expensive challenge, but not all data is the same. Focus time and resources on securing sensitive data, data that is valuable to the operations of the company, and data that impacts compliance obligations, using these three simple controls:
- Make it safe by hiding it in plain sight – apply encryption, tokenisation, masking, or anonymisation to ensure sensitive information is not visible to unauthorised users or processes. If the data cannot be easily viewed, it is less at risk. In addition, if the data is inherently hidden, it can be easily moved, replicated, or backed-up, without being put at risk of disclosure – either deliberate or accidental.
- Control who or what can access the data – ensure only authorised people or processes have access to the keys that unlock the safe. While they may be authorised to access the room containing the safe, it does not automatically give them the right to access the cash. If data access control is correctly enforced, it will not only prevent sensitive data from being stolen or accidentally disclosed, but it will also prevent data from being tampered with.
- Proactively alert when the data itself is threatened – if an unauthorised person or process tries to read or write to the data, good data security will stop it. Without integrating threat response, data security may only delay the attack. Once alerted, a quick response needs to be triggered.
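As an added illustration of the three controls above (example code written for this page, not part of the original article), here is a small Python model of a data vault: a sensitive field is replaced by a random token so the record can be stored and copied safely, only principals named in a policy may unlock the raw value, and every denied attempt raises an alert. The principal names, data class and policy are assumptions constructed for the example.

```python
import secrets

# Constructed policy (an assumption for this example): which principals may
# unlock which classes of sensitive data; everyone else gets the masked form.
DETOKENISE_POLICY = {"billing-service": {"card_number"}, "support-agent": set()}

class DataVault:
    """Holds raw sensitive values; records carry only tokens, so they can be
    stored, copied and backed up without exposing the value."""

    def __init__(self, alert):
        self._vault = {}      # token -> (data_class, raw value)
        self._alert = alert   # called when an unauthorised unlock is attempted
        self.audit = []       # every unlock attempt, allowed or denied

    def tokenise(self, data_class, value):
        # Control 1: hide the value; a random token reveals nothing about it.
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = (data_class, value)
        return token

    def mask(self, token):
        # Partial view that any holder of the record may see (last four digits).
        _, value = self._vault[token]
        return "*" * (len(value) - 4) + value[-4:]

    def detokenise(self, principal, token):
        # Control 2: only principals named in the policy get the key to the safe.
        data_class, value = self._vault[token]
        allowed = data_class in DETOKENISE_POLICY.get(principal, set())
        self.audit.append((principal, token, "allowed" if allowed else "denied"))
        if not allowed:
            # Control 3: raise an alert the moment the data itself is threatened.
            self._alert(f"unauthorised unlock of {data_class} by {principal}")
            raise PermissionError(principal)
        return value

def run_demo():
    alerts = []
    vault = DataVault(alert=alerts.append)
    # Constructed sample record; the card number is a well-known test value.
    token = vault.tokenise("card_number", "4111111111111111")
    record = {"customer": "Example Pty Ltd", "card_number": token}
    masked = vault.mask(record["card_number"])
    unlocked = vault.detokenise("billing-service", token)
    try:
        vault.detokenise("support-agent", token)
        denied = False
    except PermissionError:
        denied = True
    return {"record": record, "masked": masked, "unlocked": unlocked,
            "denied": denied, "alerts": alerts, "audit": vault.audit}
```

The stored record never contains the raw value, so a copy or backup of it carries no exposure risk; the audit list gives the response team the trail the article's third control calls for.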
The million-dollar question
The growth and success of a business today rely as much on good data security as on protecting its cash flow. My one piece of advice to business leaders is to ask your IT or cyber security team if they are securing the company’s digital environment and securing the data itself. Understanding the difference could help you avoid a devastating attack on your company.