Lack of confidence in data security can cost you more than you think

(This article first appeared on CSO Online.)

The majority of companies don’t understand the value of their data, because they aren’t taking the necessary steps to study the information they are gathering from customers.

The European Union’s General Data Protection Regulation (GDPR) came into effect almost two months ago. Leading the way to a new era of data protection, the long-awaited GDPR has emphasized the importance of data security more than ever before. Besides tarnishing their reputation, businesses face the risk of encountering large fines if they don’t align with the regulation.

Although cybersecurity is top of mind for most organizations with the new law, they still feel uncertain about their data protection practices. Recent research from Gemalto, its fifth-annual Data Security Confidence Index, which surveyed 1,050 IT professionals and 10,500 consumers globally, revealed that businesses differ in their capability to study data that has been collected. Shockingly, two in three companies (65%) admit they don’t have the proper resources to analyze data and therefore are unable to do so.

This finding forces me to think – the majority of companies don’t understand the value of their data, because they aren’t taking the necessary steps to study the information they are gathering from customers. That’s why organizations are stunted in the process of applying appropriate security controls to protect the valuable information they possess. Unsecured data is a hacker’s dream. Attackers can sell it on the dark web or hold it hostage with ransomware, causing financial loss and reputational damage. Data manipulation can take years to uncover, which puts everything from an organization’s business strategy to its product development at risk. In today’s digital world, data informs everything, so its value cannot be overstated. We’ve all seen our fair share of breaches this past year that illustrate how detrimental they can be to an organization.

Organizations have gaps in confidence levels

Almost half of IT professionals say perimeter security is effective at keeping unauthorized users out of their networks. However, two thirds of them believe unauthorized users can access their corporate networks and less than half are confident in the security of their data once cyberhackers are inside.

With that being said, more than half of companies don’t know where all of their data is stored. Moreover, more than two thirds admit they don’t carry out all the processes aligned with data protection guidelines such as GDPR.

This gap in people’s confidence in their organization’s data protection policies indicates the reason for continuous breaches: twenty-seven percent of organizations reported their perimeter security was breached last year. Of those that had suffered an attack, only 10% of the compromised data was protected by encryption, leaving the rest exposed. In order to secure their networks, IT professionals need to use encryption, which, paired with other solutions, provides the essential security base for a robust system that can guard sensitive information.

Crucial steps for strong security

When it comes to cybersecurity it’s a valid question to ask, “Who’s in charge?” It’s crucial for organizations to get their houses in order, starting with determining who will be responsible for overseeing security measures. Every executive board needs to have a Data Protection Officer, a chief individual who leads data security from the top down. Second, organizations must organize and study collected data to properly protect it and make informed business decisions. Lastly, IT pros need to change their outlook on security as a whole. It’s no longer a case of if, but when a breach occurs. Therefore, organizations should implement a comprehensive approach to cybersecurity, using methods such as encryption, two-factor authentication, and key management in addition to perimeter protection.

These critical steps aren’t solely for the sake of companies, but also for consumers who have data records tied to these businesses. The vast majority of consumers say it’s imperative that organizations comply with data regulations due to their growing understanding of breaches and communications around GDPR. Actually, fifty-four percent of consumers are aware of what encryption is, which shows knowledge of how data should be protected.

Cost of poor data security

Over the years, security experts’ predictions about the potential costs of a breach have kept rising. Cybersecurity Ventures estimates that the costs related to cybercrime damages will reach $6 trillion by 2021. From upgrading IT infrastructure to paying legal fees and government fines, the costs are both tangible and intangible. We’ve now reached the tipping point on the implications of data breaches, which can negatively affect a company’s market value and ruin the reputation of the corporate and management teams.

With pressure to ensure consumer data is protected and the risks and costs of breaches growing, organizations need to take immediate steps to transform their approach to data security. Companies need to have confidence in how they gather, analyze, and store their information. Only with this understanding, and with compliance ensured, will they be able to adopt effective security measures.

CSO Online – GDPR: Where we were…and where we’re going

It’s clear that conventional methods to data security aren’t working anymore, so it’s time to step away from breach prevention and focus on a “secure breach” approach

(This article first appeared in CSO Online.)

The plethora of data breaches within the past few years has set off alarms for organizations, especially their IT managers. We’ve seen that many of the breached organizations hadn’t secured their data with the appropriate controls and protection, which left sensitive information vulnerable to hackers. As a result of these countless attacks, last month the General Data Protection Regulation (GDPR) was finally enacted in the EU to ensure that if breaches occur, consumer information is still guarded.

The law represents the most substantial modification to data protection in the Union since 1995. Replacing the previously adopted directive, the regulation has authority over all EU states to provide uniform data protection. However, member states of the Union aren’t the only ones impacted by this regulation: any company doing business in the region must comply. Companies based in the United States are being held accountable along with those in other non-EU countries, and so many companies have been making internal alterations to avoid the severe penalties for non-compliance.

Taking a look at the past

If there’s one thing we’ve learned from recent history, it’s that we have a growing data security crisis. According to the Breach Level Index (BLI), 2.6 billion records were stolen, lost or exposed globally in 2017. Since the BLI began tracking breaches five years ago, nearly 10 billion records have been compromised. Between 2016 and 2017 alone, we witnessed an 87.5 percent jump in the number of breached records. There is a chance that these numbers will increase, because there are still breaches that go unreported.

It’s difficult to turn a blind eye to the news as there is a story about a major security breach where consumer data is either accessed or stolen every week. The BLI revealed that 1,453 data incidents occurred in the United States last year. Even well-known companies that we all trust with our personal and financial information have been affected, including Facebook, Uber, and Equifax.

The most distressing thing is not the number of incidents but the scale of the attacks, which affect thousands and sometimes millions of users. While the reporting requirements of GDPR make the problem more visible, it is becoming apparent that conventional data security and breach prevention measures cannot provide adequate defense against pervasive cyberthreats.

GDPR is here

One of the most important obligations in the new law is to alert authorities and affected individuals when a data breach takes place. Organizations with careless security procedures will be exposed in time and might face financial penalties. The level of transparency mandated in the disclosure requirements opens the door for organizations to be publicly shamed after suffering a data breach. Service providers who manage consumer data, such as cloud providers, will be held responsible. Companies are also being forced to adopt certain security measures to mitigate threats and possible consequences after experiencing an attack.

What companies should be doing if they haven’t already

Before its implementation, GDPR was changing attitudes and brought data protection to the forefront of a business’ priority checklist. Now that the regulation is active, what steps do businesses need to keep in mind while ensuring they are compliant? We’ve included our three-step approach to data protection below:

1. Sensitive data must be encrypted

Encryption has been mentioned by the European Union Agency for Network and Information Security (ENISA) as a critical and effective base to reach legal benchmarks for security and control in rendering data unintelligible. In other words, companies should secure data at the application level, while it is in motion, and when it is stored. This approach shouldn’t be limited to financial data but should be used for all valuable data of involved parties.

2. Encryption keys are stored and managed

A common error that companies commit is storing the keys where the data dwells. In doing so, they leave private information at risk of being exposed. Organizations must remember that their data is only as secure and accessible as the keys used to encrypt the information. Crypto management platforms consider this risk and are able to create, rotate and delete keys. Using hardware security modules, extra trust anchors for encryption keys are provided.

3. Controlled access

Evaluating current risks in an organization can help align access controls with specific data processing situations. An authentication strategy must be established to safeguard user identities and allow only authorized users to access systems and data. Efficient controls use systems like multi-factor authentication that require an added level of verification, a passcode sent to a cell phone for example.
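Steps 1 and 2 above, as an added example that is not part of the original article: envelope encryption in Go, where each record is sealed under its own data-encryption key (DEK) and only that DEK is sealed under a key-encryption key (KEK) that the data store never holds, so the keys do not "dwell where the data dwells" and the KEK can be rotated without re-encrypting the records. The KEK is modelled as a caller-held 32-byte slice standing in for a KMS or HSM, and all function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func must[T any](v T, err error) T { // bad key length or dead entropy source: abort
	if err != nil {
		panic(err)
	}
	return v
}
func seal(key, plaintext []byte) []byte { // AES-256-GCM; output is nonce||ct||tag
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce for every seal
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, plaintext, nil)
}
func open(key, sealed []byte) ([]byte, error) { // errors on wrong key or tampering
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("sealed blob shorter than nonce")
}

// Encrypt: fresh data-encryption key (DEK) per record; the record is sealed under the DEK,
// the DEK under the key-encryption key (KEK), which stays in the KMS/HSM (a caller-held slice here).
func Encrypt(kek, record []byte) (ciphertext, wrappedDEK []byte) {
	dek := make([]byte, 32)
	must(rand.Read(dek))
	return seal(dek, record), seal(kek, dek)
}
func Decrypt(kek, ciphertext, wrappedDEK []byte) ([]byte, error) { // unwrap DEK, then open record
	dek, err := open(kek, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext)
}
// RotateKEK re-wraps the DEK under a new KEK; the record ciphertext is never touched.
func RotateKEK(oldKEK, newKEK, wrappedDEK []byte) ([]byte, error) {
	dek, err := open(oldKEK, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return seal(newKEK, dek), nil
}
```

A copy of the data store (ciphertext plus wrapped DEKs) is useless without the KEK, and a wrong KEK, a stale KEK after rotation, or any modification of a stored blob surfaces as an error rather than as garbage plaintext.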

Looking ahead

Today, being breached is not a question of “if” but “when.” Therefore, security professionals always need to think about conducting risk analysis to prevent, detect, and block data breaches. A necessary foundation for this level of security is provided by encryption solutions. When encryption is combined with other protection measures, these controls form a robust basis for achieving compliance with GDPR.

Now that the regulation is effective, it’s time to move quickly (if you haven’t already). Companies need to start taking steps to change their outlook on security when protecting user data. It’s clear that conventional methods to data security aren’t working anymore, so it’s time to step away from breach prevention and focus on a “secure breach” approach.

CSO Online – Let’s get serious about security: 2.6 billion records stolen or compromised in 2017

Gemalto’s 2017 Breach Level Index found 2.6 billion records were compromised in 2017, as well as a number of new data breach tactics. Breached or exposed data is not only a headache for security teams. It also impacts brand reputation, customer confidence and stock prices, but risk can be managed by mapping out where data resides.

Gemalto, my employer, recently published the latest research from its Breach Level Index (BLI), sharing that 2.6 billion records were stolen, lost or exposed worldwide during the year of 2017. A global database, the BLI follows and studies breaches, the types of data compromised and how it was accessed or lost.

To read the full article click here.

CSO Online – Data breaches are taking a toll on customer loyalty

Data breaches are happening on a daily basis. And as the number of breaches has soared, the scale of attacks has escalated as well. According to the Breach Level Index, 1.9 billion data records worldwide were compromised during the first half of 2017 due to 918 data breaches. The number of lost, stolen or compromised records increased by an overwhelming 164 percent compared to the last six months of 2016. (Disclosure: the Breach Level Index is operated by Gemalto, where I am employed.)

This year saw major security incidents affecting numerous high-profile corporations such as Equifax and Deloitte. And the consequences of such breaches now appear to be moving beyond the direct financial impact. As businesses struggle to maintain and protect consumer data, consumers are growing wary of both the attitude and practices those organisations take in order to do so.

To read the full article click here.

CSO Online – More data records were lost or stolen in the first half of 2017 than all of 2016

918 data breaches led to 1.9 billion data records being compromised worldwide in the first half of 2017.

This October marked the 14th year of National Cyber Security Awareness Month (NCSAM), a series of events created as a collaborative effort between government and industry to ensure that all Americans have the resources they need to stay safer and more secure online. Even before last month’s Equifax and SEC breach announcements and Yahoo revising its report of a 2013 security incident to clarify that the event exposed every one of its three billion user accounts, that task – staying secure online – seemed overwhelming. Let’s look at the numbers.

To read the full article click here.

CSO – Protecting data: when confidence is overconfidence

According to the recently released annual Data Security Confidence Index (DSCI), many businesses today are guilty of feeling overconfident about keeping hackers at bay, while at the same time failing to keep data safe.

American author, engineer and billiards Hall of Famer Robert Byrne once noted that “confidence is overconfidence.” According to the recently released annual Data Security Confidence Index (DSCI), many businesses today are guilty of this flawed mindset: feeling overconfident about keeping hackers at bay, while at the same time failing to keep data safe.

To read the full article click here.

CSO Online – How ransomware is creating a data backup explosion

As ransomware becomes more common, everyone will need to better understand the different types, how they work, and what their broader effects will be on the IT and IT security industries.

While the WannaCry ransomware and Petya – a wiper disguised as ransomware – are two of the most recent headline-grabbers in the security world, the truth is that we’ve seen this type of attack become more common over the past few years. Because data is the new oil in the digital economy, ransomware attacks that restrict access to important data until the attacker is paid are becoming increasingly common and are creating a series of after-effects that will ripple out for some time. As these attacks become more common, everyone will need to better understand the types of ransomware, how they work, and what their broader effects will be on the IT and IT security industries.

To read the full article click here.