When we talk about data breaches, we often talk in terms of corporate financial or reputational losses, and of external threat actors: secure your data to protect against a ransomware attack; secure your emails to protect confidential client communications.
But the recent data breaches at the Police Service of Northern Ireland (PSNI) and the Metropolitan Police represent the true cost of a data breach: the human cost to the people whose personal details were leaked online. Considering the sensitive nature of many of these individuals’ work, officers and their families have been left feeling incredibly angry and vulnerable, with many evaluating whether it's safe to return to their jobs.
In both cases, sensitive data was accessed by someone who shouldn’t have had access to it. And that is often all it takes for a breach to occur: a keyboard error that inadvertently shares a confidential file with ‘Jo’ instead of ‘Joe’, selecting the wrong document from a shared drive, or open access to confidential systems and information.
Many organisations over-index on securing the perimeter to mitigate against external threats, whilst neglecting to build a true security culture internally. This doesn’t just mean putting employees through mandatory security awareness training every year, it’s about putting robust processes in place to protect all sensitive information, even from those inside of your organisation.
This is where data governance practices need to come into play. What data do you have, how sensitive is it, where is it stored and who should have access to it? And how do you extend this governance into collaborative workflows such as emails, file sharing and cloud applications?
Focus on the data
A data-centric approach to security allows you to easily apply protections, like access controls, to the data itself, which means those protections follow the data wherever it is shared for as long as it exists. It provides a level of control that is much needed in today’s climate to foster collaboration without jeopardising data security and, most importantly, to prevent data from inadvertently ending up where it shouldn’t be.
So why focus on protecting the data itself? Because it is the lifeblood of modern businesses and the core pillar of how organisations operate today. John Kindervag, the father of modern Zero Trust, is known for saying “The first principle of cyber security is to protect data and prevent breaches.” Across all security efforts, data is the common denominator.
Zero Trust is certainly a multi-layered endeavour. You can’t have strong security without considering how you authenticate the people, devices, and systems that access your data. But if you are protecting the data itself, it remains secure even if the other areas of Zero Trust protection fail.
So, how can security leaders take steps to make sure their data is protected in support of a data-centric strategy?
Data discovery, classification and tagging
It is critical to invest in proper data discovery to know what you have and where it is located. Once discovery is done, you can then classify your data as sensitive or not sensitive. And once data has been classified, you can then apply tags or labels to identify (attribute) the data that is most sensitive. Collectively, these upstream data governance efforts will enable your organisation to adopt downstream data security controls so you can define and enforce policy and minimise data leakage.
Leadership is key to cultivating engagement around security. Employees need to understand exactly what data is considered sensitive; you'll need to make sure they are familiar with what data falls under the categories of Personally Identifiable Information (PII), for example. To get individuals invested in protecting that data, it’s important to help them understand why they should care, and that their actions truly have power. Educating them about breaches in the news, and the impact of those breaches on businesses and their own teams, can help them gain perspective on how a breach could impact their own lives. If you make it personal, you will start to see a shift in awareness and behaviour, ultimately mitigating the likelihood of a breach.
Make it easy
Implement user-friendly tools that enable employees to protect the data they’re sharing. For too long, security and encryption products have neglected ease of use, which is a critical error; if you want employees to prioritise data security, you have to make it simple, and you have to ensure it doesn’t introduce hurdles into their daily workflow. Efficiency, speed, and innovation are table stakes for businesses today, so security should support those business objectives, not detract from them.
Start from the inside. Start with data
As many organisations continue to focus outward, on the perimeter, to mitigate against data breaches, it is likely they are overlooking internal security processes and behaviours that could put their organisation at even greater risk. We all know that perimeters get breached and people make mistakes, and if we take nothing else from recent events, it should be this: don't underestimate the importance of a data-centric approach to security. With the continual evolution of external threats and the inevitability of human error, ensuring the most valuable asset your organisation holds is protected should be your biggest priority. It’s time to switch things up and manage security from the inside out.