‘Data is the new oil’. Many of us have heard this phrase time and time again, but like any good adage it stands the test of time, and it’s a relevant comparison to make. Just like oil, data in and of itself isn’t particularly valuable, but put to use it can become extremely powerful, says Chris Harris, EMEA Technical Director at Thales.
In today’s information age, forward-thinking organisations are using data to innovate; something that we’ve seen across every single sector and industry vertical. It can help businesses to revolutionise ways of working, deliver new products and services, drive efficiencies and deliver a more personalised service to customers. At the same time, cybercriminals and bad actors also know that data is the lifeblood of any business, and as such it has become a commodity ripe for exploitation – with businesses’ and consumers’ data being put at risk. Barely a month seems to go by without news of another high-profile data breach hitting the headlines. These breaches do carry consequences, both for the consumers who have had their personal data and identity put at risk and for the businesses that are in essence custodians of this data.
The call for mandatory data controls
As discussed, data breaches are unfortunately commonplace – with bad actors increasingly finding new ways to steal data – and while organisations can take measures, we will still see these breaches occurring. But what do consumers think should happen to those organisations in the aftermath? We recently undertook a global study of more than 21,000 consumers to assess attitudes to trust when it comes to their data. Interestingly, more than half (54 per cent) believe organisations that have suffered a data breach should be forced to implement mandatory data protection controls such as encryption and two-factor authentication.
Some 54pc said organisations should be legally obligated to put these measures in place, ahead of offering compensation to victims (53pc), employing more specialists to make sure it doesn’t happen again (46pc), finding and returning victims’ data (43pc), or having to pay a large fine (31pc).
How to instil trust
According to the findings, social media companies (18pc), government (14pc) and media and entertainment organisations (12pc) were the sectors that found themselves with the lowest levels of consumer trust when it comes to keeping personal data secure. Perhaps unsurprisingly, consumers have become increasingly security conscious and are making their choice of products and services on this very basis. A quarter do not want to use services that aren’t encrypted, while one in five have stopped using a company that has suffered a data breach.
Getting the basics right
Networks are under constant probing and scanning by threat actors, so organisations need to find a way to securely store and move the vast amounts of data being generated every day – all without compromising user experience.
Encryption is the starting point here. By implementing encryption, organisations can protect all structured and unstructured data that’s found across their on-premises, virtual, public cloud, and hybrid environments. To fully defend themselves against insider threats and malicious attacks, they should implement encryption across both data at rest and data in motion. The latter measure is especially important, as data-in-motion encryption helps shield an organisation’s data, video, voice and metadata from eavesdropping, surveillance and other interception attempts.
Once encryption is established, organisations need to look at key management. If a bad actor gains control of an organisation’s cryptographic keys, they can abuse them to decrypt the organisation’s data, create fraudulent identities and generate malicious certificates. Key management control gives organisations a means by which they can securely manage, store and use their cryptographic keys.
Let’s not forget identity and access management (IAM). In recent years, new working trends accelerated by the pandemic have dissolved traditional boundaries – a company no longer exists within the confines of an office and has expanded to include remote employees, partners and customers. In response to these developments, organisations should implement controls that limit employees’ access to work-related resources based on their job duties. These controls should include the use of multi-factor authentication (MFA) to safeguard users’ accounts even if threat actors succeed in compromising their credentials.
These measures should be baked into any organisation’s data protection strategy and constantly reviewed and updated to align with the ever-evolving threat landscape. Customers have had their say; they recognise the importance of their data and will stop using services that don’t implement these measures. Building in more rigorous encryption, authentication and data security measures is one way organisations can start to address extremely low levels of trust – and it’s time organisations take this seriously.