I read an interesting article that summed up nicely one of my favorite talking points: Consumers, or even company employees, have no control over the security of our information once an organization gets its hands on it, yet even though we are the victims, we are held responsible for protecting ourselves from identity theft and other cybercrimes. Companies clearly aren’t doing enough, as Greg Sim, CEO of Glasswall, said to me via email in response to the Deloitte breach:
“In the case of Deloitte, this has resulted in customer data being lost. By their own admission, traditional anti-virus isn’t stopping these sophisticated attacks. What’s needed is a more innovative approach to protect companies and employees from document attacks.”
Could that innovative approach simply be a better understanding of the data itself?
I had the opportunity to sit down with Scott Baker, senior director, Emerging Business Portfolio with Hitachi Data Systems at Hitachi Vantara’s NEXT 2017 conference last week. As we talked about Big Data and security issues, a theme jumped out at me: If you want to protect your data, you have to know what you’re storing. The problem, said Baker, is that organizations struggle with data. They don’t spend enough time on putting structure to the data so users can get to the information they need quickly. Without structure, you take the risk of storing a lot of bad data, as well.
Content intelligence and better data quality are the keys to improving data security. When you have better data quality and higher content intelligence, the data is more accurate and easier to monitor for anomalies and problems. As Baker said:
“What hurts data security? False positives.”
Baker went on to provide a great real-world, non-security example of how false positives can hurt you. Remember the search engine Ask Jeeves? It was popular back in the day, before Google became a verb. The problem is that when you’d ask Jeeves a question, he was apt to provide an inaccurate answer. This began to frustrate users and eventually scared them off when Google proved itself to be more reliable.
It’s the same with the data inside your organization. How well are you able to aggregate it and monitor it to ensure that you aren’t overrun with false positives? Can you tell the difference between a false positive and an actual positive alert? Your data should be able to provide specific patterns in a collective set. When you can recognize those patterns, and see when they aren’t in proper alignment, you can sniff out a threat, perhaps before it becomes a full-blown attack.
One thing that Baker said to me early in our conversation has stuck with me. Security, he said, has morphed into responsibility. Looking at some of the most recent breaches, I can see where companies offer security, but they don’t take responsibility for the data customers and employees have entrusted to them.
Cybercriminals want the data. We’re seeing that more often than ever; however, we continue with security systems that focus on networks and perimeters.
Data is your company’s most important asset. You should know what it entails, where it is stored, and how to improve its quality and value. The more you know about the information you hold, the better prepared you become to protect it – and in turn, protect those who have entrusted it to you.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba