Level 3: Securing Every Organization’s Most Valuable Asset: Data (Or, If You Don’t Know Where Your Data Is, Cybercriminals Will Find It For You) - Chris Richter
It’s hard to put a value on information, and yet it can be argued that data, especially now, can be the most valuable asset companies own.
Unfortunately, it’s extremely difficult for organizations to assign a value to their intangible information assets, i.e. data. Without having established a value on its data assets, an organization will find it nearly impossible to perform a risk analysis – an essential step in determining the best approach to securing that data. But, data can also represent an organization’s greatest liability. If data is not properly disposed of, the risks to an organization, should there be a breach, can be devastating. In the recent, well-publicized attack on a major corporation, hackers exposed emails that dated back to 2008, according to one report. A risk assessment may have proven that emails dating back that far represented zero asset value, and in fact were a huge liability for the company. We should never assume our data is simply not of interest to cybercriminals and thus has no value. Almost all data is either an asset or a liability.
I have spoken to countless organizations that not only don’t know the value of their data, but are not sure where their data is located. This is especially true of large enterprises that have undergone several organizational changes. Data tends to be scattered across a multitude of systems, and is often housed in “shadow IT” infrastructures, which only exacerbates the problem by making the application of proper security controls nearly impossible.
Technology alone is not the answer. Strong cybersecurity measures, in many ways, have as much to do with process as it does with technology. We often see that organizations have implemented a “patchwork” approach to security architectures by deploying a number of boxes on the network with various threat and alerting functionality. This approach to securing data creates operational complexity, introduces vulnerabilities, and creates additional “alert noise” that security teams must triage to discover events worthy of investigation. It is estimated that enterprises spent over $70 billion on security technology in 2014, and are expected to increase that spend by nearly 10 percent in 2015. Yet, as we have seen in the media, even companies with sophisticated technology deployments have been compromised.
It is only after an organization has undergone a thorough risk assessment can it apply proper security controls to protect its data. The type of security controls, and the amount spent on those controls, should be based on data value, vulnerability, likelihood of breach, and impact of breach. Not only can such an approach improve an organization’s security posture, but it can lower its costs. One study indicated that after having implemented risk management programs, enterprises were able to reduce the cost of meeting regulatory and industry compliance requirements by 70 percent.
Last November, I held a security workshop to discuss a six-step process that I recommend to customers to help identify, value, and protect their data.
There are no silver bullets here, but with the right processes in place many of the data breaches we read about over the past year could have been avoided. As well, there are ways in which network-based security solutions can and should play a role in simplifying security architectures. Learn more about Level 3 Network-based Security Solutions.
Source: http://blog.level3.com/security/securing-every-organizations-most-valuable-asset-data-or-if-you-dont-know-where-your-data-is-cybercriminals-will-find-it-for-you/
Unfortunately, it’s extremely difficult for organizations to assign a value to their intangible information assets, i.e. data. Without having established a value on its data assets, an organization will find it nearly impossible to perform a risk analysis – an essential step in determining the best approach to securing that data. But, data can also represent an organization’s greatest liability. If data is not properly disposed of, the risks to an organization, should there be a breach, can be devastating. In the recent, well-publicized attack on a major corporation, hackers exposed emails that dated back to 2008, according to one report. A risk assessment may have proven that emails dating back that far represented zero asset value, and in fact were a huge liability for the company. We should never assume our data is simply not of interest to cybercriminals and thus has no value. Almost all data is either an asset or a liability.
I have spoken to countless organizations that not only don’t know the value of their data, but are not sure where their data is located. This is especially true of large enterprises that have undergone several organizational changes. Data tends to be scattered across a multitude of systems, and is often housed in “shadow IT” infrastructures, which only exacerbates the problem by making the application of proper security controls nearly impossible.
Technology alone is not the answer. Strong cybersecurity measures, in many ways, have as much to do with process as it does with technology. We often see that organizations have implemented a “patchwork” approach to security architectures by deploying a number of boxes on the network with various threat and alerting functionality. This approach to securing data creates operational complexity, introduces vulnerabilities, and creates additional “alert noise” that security teams must triage to discover events worthy of investigation. It is estimated that enterprises spent over $70 billion on security technology in 2014, and are expected to increase that spend by nearly 10 percent in 2015. Yet, as we have seen in the media, even companies with sophisticated technology deployments have been compromised.
It is only after an organization has undergone a thorough risk assessment can it apply proper security controls to protect its data. The type of security controls, and the amount spent on those controls, should be based on data value, vulnerability, likelihood of breach, and impact of breach. Not only can such an approach improve an organization’s security posture, but it can lower its costs. One study indicated that after having implemented risk management programs, enterprises were able to reduce the cost of meeting regulatory and industry compliance requirements by 70 percent.
Last November, I held a security workshop to discuss a six-step process that I recommend to customers to help identify, value, and protect their data.
There are no silver bullets here, but with the right processes in place many of the data breaches we read about over the past year could have been avoided. As well, there are ways in which network-based security solutions can and should play a role in simplifying security architectures. Learn more about Level 3 Network-based Security Solutions.
Source: http://blog.level3.com/security/securing-every-organizations-most-valuable-asset-data-or-if-you-dont-know-where-your-data-is-cybercriminals-will-find-it-for-you/
No hay comentarios.