“Data is the new oil”. Many of us have heard this phrase time and time again – but like any good saying, it has stood the test of time – it’s an apt comparison to make. Just like oil, data on its own isn’t particularly valuable, but if harnessed, it can become extremely powerful, says Chris Harris, CTO for Europe, Middle East and Africa at Thales.
In today’s information age, forward-thinking organizations use data to innovate; something we have seen in every single sector and industry. It can help businesses revolutionize the way they work, deliver new products and services, increase efficiency and provide a more personalized service to customers. At the same time, cybercriminals and bad actors also know that data is the lifeblood of any business and as such has become a commodity ripe for exploitation – with business and consumer data at risk. It seems hardly a month goes by without news of another high-profile data breach hitting the headlines. These breaches carry consequences for the consumers whose personal data and identity have been put at risk, and for the businesses that are essentially the custodians of that data.
The call for mandatory data control
As discussed, data breaches are unfortunately commonplace – bad actors are increasingly finding new ways to steal data – and although organizations can take action, we will still see these breaches happen. But what do consumers think should happen to these organizations next? We recently undertook a global survey of more than 21,000 consumers to gauge attitudes towards trust when it comes to their data. Interestingly, more than half (54 percent) believe that organizations that have suffered a data breach should be forced to implement mandatory data protection controls such as encryption and two-factor authentication.
Some 54% say organizations should be legally required to put these measures in place before offering compensation to victims (53%), hiring more specialists to make sure it doesn’t happen again (46%), finding and returning victims’ data (43%), or having to pay a large fine (31%).
How to inspire confidence
According to the findings, social media companies (18 percent), government (14 percent) and media and entertainment organizations (12 percent) are the sectors that appear to have the lowest levels of consumer confidence when it comes to protecting personal data. Perhaps unsurprisingly, consumers are becoming increasingly security conscious and are making their product and service choices on that basis. A quarter do not want to use services that are not encrypted, while one in five have stopped using a company that has suffered a data breach.
Getting the basics right
Networks are constantly being probed and scanned by threat actors, so organizations must find a way to securely store and move the vast amounts of data that are generated every day, all without compromising the user experience.
Encryption is the starting point here. By implementing encryption, organizations can protect all structured and unstructured data that resides in their on-premises, virtual, public cloud and hybrid environments. To fully protect against insider threats and malicious attacks, they must implement encryption for both data at rest and data in motion. The latter measure is especially important because data-in-flight encryption helps protect an organization’s data, video, voice, and metadata from eavesdropping, surveillance, and other interception attempts.
Once encryption is in place, organizations must consider key management. If a bad actor gains control of an organization’s cryptographic keys, they can abuse them to decrypt the organization’s data, create fraudulent identities, and generate malicious certificates. Key management control gives organizations a means by which they can securely manage, store, and use their cryptographic keys.
Let’s not forget identity and access management (IAM). In recent years, new work trends accelerated by the pandemic have dissolved traditional boundaries – a company no longer exists within the confines of an office and has expanded to include remote employees, partners and customers. In response to these developments, organizations must implement controls that limit the work-related resources that employees have access to based on their job duties. These controls should include the use of multi-factor authentication (MFA) to protect user accounts even if threat actors succeed in compromising their credentials.
These measures should be incorporated into any organization’s data protection strategy and constantly reviewed and updated to align with the ever-changing threat landscape. The customers have had their say; they recognize the importance of their data and will stop using services that do not implement these measures. Building in tighter encryption, authentication, and data security measures is one way that organizations can begin to deal with extremely low levels of trust, and it’s time for organizations to take this seriously.