According to a recent report by the Commonwealth Scientific and Industrial Research Organisation (CSIRO), Australian businesses, government agencies and citizens will see a tsunami of cyber threats in the coming years because of the simple fact that more and more of daily life will take place online.
Indeed, if we learned anything from last year it is that we have a growing data security crisis. The year 2013 showed us that our data and information are more apt to be stolen by cyber criminals and hackers than ever before. In fact, last year was a banner year for data theft. Four of the top 10 data breaches of all time occurred in 2013. In all, according to SafeNet's Breach Level Index that tracks data breaches, nearly 600 million data records were lost or stolen last year globally, including more than 42 million in Australia alone.
Each week, it is hard not to read the news and see a story about a major security breach where customer data was either accessed or stolen. Companies that we all know, use and trust with our personal and financial information have been affected, from major retailers and social media companies to financial institutions. The troubling trend is not necessarily the number of incidents but the scale of the data breaches. It’s likely only to get worse.
Why is this happening? Of course hackers and organised crime are getting more aggressive and sophisticated in the attacks. But that’s the easy answer. The reality we are not willing to face is that conventional data security and breach prevention measures are not working very well any more. Even more worrisome is that there are several technology trends that have the potential to expose data to greater risk of theft if companies do not adopt a new data security mindset soon.
Our world is quickly becoming an Internet of Things where every person, place, thing and organisation is connected to each other through the Internet. The proliferation of the cloud, mobile devices, e-commerce, and social media means that we are creating, accessing and storing data and conducting transactions in more places than ever before. We simply have more to manage and more places of exposure.
In today’s economy, trust in data should mean everything. Already in the first three months of this year, more than 200 million data records have been stolen or lost. Can you imagine a scenario in which 200 million people were made ill by a fast food restaurant’s hamburgers, or if a toy manufacturer’s products injured 200 million children within 90 days? Those types of numbers would be met with consumer outrage due to a shattering of the basic bonds of trust between companies and their customers. However, when it comes to data breaches, there has been a defining down of trust where consumers today simply assume data breaches are inevitable.
As data breaches become increasingly severe and consumers become more educated on what is (and isn’t) being done to protect their data, the 'breaches are inevitable' mindset will change. And with it, the corporate mindset on security will change. For decades, the prevailing wisdom about cyber security has been that a perimeter 'wall' should be built around the corporate network to keep intruders out. However, as the current breach epidemic shows, this approach has not stopped today’s sophisticated cyber criminals.
Trust is at issue here. Here are four security mindsets that security operations professionals can seize upon to help restore customer trust in corporate data security:
- Out with the old, in with the new: Today’s security strategies are dominated by a singular focus on breach prevention that includes firewalls, antivirus, content filtering, threat detection and monitoring. But, if history has taught us anything, it is that walls are eventually breached and made obsolete. Think the Maginot Line. You get the picture. The reality is that breaches will continue to occur.
Companies should assume that threat detection and prevention tools can only go so far, and should be used as part of a broader, layered security approach. The next and last layers of defence need to be around the data itself by surrounding it with end-to-end encryption and the authentication and access controls that provide the additional measures necessary to protect both corporate and customer information.
- Protect customer data as if it were your own: If you want to help your company or organisation earn and retain customer trust, you have to view the protection of sensitive customer data not as a compliance mandate, but as a responsibility essential to your company’s success. Meeting the minimum legal requirements is no longer enough. If a breach hits, and you have encrypted financial data, but not the 10 million records containing customer names, addresses and social security numbers, you’ve broken the bond of customer trust in your brand. Being a better steward of customer data is not just good PR, it is good business sense, too.
- Transparency is the road to trust: Put security front and centre and tell customers about the security measures your company has put in place to protect their data. With the recent dust-up about surveillance, the largest online companies are now much more open about what they are doing to protect customer data. If you are doing something better than the rest of the industry, like encrypting data end-to-end, then you might be seen as a trusted innovator. Transparency is the road to trust.
- Security is a two-way street: Just as you tell customers what you are doing to protect them, tell them what they need to do in order to protect themselves. If a customer experiences identity theft or a data breach while doing business with your company, your brand suffers. A better educated consumer is a safer consumer of your services.
As companies collect more data and customer interactions become more diverse – through mobile, online, email and device-to-device communications – more data about what we do, who we are and what we like is being stored online. At that point, our entire identity as individuals is entrusted to the companies who gather this information.
Perhaps consumers today are not concerned about having their credit card numbers stolen, because there are built-in protections for them. However, if their location information is being co-opted so thieves can rob their houses, the calculus changes. The traditional data security mindset does not work anymore, and if companies don’t wake up to this new reality soon, and decide to change their approach in the best interest of their businesses, the consumer revolt will come and it won’t be pretty.
Dave Hansen is president and CEO at SafeNet and is a frequent speaker at leading security and technology conferences and CIO forums around the world.