Pop quiz: how many data records are lost or stolen on an average day? 1 million? 3 million? 6 million?
If you answered 6 million, you’re correct, according to the Breach Level Index. According to the Index, 14.7 billion records have been lost or stolen since 2013, or more than 2.2 billion per year.
When a data breach happens, people often think of the security risks first. And yet, it is the business risks that are truly worrisome. For example, stolen credit card numbers can result in monetary penalties, loss of market share, criminal charges, civil lawsuits, damage to company reputation, or all of the above.
In a bottom-line driven world, organizations should evaluate their security investments based on their ability to lower risk, especially business risk. That’s because your business has, or is likely in the process of, evolving into a digital business. And that means your main financial opportunities, as well as your risks and liabilities, rely on your business’s data.
Problematic Focus on Perimeters
Tall walls and stout gates make a strong castle. However, the virtual equivalent — perimeter and edge-based security — does NOT prevent data breaches.
Polymorphic malware makes detection difficult, while file-less attacks can also sidestep traditional defenses. Meanwhile, the proliferation of security tools means the average business gets alerted for thousands of events per day, creating alert fatigue inside many security teams. Moreover, a focus on perimeters means that security teams may ignore insider threats — both malicious employees or ones whose accounts have been compromised (see more below). As a result, bad actors will continue to find their way into your network and sniff out your crown jewels — your data.
Lockdown security also fails to empower a digital workforce to better serve customers while protecting data. Take the popularity of mobile work and BYOD. Protecting just company-owned tablets and smartphones and locking down devices connecting to the network has become obsolete. The reality is that your organization’s sensitive data is scattered across many devices, apps and locations (such as partners and customers), and that needs to be protected today.
Challenges with Role-Based Security
Identity Access Management (IAM) systems would seem to fill in the gaps left by edge-based security. However, IAM systems and other role-based security are not designed to detect breaches, but merely to make decisions on whether to enable access to a given asset, and to determine what level of access is appropriate. That makes IAM systems blind to insider threats — so blind, as my colleague Terry Ray points out, that nearly half of security professionals think they could execute a successful insider attack on their own organization.
Also, relying on privileged credential vaults creates its own potential vulnerability. Many Privileged Access Management (PAM) systems rely on a password vault; if breached, attackers have the keys to your castle. And few PAMs can detect breaches, at least out of the box.
How Modern Database Security can Help
If data is king, it only makes sense enterprises rethink their data security strategy. Here’s a few suggestions:
- Use machine learning and security analytics to uncover suspicious data access activity and pinpoint true risk to your data without alert fatigue;
- Continuously monitor how users and applications, including privileged accounts, interact with your data. That way, you know who’s accessing what data, and how that data is being used. Analytics can pick up on changes to user’s behavior and identify compromised accounts or insider threats.
- Real-time alerts if security policies are violated
- Contain potential data breaches by blocking or quarantining suspicious user access once identified
- Identify sensitive data in your hybrid environment, both cloud and on-premises
Quantifying Data Breach Risk
Imagine a financial services company that is concerned about its applications being compromised, leading to the exposure of 100 million customer records. If a breach happens, all of those customers must be notified. Sending a letter to everyone would cost roughly $1 per individual, minimum. Not to mention the additional fines, lawsuits, loss of clients, damage to reputation, and more.
If that same company set a policy limiting a single query to pull a maximum of 10,000 customer records at a time, that would greatly limit the immediate damage of any breach. That’s something only a data security solution can enable. Which is why data security is much more effective at risk mitigation.
To learn more about why data security is a must and how it complements other security technologies such as Data Loss Prevention (DLP), encryption, and User Entity Behavior Analytics (UEBA), check out this webinar Risk Buydown: Why Data Security is a Must and see what Ovum senior analyst Rik Turner has to share.