Achieving Enterprise Security and Compliance with a Data-Centric Approach


Introduction

A lot has been written about Enterprise Security over the years and there has been a marked shift away from perimeter protection and siloed enterprise applications and data security towards a more integrated data-centric security approach.

This paradigm shift applies to all technology platforms across the enterprise including the HPE NonStop. While the HPE NonStop platform doesn’t appear to be targeted by hackers much, a good and solid data protection policy applies, nonetheless.

This article looks at the latest trends in Enterprise Security as highlighted at the InfoSec event in London in June 2023, the importance and benefits of data-centric security, the relevance of the new PCI DSS 4.0 standard, and the true business value beyond data protection.

Enterprise Data Protection – the latest trends

There’s no better way to understand the biggest threats to enterprise cybersecurity than spending a few days at Infosecurity Europe. The region’s largest cybersecurity conference and trade show, held each June in London, invites CISOs and industry luminaries from across the globe to share their insights. Worryingly, the consensus at this year’s event was that the bad guys are pulling ahead, while network defenders struggle to manage an ever-expanding attack surface. The big picture is this: enterprise data has never been more exposed to external attacks. It should provide yet another reason to double down on data-centric security as a core priority.

But organizations don’t have to be caught in this “cyber storm” if they put more of their effort into protecting what matters most: their data.

The latest trends from Infosecurity Europe

This year’s keynotes provided a fascinating insight into the threat landscape. Among the key trends discussed and debated at the show were:

Cybercrime is undergoing a renaissance: Noted security researcher Keren Elazari urged security teams to take a leaf out of the hackers’ book, as cyber-criminals continue to innovate at speed. She cited ransomware-as-a-service (RaaS) and highly automated campaigns that deliver phishing, credential stuffing and scanning/exploitation capabilities as helping to give malicious actors the upper hand. It’s only a matter of time before they also adopt AI technologies like ChatGPT to generate malicious code with little effort, she warned.

Training is key to overcoming the insider threat: Experts argued that managing human-shaped risk is essential to driving successful digital transformation. Gemserv head of data privacy, Camilla Winlo, pointed out that many organizations still don’t provide enough hands-on training for end users, which can expose them to cyber risk if they make mistakes like spilling credentials, or deliberately finding insecure workarounds. Organizations should “remember the people” by including them in the design of products at the outset, experts said. This will help to reduce cyber-related risk and training costs.

Workers are too susceptible to phishing: A third of employees in the UK and Ireland click on suspicious links or engage in fraudulent actions, according to new research released at the show. As above, it highlights the risks associated with staff members if not properly trained. With credentials stolen from employees, threat actors can easily bypass perimeter defences to traverse networks and reach sensitive corporate data.

Verizon’s latest Data Breach Investigations Report (DBIR) has a similar message. It found the “human element” was present in three-quarters (74%) of breaches over the past year, due to the use of stolen credentials, social engineering tactics and other factors.

Asset visibility gaps can give hackers the upper hand: Another piece of new research announced this week found that a lack of IT insight into IoT devices could provide attackers with a useful way to enter corporate networks. A third of UK NHS Trusts admitted to having no method of tracking IoT devices and 10% said they use manual processes or spreadsheets to do so. Some 15% said they don’t track connected medical devices (IoMT) at all.

Separately at the show, Forrester revealed that the share of organizations experiencing attackers “trying to leverage IoT devices to get into the business” increased from 41% to 54% during Q1 2023.

APIs are expanding the attack surface: Finally, there was a note of caution about API security. Misconfiguration and gaps in protection are leaving many APIs wide open, providing a readymade pathway into enterprise data, warned one CEO at the show. As digital transformation projects continue to drive the creation and use of APIs, more attention will need to be focused on securing them and the data behind them.

Why data-centric security?

All of this can make it seem as if network defenders have already lost the battle against rampant cybercrime. However, the ongoing struggle against cyber adversaries doesn’t need to be this one-sided. There’s plenty organizations can do to enhance their resilience to cyber risk. It starts with improving security awareness training and following other best-practice cyber hygiene steps like multi-factor authentication and network monitoring. But a priority should be data-centric security.

In practice, this means finding and classifying data wherever it resides in the enterprise, including in cloud stores, and applying strong protection to it—such as tokenization. This must be a continuous process that applies to data throughout its lifecycle. By protecting data in this way, organizations have a robust bulwark against cyber risk, even if threat actors manage to bypass other defences.

Finding and Protecting Cardholder Information: Why Data Discovery and Classification Matter in PCI 4.0

Terms and themes like “data privacy”, “data protection”, “regulation”, and “compliance” are well known amongst organizations operating in complex digital environments and have become a focal point for large enterprises operating with sensitive data. Alignment with regulatory mandates seems simple in theory. However, organizational stakeholders know all too well the challenges that arise with compliance and the impacts they have on business continuity and operations.

More often than not, financial services organizations are very familiar with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS outlines and enforces measures for managing, possessing, or analyzing the payment and personal data of cardholders. The regulation has gone through several iterations over the years, with the original version establishing a consistent framework for the security of payment card data and subsequent versions addressing the growth of security threats relative to the evolution of enterprise-level technology solutions.

PCI DSS 4.0

PCI DSS v4.0 will partially go into effect in March 2024 and fully in March 2025, presenting complex challenges. The updated standard sets out new and revised requirements that organizations will have to address: scope measurement, regular reporting, classification of data by risk, inventories of systems and applications, encryption requirements with quantum-resistant algorithms, stronger password requirements, and more. Compliance with PCI DSS is no small feat: coordinating numerous individuals, teams, and departments with different operations, strategies, and goals is a massive obstacle. Organizations and enterprises will have to task privacy, security, IT, operations, and business teams more than ever to achieve compliance with PCI DSS v4.0, which will be a determining factor for future success.

Problem solved

At this point, you may be asking yourself questions like “How do I mitigate noncompliance?” or “Where do I even begin the journey to PCI compliance?”. These questions are rational and fortunately, there is good news.

Let’s start with an example; imagine you enter a maze. Yes, it is possible to reach the end after trial and error. However, what if you had a map? What if that map outlined dead-ends, hazards, and optimal routes that would have saved you time and resources while increasing the efficiency and effectiveness of your efforts?

comforte’s Data Discovery and Classification serves as that map and helps organizations achieve PCI compliance, not just once but continuously. The solution autonomously locates each sensitive piece of cardholder information (PANs, credit card numbers, social security numbers, etc.), which removes the risk of human error and of searching only known data repositories. With technology that performs with unmatched accuracy and identifies new sensitive data elements as they enter a network, users can obtain a living blueprint of their entire ecosystem relative to sensitive cardholder data. As a result, organizations and enterprises gain a comprehensive understanding of the full data lifecycle with accurate measurement of sensitivity levels. Without a high-performing discovery and classification solution, it’s immensely difficult to prioritize and apply protection strategies, and financial services companies are more likely to face noncompliance blowbacks.
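The two steps the article describes, finding and classifying sensitive data wherever it sits and then protecting it with tokenization so it stays usable, can be shown end to end in a few dozen lines. The following Python is an added illustration written for this page; it is not comforte’s code and does not reflect how the product described here works. The sample records, the PAN and SSN patterns, and the in-memory `TokenVault` are all constructed for the example (the card numbers are the public Visa and Mastercard test PANs, and the 13-digit invoice reference is a deliberate look-alike that fails the Luhn check).

```python
import re
import secrets
from dataclasses import dataclass
from typing import List

# Constructed sample records, not real cardholder data. The card numbers are
# the public test PANs, which pass Luhn; the 13-digit invoice reference is a
# deliberate false positive that does not.
SAMPLE_RECORDS = [
    "order=1001 card=4111 1111 1111 1111 ssn=123-45-6789",
    "order=1002 card=5500-0000-0000-0004 note=repeat customer",
    "order=1003 ref=1234567890123 (invoice id, not a card)",
    "order=1004 card=4111111111111111 note=same customer as 1001",
]

# 13-19 digits, each optionally followed by a single space or dash separator.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: rejects digit runs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    record: int   # index of the scanned record
    kind: str     # "pan", "pan_candidate_luhn_fail" or "ssn"
    value: str    # matched text exactly as it appears in the record


def discover(records) -> List[Finding]:
    """Discovery and classification pass over every record, not only known fields."""
    findings = []
    for idx, rec in enumerate(records):
        for m in PAN_RE.finditer(rec):
            digits = re.sub(r"[ -]", "", m.group())
            kind = "pan" if luhn_valid(digits) else "pan_candidate_luhn_fail"
            findings.append(Finding(idx, kind, m.group()))
        for m in SSN_RE.finditer(rec):
            findings.append(Finding(idx, "ssn", m.group()))
    return findings


class TokenVault:
    """Hypothetical vault-based tokenizer (constructed for this example).

    A token keeps the PAN's length and last four digits so downstream systems
    and analytics keep working, while the leading digits are random and carry
    no cardholder data. The same PAN always maps to the same token, so joins
    and counts on tokenized data still line up. Only the vault can reverse it.
    """

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            head = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = head + pan[-4:]
            # never hand out a token equal to the PAN or to an existing token
            if token != pan and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]


def protect(records, vault: TokenVault):
    """Replace each Luhn-valid PAN with its token; leave everything else untouched."""
    protected = list(records)
    for f in discover(records):
        if f.kind != "pan":
            continue
        pan = re.sub(r"[ -]", "", f.value)
        protected[f.record] = protected[f.record].replace(f.value, vault.tokenize(pan))
    return protected


if __name__ == "__main__":
    for finding in discover(SAMPLE_RECORDS):
        print(finding)
    vault = TokenVault()
    for line in protect(SAMPLE_RECORDS, vault):
        print(line)
```

Running it classifies five findings (three valid PANs, one Luhn failure, one SSN) and rewrites only the three PANs; orders 1001 and 1004 receive the same token, which is what lets a fraud or marketing analyst still count repeat customers without ever seeing a card number. The SSN is classified but left in place here, which is exactly the kind of gap a discovery inventory is meant to surface for the protection policy.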

Time is of the essence

With less than 2 years until PCI DSS v4.0 is in full effect, organizations must act now. Fortunately, comforte’s Data Discovery and Classification offers a range of integration options resulting in quick deployments and fast time-to-market. Organizations that implement solutions that are complex, hard to integrate, and resource-intensive could face noncompliance penalties, which isn’t something to disregard, as numerous examples have been seen in recent years.

Many of us remember the Equifax data breach in 2017 which resulted in more than $400m in damages for noncompliance penalties. Even more so, organizations can still be compliant and face risks. In 2018, British Airways was PCI compliant, but hackers still successfully attacked their network and nearly 400,000 individuals had their data compromised. The airline was originally forced to pay nearly £183m but was able to later lower that amount. Current PCI compliance violations can range anywhere from $5k to $100k monthly depending on the quantity, severity, and amount of time that has passed since the incident occurred. 

Many organizations act too late over various fears and uncertainties. Fortunately, they don’t have to. comforte’s Data Discovery and Classification provides the path to compliance. 

Beyond Compliance: The True Business Value of Data Protection

At times of economic uncertainty, there’s a tendency for boards to hunker down and maintain business as usual. But the leaders of their respective industries often see it differently: as a period of opportunity. These organizations are also more likely to view data protection as a growth driver than something to maintain the status quo.

If organizations want to optimize their use of data protection technology, it must be seen as more than something to keep them compliant and resilient to cyber risk. It should be embraced as a genuine tool for growth and achievement.

A hierarchy of intent

Gartner’s hierarchy of intent model is a useful way to frame this discussion. At the bottom of the pyramid are those externally driven factors which amount to avoidance of risk. Arguably businesses with a low level of maturity when it comes to data protection are more likely to focus here. They want to make sure they’re not breaking any rules (compliance), and they want to avoid risk and damage (security). Data protection can, of course, help to deliver both.

But that’s only part of the value it can provide. For more digitally mature organizations, the focus becomes less on “how can we avoid risk” and more on “how can we make a difference.” This is about using data protection to support internally driven values and even ethics. When viewed proactively like this, it becomes a more dynamic driver of success.

From avoidance to achievement

Of course, there’s nothing wrong with using data protection to mitigate risk. Data is the lifeblood of any modern business but is created in such quantities that it can be difficult to keep track of. This, plus an expansive corporate attack surface created by major digital investments over recent years, puts data at a heightened risk of theft and extortion. Last year was a near record for publicly recorded data breaches in the US.

In this context, effective data protection is a must-have for any board to mitigate the risk of serious breaches and adhere to rigorous global compliance requirements. Fail to do so, and the organization could be exposed to:

  • Major compliance fines
  • Operational outages
  • Lost productivity
  • Breach fallout costs (e.g., legal, notification, forensics, and investigation)
  • Reputational damage

However, avoidance of compliance and breach risk should be table stakes for boardrooms today. To truly differentiate, they should be leveraging data protection to achieve greater things, like enhancing customer trust and loyalty. In a world where loyalty is hard won but easily lost, this is no mean feat. A third (32%) of customers say they’d leave a brand they love after just one bad experience.

Another way companies are using data protection in a more mature way is to support analytics. Increasingly, AI-powered data analytics is the key to competitive differentiation, providing organizations with the critical insight they need to make better business decisions. It could be a retailer using customer data to improve targeted advertising and marketing efforts. Or a bank using AI to pick out signs of fraud that human eyes might miss – automatically and continuously. None of these efforts would be possible if the data itself isn’t protected in a way that still supports utility.

How can you get there?

The bottom line is that data protection has obvious value to businesses. But it can do more than reassure security and compliance officers that risk is being correctly managed.

This is where comforte can help. Our Data Security Platform provides continuous discovery and classification of data across the enterprise, even in often opaque cloud environments. And it offers a range of protection technologies, including tokenization, which means data can still be used by analytics and other teams without compromising on security.


Author

  • Thomas Gloerfeld

    Thomas Gloerfeld is Director of Partner Development & Marketing NonStop Solutions at comforte and has been associated with the NonStop community for 25 years. Before joining comforte, he held various management positions at ACI Worldwide in Germany and the UK. In his role at comforte he closely monitors topics such as data security, risk and compliance.
