
Did I Say Security Is A Critical Data Governance Domain?

By Ian Rowlands

I’ve been arguing for some time (I know there are others with more clout than me saying the same thing!) that Data Security is a critical Data Governance issue. Recent reporting by the Identity Theft Resource Center[1] adds weight to the argument.

ITRC statistics suggest that 2015 saw just two fewer data breaches than 2014’s record high. It seems likely to me that there were many more breaches than their selective criteria captured. Nevertheless, the statistics are depressingly impressive. By their reckoning, 781 breaches impacted more than 169 million data records. 35% of the breaches were healthcare related, accounting for 67% of the impacted records. Digging into their data shows that there were many breaches for which the number of impacted records was unknown. It’s highly likely that if you’re reading this, a breach has exposed your data!

I don’t see anything that’s going to stop the flood of attacks on data privacy. I’m convinced that the balance of intellectual power between the attacker and the attacked isn’t going to shift in favor of the attacked any time soon. In the credit card industry alone, industry watcher The Nilson Report[2] predicts that the cost of fraud will rise from $16.31b in 2014 to $35.54b in 2020. The Data Theft industry is only going to become more profitable, and data under attack will be the new normal.

If data under attack is the new normal, what does that mean for data governance? Data has to be cataloged, classified and appropriately defended.

It may be that the most threatening data you have is the data you don’t know you’ve got. Or, more accurately, the copies you don’t know you’ve got. I’m going to assume you know your data. The risk is that copies get created – for good business reasons – that escape your secured environment. Continuous discovery of data assets is a vital protection. You can’t afford gaps in coverage. The principle is critical and is identified as such in the ISO/IEC 27002 Standard Code of Practice for information security controls.

Data protection is like any other type of protection. The more you have, the more it costs. The better protection you want, the more you are likely to spend on hardware, software, and expertise. That makes it essential to apply levels of protection appropriate to the cost of exposure of any given data asset. You should reserve the most expensive protection for the assets whose theft would cost the most. The implication is that recording the security classification of data has to be a routine “good housekeeping” practice. The Code of Practice calls out this one too, along with the requirement to establish ownership. That requirement, to me, implies that Data Security MUST be a Data Governance domain.

Finally, of course, comes active defense. Appropriate protection spans the data lifecycle from acquisition to disposal. Organization, hardware, software, location and environment … every item needs to be considered and cataloged.

Data under attack is the new normal. Data security as a Data Governance domain is the strategic response.

[1] See http://www.idtheftcenter.org/

[2] See http://www.nilsonreport.com/index.php
