
Why Small Data Breaches Are a Big Threat to Cybersecurity

By Asaf Kochan

Over the last year, a series of high-profile cyber attacks caught the attention of media, national governments, and the broader public. Spectacular data breaches like those that affected Colonial Pipeline, JBS, and SolarWinds can have dramatic consequences for the victims, ranging from ransomware payments to significant reputational damage. As a result, it’s no surprise that many organizations design their security protocols to try to prevent “the big one” – the massive attacks that will fundamentally change the way their business operates. These companies take a large-scale approach to cybersecurity, trying to safeguard every single detail of the business without considering which assets are important and which assets aren’t.

An effective data security regime prevents and mitigates the most likely attack vectors and outcomes, and for the vast majority of corporations, the odds of a devastating, multi-million-dollar attack are minimal. A smaller breach, on the other hand, is almost guaranteed to take place. For every attack we hear about in the media, there are many more that never come to light. No company is eager to admit it was breached, even though small-scale breaches will affect every organization regardless of the strength of its security posture.

Unavoidable Data Breaches

Attacks or breaches are always possible because of minor human error, requiring a shift in mindset from prevention to mitigation. The fundamental requirement for mitigating data breaches is a proactive, realistic approach. Prepositioning for an attack minimizes the risks of a large, headline-grabbing breach, but it also ensures that the business can continue operating with minimal interruptions while the breach is being resolved.

To limit the damage of minor data breaches, organizations must gain a clear understanding of where their assets are. In this context, there is a clear difference between assets and infrastructure: While many organizations will focus on technicalities like networks and endpoints, the truly valuable assets are the types of sensitive data whose loss would cause the organization to suffer from a business perspective. From customer credentials to special intellectual property, losing control of these assets can lead directly to serious reputational or financial damage.

Protection Through Planning

Today’s organizations seek to protect the entirety of their organization without understanding exactly which assets need to be protected. Even worse, this problem is exacerbated by outdated technology. Most of the cybersecurity establishment was built before the cloud era, when data was held in a physical warehouse with hardware and a key. In our new architectures, companies now store vast amounts of data off-premises and move information to various destinations both within and outside the organization. While businesses may enjoy the velocity and elasticity of the cloud, the tradeoff comes in the form of increased risk for sensitive data assets.

Solving this challenge requires a three-step approach. Since cloud architectures didn’t account for storing and protecting valuable data, organizations must now take the time to catalog and map all data assets that are housed in the cloud. If the organization understands where the data resides, it can then go through the process of separating data that has business value from data that has no true value to the business. Finally, the valuable data must then be classified according to its business risk – how much of an impact would there be if the data was lost or stolen?

Once an organization grasps these three layers of data management, it becomes much easier to limit the impact of a small data breach. Bad actors look for areas with little to no security because they can extract valuable assets without getting caught. Cataloging the location of sensitive data is the first step towards putting up new defenses, which in turn dramatically reduce the likelihood of an attack. 

When an organization is breached, it can be difficult to tell at first whether the attack will be a minor incursion or a major event. Companies must take a proactive, uncompromising approach to security and assume that any small breach could turn into “the big one.” Through vigilance and careful planning, companies can protect their most important assets and eliminate the potential damage of a small-scale data breach.
