Cyber security woes continue to burden the minds of organisations of all sizes. This has been further exemplified by the announcement from C5 Capital to launch the first cyber security-focused venture capital fund in Europe, as concerns about leaks and the security of digital technology grow.
The London-based firm is looking to raise $125 million (£74 million) to invest in security and data companies in Europe, and highlights that the cyber security threat has certainly become a boardroom issue.
Even previously well protected and “secure” industries such as the public sector have realised that they must take extra steps in order to secure their data.
Every CIO knows that if they don’t get security right, customers, employees and the institutions they work with can all suffer directly, and their role can be perceived as ineffective. Data is powering the transformation of businesses today. Data is powering a new wave of businesses.
The broad adoption of cloud and mobile computing, global and outsourced workforces, and the advent of Big Data are challenging Chief Information Security and Risk Officers to locate, track and protect sensitive and company-confidential data while ensuring compliance with data residency and privacy regulations. The common question asked by CEOs and Boards of Directors, ‘How Secure Is Our Data?’, is often difficult, if not impossible, to answer.
Therefore, a new data-centric security paradigm is required so that security teams can define data classification and use policies, including at the data’s source. These policies need to follow the data, independent of how it is proliferated, who requests access, or where it persists, including in the cloud.
Further concerns lie with knowledge in this sector, given the lack of cybersecurity professionals. The demand for trained cybersecurity professionals who work to protect organisations from cybercrime is high in many regions, but the shortage can particularly be seen in government, which does not offer salaries as high as the private sector.
Data masking as a security enabler
Modern data security strategies therefore need to consider two layers: the layer where data is being stored and organised, and the layer where data is being retrieved. Data masking has emerged as a versatile technology for data storage. It is a method of camouflaging data in order to maintain confidentiality of data. The technique is used when the format or type of data needs to remain intact, but the actual data values must be hidden from a user or process.
For example, an organisation that has developed an application to report on its customer data may wish to send the application to a third-party consultant for testing. Wanting to test the application against the actual data set, but not wanting to reveal its customers’ names or addresses, the organisation first masks the data, and then sends the application and the masked data to the tester. With this, sensitive information remains fully within the organisation.
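The scenario above as an added example, not part of the original article and not any vendor's product: names and addresses are masked before the data set goes to the tester, while length, case, digit positions and punctuation stay intact. It uses a simple keyed (HMAC) character substitution rather than a standardised format-preserving encryption scheme; the key, field names and sample records are constructed for illustration.

```python
import hashlib
import hmac
import string

# Constructed key for the example; the real key never leaves the organisation.
MASKING_KEY = b"example-key-kept-inside-the-organisation"

def _keystream(key: bytes, field: str, value: str, n: int) -> bytes:
    """Derive n pseudo-random bytes from the key, the field name and the original value."""
    out, counter = b"", 0
    while len(out) < n:
        msg = f"{field}\x00{value}\x00{counter}".encode()
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:n]

def mask_value(key: bytes, field: str, value: str) -> str:
    """Swap letters for letters and digits for digits; keep case, length and punctuation."""
    masked = []
    for ch, b in zip(value, _keystream(key, field, value, len(value))):
        if ch.isdigit():
            masked.append(string.digits[b % 10])
        elif ch.isalpha():
            alphabet = string.ascii_uppercase if ch.isupper() else string.ascii_lowercase
            masked.append(alphabet[b % 26])
        else:
            masked.append(ch)  # spaces, commas, hyphens: the layout is unchanged
    return "".join(masked)

def mask_records(key, records, sensitive_fields):
    """Return copies of the records with only the sensitive fields masked."""
    return [
        {f: mask_value(key, f, v) if f in sensitive_fields else v for f, v in r.items()}
        for r in records
    ]

# Constructed sample rows standing in for the customer table.
CUSTOMERS = [
    {"id": "1001", "name": "Alice Smith", "address": "12 High Street, Leeds LS1 4AB", "plan": "gold"},
    {"id": "1002", "name": "Bob Jones", "address": "7 Mill Lane, York YO1 9QL", "plan": "basic"},
]

if __name__ == "__main__":
    for row in mask_records(MASKING_KEY, CUSTOMERS, {"name", "address"}):
        print(row)
```

Because the output depends only on the key, the field and the original value, the same customer masks to the same string in every table, so joins in the application under test still work, and without the key the tester cannot recompute the mapping.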
Data masking may be offered as an option with database products, or third-party data-masking products can be purchased separately from vendors. Data masking may also be included as part of a data management service on a software-as-a-service (SaaS) platform.
In spite of the growing threat from targeted attacks and the general best practices, data masking deployment remains sporadic and even non-existent in otherwise highly secure organisations. Why? In the past, data masking techniques like encryption required a lot of processing power, limiting their usage. Additionally, many organisations found data masking tools too expensive for broad application. However, these long-held beliefs are no longer accurate, as faster and cheaper tools have emerged in recent years, making data masking an option for organisations of all sizes.
Why mobile security is so important
New research by Forrester shows that IT decision makers are still behind the curve and believe that the desktop PC is more secure than the mobile device for work purposes, when in fact the opposite is true. Much has been discussed about the declining PC market and this has highlighted that mobile security needs to be a serious consideration.
Mobile devices replace the laptop in many cases, and they are being used as transaction processing devices, for example at the point of sale. For all of these reasons, having a strategy for protecting mobile devices or the applications that run on those devices and related sensitive information is critical in minimising the impact of a potential wider breach.
Here, two predominant areas have advanced over the last ten years. First, ‘Mobile Device Management’ solutions provide the ability to delete content on a mobile device based on certain events, such as a lost or stolen device or a device being tracked into a location where certain information is not allowed. An example of this is a retailer who gives its employees iPads to process transactions. If the iPad is taken from the store’s premises, the device, including all data, is automatically wiped, making it useless.
Another market that has expanded is data encryption and tokenisation. If certain data fields, such as credit card information, are stored from a mobile device, that data can be encrypted or tokenised on the device to minimise the scope of a PCI audit as well as preventing a breach. Also, Virtual Private Network technologies that apply secure tunnel connections behind corporate firewalls have now been adapted to mobile devices.
Given the increased computing capability of mobile devices, this does not impact performance too much. Plus, apps run reasonably well when using a VPN connection due to the high network bandwidth now available via cellular technology.
Threats on the horizon
Today, the biggest hazard an organisation faces is the lack of knowledgeable skillsets in mobile security and potential threats. Data security expertise has been one of those skillsets considered in serious shortage for some time now. Given the rapid change of the mobile device landscape, as soon as you invest in training your team on the latest threats, new technologies emerge that require more catch-up training.
Also, given that consumers and the next generation of the entitled workforce expect to be able to conduct business from their mobile devices, the pace of application development and rollout will accelerate faster than the security team can keep up.
It is imperative for vendors to work together to jointly create an optimum process to combat cybersecurity threats. Data integration products do not make security products redundant, but they can make them more effective by pointing them at the highest-risk data that needs to be protected.
Data integration complements rather than competes with security technologies, and it is designed to help organisations narrow down where sensitive data resides, physically and logically. Only then can they prioritise which stores need to be better secured, and with which types of security technologies.
So it is high time for all businesses to implement an adequate and efficient data security strategy. For this, the starting point should always be: what data do I store, where do I store that data and who has access to it? Once a clear picture emerges of what happens to data, where, when and by whom, its storage and retrieval can be made more secure.
Data is increasingly perceived as a currency, and it should therefore be treated as such: by putting it in a safe place and making sure any exchange is authorised.
Julie Lockner is VP of ILM Product Marketing at Informatica