Today every company is a data company. Every business, no matter what sector it claims to be in, is producing extraordinary amounts of data which is growing in size every day. We are all operating in the information age and data has become the most valuable commodity a business owns. There's so much value locked away in it.
With massive increases in data comes risk too. And when nowadays there’s no longer a perimeter to protect, maintaining a strong security posture is challenging.
The problem most organisations have is getting visibility of their data at scale, right across the organisation. The sheer volume and complexity of data is a huge challenge. It’s easy enough to find the data held in one data store, particularly when it’s structured. Most storage comes with rudimentary data discovery. But it’s perceived as impossible to get visibility of structured and unstructured data across multiple data stores for the purpose of securing it.
The reality is that the management of data is a concern for data security and governance professionals. With remote working becoming the norm since Covid-19, getting visibility of devices, users and who owns them is almost impossible. Which means nowadays, a lot of the burden of information security policy, privacy and protection relates to securing the data that’s held by the organisation, so getting to grips with it is crucial.
We were recently joined by data security and governance specialists, from leading UK companies in a roundtable discussion to identify their challenges. They said that insider threats and the need to lock down data at source was one of their major priorities. To read the report written after the event, click here.
“When I’m working on stuff, I ask where’s the trust in the employee? Where do you draw the line saying, ‘I trust you as the employee’, because you have to?” European Data Privacy Officer for a bank specialising in wholesale assets
“When I’m working on stuff, I ask where’s the trust in the employee? Where do you draw the line saying, ‘I trust you as the employee’, because you have to?”
European Data Privacy Officer for a bank specialising in wholesale assets
All it takes is one mistake. Sensitive customer data saved in a spreadsheet on a local drive. A written down password. A file wrongly shared...
The average size of a data breach increased 1.8% to more than 24,000 records compared to the previous year. Source: The Ponemon Institute
The average size of a data breach increased 1.8% to more than 24,000 records compared to the previous year.
Source: The Ponemon Institute
Information security policy and data security as a whole, remains a top business priority for good reason, because a single small mistake can lead to lasting reputational damage that’s costly to repair.
In the ideal world organisations would be able to protect themselves against a breach happening at all. But everyone knows that there’s data lying unprotected all over any business leaving it exposed and vulnerable.
Therefore, for organisations to ensure that their data is adequately protected, they need to know what data they’ve got, at scale, right across their estate including structured and unstructured information.
Once the data is discovered, organisations can lay the foundations for comprehensive data security. So in an age where securing the perimeter becomes redundant, where should the security focus be?
The biggest threat to data is your people. 66% of cyber breaches are caused or enabled by employee negligence or malfeasance. World Economic Forum
World Economic Forum
In simply performing their jobs, employees can become the ‘unintentional internal terrorist’ because they negligently keep and store high-risk information, and leave it unprotected in the wrong place.
More common is employees sending sensitive data outside the business by accident, in the process of trying to get their jobs done, causing an information security breach. However, businesses cannot expect their employees to understand data management or how to protect data in huge detail, especially when nearly everyone is working from home. A basic understanding of data protection: yes. But expecting people to adhere to the highest standards and intensive detail around data governance is unrealistic.
There is a balancing act to be undertaken to weigh the merits of robust data protection against productivity. The internal environment needs to be opened up so people can work effectively and efficiently whilst at the same time protecting data.
Not all data is stored in locked down databases. Yes, there will be a number of CRM and storage systems in place for sales, finance and HR that keep everything ordered and structured - some on- premise, others in the cloud.
Every CISO knows that it’s not a case of ‘if’ there’s a breach, but ‘when’ hackers try to break into the data estate from the outside.
Threat actors have something that none of us do: time. The average dwell time of a hacker who gains access to a network is 10 weeks. Generally once on the inside, they can move around with relative ease. They observe behaviour and activity before they grab the goods.
A large organisation can have literally thousands of systems and storage facilities. And keeping on top of them all is a huge challenge. Over time they can be forgotten. Unless they are known about and constantly secured, they are vulnerable to hackers determined to get inside and who are prepared to exploit the tiniest vulnerability to do so.
The risk is that forgotten systems may contain valuable or sensitive data that nobody is aware of and which represents a risk.
It’s a fine balancing act. On one side, organisations must lock the business down to secure the data and protect it from harm. But on the other side, they need to open up the business to provide greater access to the information people need to do their jobs.
The answer lies in the data.
The fact is, no business can protect itself from an insider or external data breach until they get a handle on all of their data – both structured and unstructured. The first step has to be to discover what’s there, where it’s stored and whether there’s sensitive data within it.
When an organisation has visibility over its data, they acquire the insights to determine what needs to happen to that data to protect it – whether that’s nothing because appropriate controls are already in place, or taking remediation actions to either move the data or delete it with confidence.
Then by wrapping the right methodology, technology, and processes around the data, the business empowers its employees to continue working in any way they choose, without having to follow undue data process and procedure. And the business doesn’t need to worry, because if people start to do something risky with the data, they’ll be nudged to do the right thing, in the moment.
By gaining visibility over all the data lying within the estate, a business can prioritise its risks, take action to protect the data at source, and in addition reveal the value in its data too.
“Data should be used to protect and power organisations and the people they serve. When an organisation becomes information intelligent, it’s able to secure data, extract its value and manage the ongoing complexity of its data estate.” Danny Reeves, CEO, Exonar
“Data should be used to protect and power organisations and the people they serve. When an organisation becomes information intelligent, it’s able to secure data, extract its value and manage the ongoing complexity of its data estate.”
Danny Reeves, CEO, Exonar
The journey towards effective security must encompass people, process and technology. The following is a model that we’ve created, which helps organisations to successfully lay strong foundations to build a more effective information security strategy:
The first step towards a stronger security posture inside the data estate is to create the policies and processes that set out the intentions for how the organisation will deal with its data. These lay the bedrock for successful data security and governance.
From speaking with several data and security professionals, we’re finding that while most organisations have documented data protection and privacy policies in place, a lot were simply a way of ticking the GDPR compliance box. When it comes to enabling business-as-usual, these policies fail to support people in carrying out their day-to-day duties. One of the biggest areas of concern this leads to is retaining data ‘just in case’ because people don’t have the confidence to delete.
“One of the biggest challenges we have is how long data is kept for. Some people don’t want to let go of it in case it has value in the future.” Digital Data Director, quoted in ‘The Great Data Conflict’
“One of the biggest challenges we have is how long data is kept for. Some people don’t want to let go of it in case it has value in the future.”
Digital Data Director, quoted in ‘The Great Data Conflict’
By taking the time to evaluate their current policies and processes, organisations have the opportunity to re-think data privacy and how it can be ingrained into business-as-usual in a way that helps their employees to do the right thing with data.
As the ones on the frontline, it’s an organisation’s people who need to follow and enforce these policies as part of business-as-usual. Data security and governance should be so ingrained into people’s thinking that it sits front and centre in their minds every day.
And yet our own research indicates that during COVID-19, 1 in 10 UK home workers have little to no understanding of their company’s data policies, while 1 in 4 claim they ‘rarely or never’ consider data protection issues when sharing information.
When a policy is treated as a tick-box exercise, it’s destined to sit in a fileshare gathering dust. Never looked at, never thought about, never enforced.
But when it’s ingrained into a company’s DNA, it becomes a part of the culture. When people understand why data protection and privacy is important, they actively want to take better care of it. In one of our roundtable events, the data governance and security professionals concluded that when an organisation talks about its data in terms of the people it represents, everybody – from the senior leadership team right through to the frontline staff – understand why it’s so important and needs protecting.
"When you engage with people, it's a different conversation." Data quality and analytics expert, quoted in 'Managing data as an asset and a risk'
"When you engage with people, it's a different conversation."
Data quality and analytics expert, quoted in 'Managing data as an asset and a risk'
In the information age, organisations produce extraordinary amounts of data, which continues to grow in size every day. And while some of this data is neatly structured in protected systems and databases, the majority of it is lying unstructured across the estate, potentially unprotected against a breach.
Therefore, the priority for organisations is to identify exactly what data they have within the estate, because once they know what’s there, where it is and who has access to it, appropriate remediation actions can be taken to:
Secure data: keeping sensitive confidential and personal information secure.
Extract value: mining intellectual property, research or insight within information and data.
Manage complexity: managing the volume, such as migrating data to the cloud.
With Exonar, we’ve focused on how to provide unprecedented visibility of organisational data at scale, coverage and detail.
Firstly, we do this by enabling our technology to index any data set within any type of data repository, so it becomes instantly searchable.
It’s a bit like a reference book. Rather than start at the beginning every time to search for a precise piece of information (assuming the user even knows what this piece of information is), Exonar unlocks the power of the index. Now every piece of data is identified and recorded, with the technology constantly re-indexing the data to identify what’s changed, what’s new and to understand the context of the data.
We then enrich this index by adding content and meta data descriptions, before augmenting the index through:
It’s the power of Exonar’s indexing capability, along with the scale it can achieve with hundreds of billions of items across structured and unstructured data, that makes it unique in the data discovery space.
Organisations can’t start to protect something until they know it exists, and only Exonar has the ability to identify ALL data sets – both structured and unstructured – allowing users to query the data in any way they choose and produce real-time search results.
Exonar is the layer in the technology stack that allows organisations to get the most out of their enforcement technologies. Because Exonar is focused on discovering data at scale, it’s specifically built to plug into third- party systems to carry out the appropriate remediation actions, so users retain full control of their data estate and reduce the security threat.
There are 5 main categories of enforcement technologies that we see our customers using, alongside many others:
Having continuously evaluated the competitive landscape for well over a decade, we are yet to discover a ‘one size fits all’ data-related technology. Instead, different vendors focus on developing
the best technology within their niche – whether that’s data discovery or enforcement technologies – which is why organisations need to take a blended approach. By opening up the APIs and integration packs, organisations can build a bigger and better architecture that delivers effective information security with data discovery.
To discover more about the technologies covered in this section, watch our on-demand webinar: ‘Why data discovery matters in a zero trust world’
Having discovered what data is within the estate, and integrated other technologies to take appropriate remediation actions, the final step on the path to becoming an information secure organisation involves adding a layer of operational process and record keeping.
Once the organisation starts to record KPIs for internal auditing purposes, it enables the business to monitor and better understand its data on an ongoing basis so it can identify areas for continuous improvement.
“Group wide, our programmes are all dependent upon having clean, accurate, up to date information to enable the business to drive its commercial goals.” Privacy business analyst, quoted in “Turning data governance policy into practice in 2020”
“Group wide, our programmes are all dependent upon having clean, accurate, up to date information to enable the business to drive its commercial goals.”
Privacy business analyst, quoted in “Turning data governance policy into practice in 2020”
In reaching this point, an organisation has achieved an effective security architecture that starts with the data, balancing the need for security and increased access to information.
Taking a step-by-step approach to add layer upon layer of good data management and security practices, organisations establish the modern architecture they need to strengthen data security in the information age because it enables them to:
Using data policies and process, organisations can lay a strong foundation, before turning those policies into practice through employee awareness, training and culture.
Then by discovering and classifying all the data across the estate, organisations can better implement the enforcement technologies to take appropriate remediation actions to secure data.
Finally, establishing the operational process and record keeping, organisations gain the insights into how they can continuously improve to strengthen their security posture. And reveal the value in their data, enabling them to power the organisation for the benefit of the people they serve.
See our Live Demo: How to get visibility across all your structured and unstructured data
When you’re ready to start the data discovery process, you couldn’t be in safer hands than with Exonar.
The Exonar smart index enables data to be used to protect and power the organisation - billions of items all viewable and manageable in one place, and instantly searchable via a user-friendly browser interface.
“Exonar’s software is the most comprehensive and effective data discovery solution we’ve been able to find.” CTO, Global Pharmaceuticals Company
“Exonar’s software is the most comprehensive and effective data discovery solution we’ve been able to find.”
CTO, Global Pharmaceuticals Company