Major gold rushes might have taken place in the 19th century, but gold rushes are far from over. In fact, there is a slightly different type underway online right now. Only this time, it is enterprises and businesses that are currently rushing towards digital transformation.
This rush to embrace new environments has created more attack surfaces and newer risks for data that needs protecting. Findings from the 2018 Thales Data Threat Report (registration required) of 1,200 senior executives in Germany, Japan, India, the Netherlands, Sweden, South Korea, the UK, and the U.S. makes for fascinating reading. In the 2018 report, 67% of respondents were breached, with 36% breached in the last year – a marked increase from the 2017 report, which saw 26% breached in the last year. As a result of this, 44% of respondents felt “very” or “extremely” vulnerable to data threats.
Jon Geater, Thales eSecurity CTO thinks the 44% statistic implies that businesses are not doing enough about it. 'Where this comes from is that there are lots of trends in the computing space like cloud and digital transformation that force businesses online. So we had a slow and steady change where more and more systems were exposed. And that led to a scale of exposure that people have not had before.
'On-prem has been bad especially with the usual perimeter mindset. And we know that hybrid cloud and mobile share data between themselves. It is the data sharing that we hear most of all and that is really challenging people to put systems in place.
'With new systems in place, you tend to self-report a lot too. And it is this growth in the number of reported breaches and the determined nature of the adversary that we find difficult to deal with.This is better because it is faster, cheaper but more complex.
'The feeling of vulnerability isn't just because of the increase in the number of reported breaches and because more attacks are coming to light - recent examples of this would be Spectre and Meltdown.
'Data security is increasingly becoming a C-level issue. Not only do we need more eyes but also money on remediating the problem. More that data security is a financial.
Peter Galvin, chief strategy officer, Thales eSecurity says: 'From cloud computing to mobile devices, digital payments and emerging IoT applications, organisations are re-shaping how they do business. And this digital transformation is reliant on data.
'As is borne out by our report, we’re now at the point where we have to admit that data breaches are the new reality, with over a third of organisations suffering a breach in the past year. In this increasingly data-driven world it is therefore hugely important to take steps to protect that data wherever it is created, shared or stored.'
Geater continues, 'The scale of breaches is getting bigger, more people are seeing them. For some businesses, it is a matter of all or nothing because inside the data estate, if the data isn’t partitioned well, it could turn out to be a risky proposition for the organisation. And in case, you have a database with several millions of entries, then it is a big issue. So it will take just one attack before your entire database is gone. Up until now people never really understood that you could lose everything in one day. They can understand that now.'
I ask him if he thinks that we are seeing more instances of breaches being reported because businesses are saying they have been breached before GDPR (and its famous fines) hits in May 2018. He points towards the increasing cost of breaches for the businesses affected, without the fines.
'It is definitely true that GDPR is making people put defences in. But the fact is that there are genuinely more things happening and this is coupled with an increased awareness of data security in the board room.
'This year we have noticed that compliance is not the top driver for businesses to be falling in line and getting their acts together. This year it is financials. Security breaches create a vicious circle: You hear the news which says an instance is serious. This leads to people getting fined. Once a business has been fined, it goes straight to the Board Room. For a long time, simple compliance has been the top driver for implementing security.'
In the Data Breach Report, 77% of respondents cite data-at-rest security solutions as being most effective at preventing breaches. According to Geater, this is because it is a 'Bang for the buck' solution.
'These solutions are not the most sophisticated. But they are very easy to configure and protect against most small scale issues like in the case of the US security data breach where military records were breached from AWS. In that case they had simply forgotten to patch S3 correctly; in fact 40% of AWS buckets are misconfigured! However, if you have a very sophisticated online attack, where the malicious actors are deliberately stealing data with pre-existing knowledge of the organisation ... data-at-rest solutions will not help.'
All in all then, the landscape has changed. A particular issue is the hybrid cloud which stretches the attack surface. That’s where data encryption comes in. Protecting data is more important than protecting perimeters, endpoints, and cloud services. Leaving data vulnerable is the cause of a lot of breaches.