Data security in tomorrow’s organisations will be fundamentally different from data security today. If you believe that data security today is a challenge, you will be surprised by what it will be tomorrow. As I have said many times over: every organisation will be hacked, and if you are not yet hacked, you are simply not important enough. That holds for today, when human hackers have to be selective about whom they attack. Tomorrow’s organisations, however, will not only have to deal with human hackers but will increasingly face machines that hack them autonomously. Sounds scary? It should be, and you should take action today to remain safe tomorrow.
Autonomous Artificial Hackers
Artificial intelligence and machine learning offer great applications and tools for organisations and society. However, bad actors can also benefit from AI and machine learning and use them to attack your business. Fighting autonomous artificial hackers with human teams is nearly impossible. Hence, you would need to augment your security team with AI. As a result, we will see machine-to-machine fights operating at unbelievable speed and agility. If you don’t have your security in order, it will be an easy fight for those autonomous artificial hackers.
To make things worse, your customers will demand a seamless experience across different channels. All their interactions with your organisation will create data, and your customers demand zero friction in their interactions with your business. This is good for your customers, but a nightmare for your organisation, because every entry point to your organisation’s network – be it a connected device or your app – is a potential hazard. With customer touchpoints scaling exponentially, this can cause serious problems.
How, then, should you protect the organisation of tomorrow? How can you ensure that your company and customer data is secure, private and protected? How can you prevent hackers from hacking you and, if they do manage to break in, prevent valuable information from ending up in the wrong hands? I believe there are four ways to ensure data security in tomorrow’s organisation. Let’s dive into them:
1. Take Security Analytics seriously
Protecting your organisation from (would-be) hackers is difficult, especially if they are machines. Therefore, you should turn to extreme automation when it comes to data security. This is where security analytics comes into play.
Security analytics can help you understand what is happening within your company. It allows you to fight the machines with machines and can help you act when you need it most. Security analytics can help you handle the complex data landscape, especially for organisations that have large data centres, thousands of employees that use their own devices, and employees and customers that use vulnerable connected devices. With security analytics, you can gain the data and insights required to protect your IT resources.
Security analytics can identify the red flags that often precede a breach or attack. You can find devices or hardware that are communicating with unauthorised systems or networks and lock them down before someone can use that device to get into your infrastructure.
With security analytics in place, you will have the possibility of derailing zero-day attacks (attacks that exploit software bugs discovered by hackers but unknown to the developer) before they cripple your organisation or cause a costly data breach.
Of course, machine learning plays an important role in automating at least parts of this process. It will prevent your IT security staff from becoming overwhelmed by the sheer volume of information that they need to look at. As your organisation fends off attacks related to your hardware and connected devices and discovers more markers for potential vulnerabilities, security analytics can autonomously handle lower-priority issues. Your IT security analysts can then focus their attention on complex exploits and other concerns that require a hands-on approach. Security analytics is becoming a prerequisite for the organisation of tomorrow.
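The following example is added here and is not from the original article: it flags devices that communicate with networks outside an authorised list, so they can be locked down, and routes low-volume findings to automation and larger ones to an analyst. The log format, network ranges, device names and byte threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: networks this hypothetical organisation authorises devices to reach.
AUTHORISED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]

# Constructed flow records: timestamp, device id, destination IP, port, bytes sent.
SAMPLE_FLOWS = """\
2019-09-01T10:00:01Z cam-017 10.1.4.20 443 1200
2019-09-01T10:00:05Z cam-017 203.0.113.77 6667 48000
2019-09-01T10:00:09Z cam-017 203.0.113.77 6667 52000
2019-09-01T10:01:12Z printer-02 198.51.100.9 80 300
2019-09-01T10:01:30Z laptop-44 10.2.0.5 22 9000
truncated record
2019-09-01T10:02:00Z laptop-44 192.0.2.15 443 700
"""

def parse_flows(text):
    """Yield (device, destination, bytes_out), skipping malformed records."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, device, dst, _port, nbytes = parts
        try:
            yield device, ipaddress.ip_address(dst), int(nbytes)
        except ValueError:
            continue  # unparseable address or byte count

def triage(text, escalate_bytes=10_000):
    """Flag devices that talk outside the authorised networks.

    Every flagged device is a lock-down candidate; small volumes are left to
    automation, larger ones are routed to a human analyst.
    """
    seen = defaultdict(lambda: {"destinations": set(), "bytes": 0})
    for device, dst, nbytes in parse_flows(text):
        if not any(dst in net for net in AUTHORISED_NETS):
            seen[device]["destinations"].add(str(dst))
            seen[device]["bytes"] += nbytes
    return {
        device: {
            "destinations": sorted(info["destinations"]),
            "bytes": info["bytes"],
            "handler": "analyst" if info["bytes"] >= escalate_bytes else "automation",
        }
        for device, info in seen.items()
    }

if __name__ == "__main__":
    for device, finding in sorted(triage(SAMPLE_FLOWS).items()):
        print(device, finding)
```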
2. Hire a Chief Data Security Officer, Today.
Unless board members regularly discuss data security, your organisation does not take it seriously enough. Therefore, every large organisation should hire a C-level executive dedicated to data security. The Chief Security Officer (CSO) is not only responsible for your security analytics but has the responsibility for anything data related. The CSO should have an important role within the board and should look at combatting persistent threats and mitigating exposure of the company’s IT systems to (large) cyber-attacks.
The CSO should create a secure environment that is capable of dealing with large quantities of data. Security analytics involves terabytes or petabytes of data due to log information from monitoring your network, database information, identity information, and all kinds of other system data that need to be analysed in real-time to know what is going on.
Within a true security analytics environment, an organisation should be able to combine security intelligence with business transactional data as well as unstructured company data such as emails to obtain a complete picture of what is going on. This will allow you to find all kinds of unique patterns and anomalies that actually might be, for example, a very slow-moving attack that in the end, could do much harm.
Fortunately, the Chief Security Officer is on the rise, with almost 2/3 of large companies having hired a CSO. However, it could also be window dressing, as an earlier ISACA report showed. Nevertheless, the Chief Security Officer will play a vital role in the organisation of tomorrow. The job description should focus on the prevention and detection of, and the response to, data breaches, which requires the involvement of all departments.
3. Prepare for the Quantum Computing Era
If you believe the Y2K bug 20 years ago was expensive to fix – it cost $100 billion to fix – think about the costs of replacing all existing encryption in all organisations around the globe. When quantum computing enters our world in the next ten years, all existing passwords and encryption will be up for grabs.
A quantum computer can decrypt any data that is encrypted with today’s encryption methods. This is a serious threat and, unfortunately, almost no organisation or government takes it seriously. Upgrading all our existing encryption to quantum-resistant encryption can easily run into the trillions of dollars. This does not take into account the damage done to organisations or societies when competitors or foreign countries get unlimited access to your data.
Sure, cryptography researchers are working hard to develop quantum-resistant encryption. The National Institute of Standards and Technology (NIST) started a competition for post-quantum encryption methods in 2017. In January 2019, they shortlisted 26 potential encryption tools, which NIST believes are the strongest candidates to become the standard for protecting data today and tomorrow. Help is coming, but organisations should start thinking today about how they can move to post-quantum encryption within their business. The longer you wait, the more expensive fixing your infrastructure will become.
4. Change Your Mindset
For most organisations, data security is still not their top priority. There are too many examples of organisations not taking data security seriously. Passwords are still stored unencrypted; sensitive files are still sent unencrypted; AWS servers are still misconfigured, and sensitive data is still stored on public servers. As a result, in the first six months of 2019, over 4 billion data records containing sensitive information were exposed. Clearly, a lot of work remains to be done.
It is vital, therefore, that organisations change their mindset. They need to start seeing data security as the utmost priority. You can develop a brilliant product or have the best customer service. However, if you don’t take care of data security, it can all be in vain. One hack can ruin your organisation, as the Dutch company DigiNotar showed. In 2011, the commercial certificate authority went bankrupt after it was hacked.
Not only does top management need to understand the importance of data security; every employee should be aware of it. With organisations increasingly linked to each other, one data breach can quickly become a very expensive event. Therefore, your company culture should incorporate the notion of data security. This should always include securely verifying the digital identity of staff and customers when interacting with your organisation. The data breaches of Marriott, Equifax or Capital One show that data security needs to move from your IT department to all other departments and your boardroom. Changing your mindset, therefore, involves educating your staff on the need and importance of data security.
Final Thoughts on Data Security
We already live in a zero-trust world, and this will only get worse in the coming years. Knowing whom you can trust when they interact with your organisation, whether they are humans or machines, becomes increasingly difficult. We need to update our systems of trust, and we need to start doing so today.
In the years to come, data will only increase in importance and, as such, in value. With that will come increased attention from hackers seeking to steal data or hack your products, services, or servers. Increasingly, machines instead of humans will hack your organisation, making attacks more difficult to prevent, detect and respond to. More than ever, data security is vital if we wish to benefit from data, and the organisation of tomorrow can only be successful if data security is a top priority.