Data: The once coveted resource that has become tricky to extract value from
Traditionally, oil has been the metaphor of choice when discussing the value of data. Like oil, data has been considered a coveted resource that governs the modern world. This is why organizations around the globe preserve vast stores of data even when it has no immediate value. Companies hold onto the asset with the belief that they will call upon it at some point in the future.
But alas, this comparison has become a poor fit in recent times. Data has become risky, expensive to store, hard to extract value from, and a desirable target for adversaries. More businesses are now realizing that data banks have more in common with uranium: valuable, but dangerous and hard to extract value from.
Data can be an essential resource that drives innovation and generates business opportunities. However, mismanagement of this asset can have severe consequences, which are becoming more visible. So, how should we be thinking about data storage and management to mitigate this issue?
Involvement of federal authorities in data protection
The growing number of data breaches worldwide involving sensitive information, such as financial or medical information, has forced this issue onto the main stage. In response, federal and state governments are putting guidelines in place to ensure accountability exists when handling data.
For instance, the Australian government has decided to hold companies responsible for replacing personal identity documents, which changed the economics of data storage for many organizations. Every data record, such as a license, passport, or credit card number, now has a clear 'cost if breached'. For most businesses, this simple move has turned their cost-benefit analysis for storing data upside down.
With the ever-evolving threat landscape, the best project any organization can take on is to back-burn their data and eliminate or reduce the amount of sensitive information they store. Organizations need to be critical about what data they intentionally store and how the data can be protected. It is also imperative to remember that organizations must pay for a breached passport number, regardless of whether it is taken from a lost USB or a high-security system. Such data must be protected everywhere, all the time.
Global solution to data exfiltration
The increased cost of storage arising from security controls is the same dynamic created by the Payment Card Industry Data Security Standard (PCI DSS), released in 2004, which established clear requirements for companies to meet in order to accept, store, process, or transmit credit card information.
The cost of meeting those requirements meant that it was no longer economically viable for many businesses to store credit card data themselves. Hence, most enterprises opted out of the credit card data storage system and outsourced the job to specialists.
Top credit card brands, such as Visa, American Express, MasterCard, JCB, and Discover, consistently support the PCI DSS, which is what makes it successful. The clarity the initiative provides may also be one of the reasons for its success: there is minimal opportunity to ‘risk assess’ away a mandatory control. Considering the success of this initiative, it is easy to see that there is a need for a similar initiative to protect all sensitive personal data held by businesses.
There is a need for a small number of third-party service providers that can be given the task of holding, managing, and protecting data using secure processes. By using a secure third-party Personally Identifiable Information (PII) data storage service, businesses can abstain from storing sensitive data themselves. Companies can reap cost benefits by protecting data effectively with the help of rigorous audits and assurance regimes that provide checks and balances.
It's time to start thinking about your data stores like uranium
Enterprises have been told about how data, the new oil, is valuable and that customer-centric companies depend on this oil to gain competitive leverage. However, this is not the case anymore. The cost-benefit of preserving data has changed over time, and businesses must think about storing data differently. This is why data should be thought of as uranium, important for advancement but risky to hold on to. A collaboration between the industry and the federal government is imperative to design and implement a PCI DSS-like security standard that can be applied to all sensitive data.
Additionally, to effectively manage and store data, keep it secure, and prevent it from getting exploited, the government needs to work with industry to enforce a baseline for businesses. This can mark the emergence of a marketplace of government-endorsed or certified providers that can deliver secure services to store sensitive data and give intermediate access.
Thinking of data as uranium -- a risky asset to store -- requires a change in mindset. Businesses need to consider that despite placing great value on this asset, they should only gather data that they genuinely need. If they do not need the customer data, the rational answer would be to get rid of it safely. As businesses have to focus on other operational duties, storing data and protecting it should not be another task they have to deal with. Finding a balance between data that is required and data that is useful is the key to managing an organization’s data storage needs.
Nick Ellsmore is Senior Vice President, Worldwide Consulting and Professional Services at Trustwave.