Data security is becoming a necessity as more organisations around the world continue to implement their digital transformation strategies. How, and the rate at which, companies around the world are transforming may differ, but the threats they face are constant, global in nature and potentially devastating.
As the threats to sensitive data are escalating and regulations are pressuring organisations to tighten up their security, it becomes apparent that more thought has to be put into how companies can find the perfect balance between securing data while not being too restrictive for their own users.
This week, IBM hosted a security meetup attended by Malaysian companies from various verticals and industries to discuss how exactly they can find this balance amidst an increasingly challenging cybersecurity landscape.
Kicking off the meetup was Andrew Martin, AOPG Group Publisher, who in his welcoming presentation highlighted some of the most high-profile data breaches that have occurred over the past year, affecting huge global and regional organisations like British Airways (380,000 customer credit card data stolen), T-Mobile (2 million customer passwords and personal data compromised), Careem (affecting 14 million customers), Timehop (21 million customers), Chegg (40 million customers) and Aadhaar (where private information belonging to over 1 billion Indian citizens was leaked).
He pointed out two defining characteristics of these attacks. Firstly, disruption is no longer the sole objective of cybercriminals. They are now more strategic and patient in playing the long game. They employ various techniques in order to stay undetected for as long as possible to scour enterprise networks and reach the organisation’s “crown jewels”, which brought him to his second point. Data is becoming the most valuable business asset and in most cases of data leaks and breaches, it is the database that stores the organisation’s sensitive data that has the most value and is targeted by hackers.
Commenting on the overarching theme of the meetup, which was, “Discovering, Classifying and Securing Sensitive Data in a World Where Data Accessibility is the Norm”, Andrew Martin pointed out that keeping data both open and protected may sound like an oxymoron, but it is a necessary challenge for many companies today and “it is a challenge that is only going to get harder”.
Data classification, he said, is key to solving the conundrum. “In every aspect that you manage data, as data grows, classification becomes more important because the only way you can manage enormous amounts of data is if you are able to classify it and work out what you’ve got.”
Malaysia Is Not Spared From The Data Breach Epidemic
This notion was echoed by Puan Sabariah Ahmad, CyberSecurity Malaysia’s Head of Information Security Management and Assurance, who said that before any organisation is able to protect its data effectively, first it has to understand its data. Organisations have to do some self-reflection in the form of security-focused risk assessments to identify their critical information assets as well as potential threats and risks to critical functions in related systems. This, she said, will allow decision-makers to “manage and mitigate the risks before they occur”.
She stressed that preparedness is a critical factor to a successful response to a data breach and organisations must not be complacent when it comes to cybersecurity. She added, “No one is spared from cyber attack. Even though you think your company is small, insignificant or unimportant, you still can be a target”.
From a Malaysian perspective, Puan Sabariah shared statistics from the Malaysia Computer Emergency Response Team (MyCERT), which showed that cybersecurity incidents are definitely on a steady rise. From 2016 to 2018, the number of (reported) incidents grew from 8,344 to 10,699, with cases of fraud, intrusion and malicious codes topping the list.
She also mentioned that Malaysia has not been spared from the data-breach epidemic, as she highlighted some of the biggest data leaks that have occurred on the local front, such as the mobile data breach which affected 46.2 million local mobile number subscribers or the personal data leak of 60,000 Astro IPTV customers. To make matters worse, cybercriminals were brazen enough to attempt to sell some of the stolen data on public online forums such as Lowyat.net.
In order to prevent such incidents from occurring, organisations have to develop an information security strategy and ensure that information risk is being adequately addressed. According to Puan Sabariah, that can be achieved through two means: defence-in-depth and effective information security governance.
A Smarter Way to Tackle Sensitive Data Security
These high-profile incidents that target databases point to a common problem that many companies today are facing. Oftentimes, databases use older technology that is now being fused with very modern technology. They simply weren’t designed to protect against advanced attacks coming from the growing number of access points that are connected to them.
To solve this problem, organisations need a smarter way to tackle data security and defend against cyber attacks, as highlighted by Wing Hong Chan, IBM’s APAC Segment Leader - Data Security. Wing said the issue of sensitive data security is complex because while exfiltration or theft in the physical world is all too apparent, in the cyber world, “stolen” data is typically replicated elsewhere. The original copy of the data is still there.
That makes it easier for hackers to cover their tracks and more difficult for organisations to detect when their defences have been breached. What’s worrying is that according to Wing, the average time taken for companies to identify a data breach is 161 days. But based on his observation, the duration can be much longer. Moreover, data does not necessarily have to be exfiltrated before an incident can be considered a security incident. Cybersecurity incidents also include unauthorised access, queries or modifications made to a database.
In order to successfully protect sensitive data, Wing suggests that companies go through the following best practice journey:
Identify Your Risks
- Discover and classify sensitive data
- Assess database, big data vulnerabilities
- Visualise data-related business risk

Harden Your Data Repositories
- Encrypt and mask sensitive data
- Archive/purge dormant data
- Revoke dormant entitlements

Monitor Access to Your Data
- Monitor and alert on attacks in real-time
- Identify suspicious activity
- Produce detailed compliance reports
- Optimise data retention over extended time periods, meet compliance mandates
- Enrich data, apply big data analytics to find new insights

Protect Your Data
- Prevent unauthorised access
- Take real-time action
- Expose data-related business risk to C-level execs and board of directors
The fact is, businesses today are moving faster than ever due to digital transformation, cloud migration and regulatory acceleration. In order to cope with the sprawling data environments, disparate systems and databases, realistically, they have to depend on tools that can automate and simplify all the above steps efficiently. Otherwise, executing the whole process can become overwhelming, flawed and error-prone.
That’s the area where tech companies like IBM can offer their experience and expertise. Over the years, IBM has been working on enhancing its Guardium technology to help companies safeguard critical data. Andrew Lim, Client Technical Specialist, Guardium, IBM Asia Pacific, was on hand to demonstrate how users are able to quickly and easily discover sensitive data (be it structured or unstructured data, on-premises or on cloud), protect critical data against unauthorised access and comply with government regulations and industry standards.
Andrew Lim likens a tamper-proof appliance like IBM Guardium, which is built to provide better control, security and visibility for data at rest and data in motion, to having a video recorder attached to a system to constantly monitor what’s happening. What makes the platform truly powerful is that it can secure data access in three ways, or as Lim put it, with three engines, namely through real-time monitoring, IBM Melody’s machine learning capabilities for automatic outlier detection and the anomaly detection engine that analyses historical events. It also comes with the capability to automate compliance controls to help companies adhere to data regulations like the GDPR, SOX, PCI, HIPAA and others.
While having the best security technologies certainly helps, both Wing and Lim agreed that organisations must make sure they have the basics covered when it comes to securing sensitive data. That is because in many data breach or leak cases, organisations did take steps to secure their perimeters, but left their databases located behind their defences wide open. They failed to adhere to basic security hygiene such as keeping systems patched, proper handling of errors or even the simple act of encrypting cloud data and keeping the encryption keys safe.
Having a security tool like IBM Guardium to fall back on provides that crucial last line of defence against cyber attacks.
By the end of the meetup, based on some of the conversations we had with attendees, they were definitely pleased with the chance to connect with their peers as well as the knowledge shared by the data and security experts from CyberSecurity Malaysia, IBM and Cybersecurity Asean.