When we secure an asset, we usually know where it is and have a series of controls to protect it. For a house or office building, it is the address, and we secure it with locks and perhaps a security service. For a car, we have the VIN and maybe a tracking device if the car is valuable, as well as keys and alarms to control access. By and large, we have ingrained in our psyches how to protect physical assets.
But what about protecting information assets?
Right now… where is all the critical information for your home, like insurance policies, warranties, etc.? Probably in a safety deposit box or with a trusted resource like your attorney or bank. However, can you immediately say where all your proprietary and confidential company data, the lifeblood of your company, is in today’s global commercial marketplace? In the data center? Which one? Much of your company’s data may be in a traditional data center, but what goes in and out and who has access is far less certain, as Target learned from its HVAC vendor, whose compromised account led to access to the Target network.
What about the data in “the cloud”? How did it get there? Was the trip secure? Was any of the data, your customer records or financial information, altered while in transit? How do you know? Assuming that all the data in the data center(s) and all the data in the cloud(s) are secure, how does an organization secure data on employee-owned devices? Historically, it was expensive and logistically difficult for an employee to hold much information. The ancient 1.44 megabyte “floppy drive” is all but extinct and its replacements are far more capable.
In 2014, hackers stole more than 25 gigabytes of sensitive data from Sony Pictures. 25 gigabytes would have required dozens of “floppy drives” and hours to move the data. BestBuy.com sells 2 terabyte USB portable hard drives for less than $100 that connect directly to a computer for fast transfer, probably less than a minute for 25 gigabytes. 2 terabytes is roughly equal to 2000 gigabytes… or enough storage to handle nearly 1000 times the sensitive data that ousted the Sony Pictures CEO.
To secure today’s critical business asset, data, companies need to implement security frameworks that account for today’s dynamic and global commercial environment. There is simply no technology fix for the “where” of data security. While it is important and useful that companies employ technologies to monitor critical data, they must also put in place and exercise appropriate processes for Governance, Risk Management, and Compliance to account for ongoing changes to that critical data.
The takeaway message:
Threats to your data and vulnerabilities in your technology/organization are constantly changing. Data that can cripple your business moves at light speed and can be stored for a few dollars. Managing the “where” of your company data requires far more than the data center address. Today’s global, information-based economy calls for strong policies, procedures and processes in the areas of Governance, Risk Management, and Compliance.