It’s a new reality we find ourselves in: “You can’t protect everything anymore.” That was the central message delivered by InteliSecure CEO Robert Eggebrecht in his presentation, “Preventing the Inevitable: Safeguarding Critical Assets in the Age of the Mega Breach,” at the IAPP Global Privacy Summit in Washington, DC, last week.
Eggebrecht emphasized the need to “shift the paradigm” of data security and privacy away from simply utilizing the latest in technological safeguards. “We continuously buy into the IT trap that information-security technology is going to save us from breaches,” he said. Even though technical safeguards are extremely useful in protecting data, using them alone without comprehensive protection plans will never be enough to guard data. Sixty-four percent of data losses can be attributed to well-meaning employees and 50 percent of employees have proprietary data after leaving an organization, he noted. These types of breaches cannot be stopped by simply adding layers of security. In order to prevent these problems, organizations need to have monitoring systems in place that track employee activity.
Despite that fact, after the major data breaches of the past few years, organizations continue to pour money into the latest in cutting-edge security technology rather than developing monitoring programs involving human oversight of data activity.
Eggebrecht differentiated between user data and machine data to explain why human oversight is so important to data privacy and security. Machine data consists only of basic information about when and where data has been accessed and can be collected in huge, disheartening amounts. These huge data sets can be rendered useless and “become background noise” without humans to assess and analyze user data and activity, he said. Machine data about downloading files may seem innocuous by itself, for example, but can become important to identifying a breach when examined in tandem with employee records and activity.
“Everyone needs to make a border, but you have to wrap human beings around that border,” said Eggebrecht.
To shift the paradigm away from relying purely on the newest technology, we must also change the way we talk about data security and privacy. Instead of talking about how each technology adds to the level of security and privacy, Eggebrecht focuses on “Content, Community and Channel.”
The first thing an organization needs to decide is what really needs to be protected. Traditionally, IT security departments focus on customer data such as credit cards, but that is not necessarily what a company needs or executives really want to protect. Eggebrecht prioritizes protection based on what data is the most lucrative for the company. Data that is integral to a company’s profits, such as intellectual property like patents or trade secrets, will be much more damaging to lose than customer data. Once the content that is most important to a company is identified, a protection plan can be developed around it. By looking at who in the organization’s community actually needs access to the content, one can shrink the scope of who needs to be monitored to protect the data. By looking at how this content has to be communicated between individuals within the community, one can limit the scope of communication channels that have to be monitored. These focuses create a realistic scope of data security and privacy rather than adding countless and oftentimes needless layers of technological safeguards, he said.
Speaking in these terms also can invite the executives of an organization into the data security and privacy conversation in a meaningful way. There is only so much technological understanding and interest at the executive level. By talking about the latest in technology as the be-all, end-all of data security and privacy, executives are left uninterested and unengaged. Changing the conversation to where and how the critical data assets are created, stored, used and transmitted brings executives back into the conversation and can keep their attention.
Eggebrecht insisted, “The new role of privacy and security is to prioritize data.”
Today, organizations have so much data that by trying to create massive technological borders around all of it, an organization can fail to effectively use the technology to protect the most critical assets. Data privacy and security is vital to the development of new technologies and business operations and therefore should be keyed to protect them. The increasing need for data protection and monitoring cannot be filled by technology alone. Taking a serious look at what content really needs protection, moving the conversation away from technology and investing in employees rather than the newest security technology is the most effective way to prevent the breach that damages your organization.