In today's digital age, organizations are using data in innovative ways to understand their businesses and generate new value, making data the lifeblood of every operation. As a result, data is growing at an unprecedented rate across on-premises, SaaS, and multi-cloud environments. 

However, this rapid growth presents significant challenges for organizations, as they often struggle to identify sensitive or regulated data, where it’s located, and who has access to it. According to the latest Rubrik Zero Labs report, 98% of organizations report significant data visibility challenges and 66% of IT and security leaders feel that data growth is outpacing their ability to secure it and mitigate risk.

Cyberattackers are exploiting this by targeting the expanding data attack surface to encrypt, destroy, or steal valuable information. And once they steal it, adversaries are more likely than ever to use extortion techniques on their victims. If that isn’t bleak enough, regulatory fines for losing sensitive data are only increasing: GDPR fines of up to 20 million euros or 4% of company revenue and HIPAA fines of up to $50,000 USD per violation are two examples. We’ve even seen attackers report their victims to the SEC to ratchet up the pressure. CISOs are under serious pressure to protect sensitive data and reduce risk to the business as boards across all industries take note and expect visibility and action.

So data growth is out of control, organizations don’t have visibility into what they’re protecting, and the stakes are only getting higher. Just another day in the cyber security neighborhood, right? 

In the face of all this, it’s easy to get caught up in the security game of whack-a-mole to try to chase every threat and prevent it. Infrastructure security is bolted on to try and stop data theft as it happens, with limited success. While these security solutions are absolutely necessary to prevent as many known and unknown threats as possible, they are focused on protecting assets – hardware, networks, applications. To secure data we need to understand it. When was the last time your DLP told you how much of your data is sensitive, where that sensitive data is, who has access to it, and what they’re doing with it? Remember, over 80% of cyberattacks exploit legitimate access credentials to remain undetected, rendering many conventional security measures ineffective as hackers no longer have to break in, they simply log in.

Ultimately, it’s just a numbers game. It’s a common refrain that organizations need to get it right all of the time and attackers only need to get it right once. Let’s accept that at some point you’re going to face a breach. The next thought is usually “how do I recover quickly and safely and ensure business continuity?”, which is something Rubrik knows a lot about. But before we even get there we should ask ourselves – what could I have done to minimize the damage up front? In other words, how can we proactively improve our data security posture to minimize our data exposure and exfiltration risk?

When we expand our thinking from preventing all threats to keeping our regulated data safe, it opens the door to other possibilities. What if you could reduce your overall data exposure and data risk? Great, how do you do that? You can identify high-value targets (sensitive and regulated data) and reduce the amount of such data exposed on your systems. How much of your company’s regulated data sits in production systems, no longer serves any purpose, and is never touched by anyone? The results of completed projects, customers who haven’t engaged with the company for decades, historical financial data, expired contracts, former employee records, the list goes on and on. So first, organizations need to identify unused and no-longer-relevant data and proactively retire it, significantly reducing their data attack surface.

Reducing the number of people who have access to that data is another effective security measure. Every user represents a risk to data simply because they have access to it and can be compromised. So secondly, you can reduce the amount of sensitive data your users have access to by implementing least-privilege access, a well-known and effective concept, to cut down more risk to your data. Not only is there less of a chance of an attacker finding and compromising a user with access to sensitive data; if users only have access to the information they need to do their jobs, you’re also minimizing the blast radius of any successful data attack.

And third and finally, we all know data is dynamic. It’s constantly changing locations. It’s duplicated. Who has access to it and whether they should have access to it is constantly changing. Maximizing your data security posture means being able to constantly monitor these changes for anomalous activity to identify if there are threats to that data. Did someone who shouldn’t have access to a particular set of data gain access to it? What other data does that person have access to? How has their access changed over time and what did they effectively access over time? All of this data context helps triangulate on whether a change leads to unexpected risk, is a true threat or not, and whether immediate remediation action should be taken.
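The three steps above (retire unused sensitive data, trim access toward least privilege, watch for access changes) can be sketched in a few functions. This is an added example, not code from the original post or from any Rubrik product; the inventory, access snapshots, usage log, all names, the review date and the three-year staleness threshold are constructed assumptions.

```python
from datetime import date

TODAY = date(2024, 6, 1)  # constructed review date
# Constructed inventory: one record per data set (all names and values are hypothetical).
INVENTORY = [
    {"name": "hr/former_employees.csv", "sensitive": True, "last_access": date(2015, 3, 1)},
    {"name": "finance/q3_forecast.xlsx", "sensitive": True, "last_access": date(2024, 5, 20)},
    {"name": "wiki/lunch_menu.md", "sensitive": False, "last_access": date(2012, 1, 9)},
]
# Constructed access snapshots: data set -> users who can read it.
ACCESS_BEFORE = {
    "hr/former_employees.csv": {"alice", "bob", "carol"},
    "finance/q3_forecast.xlsx": {"alice", "dave"},
    "wiki/lunch_menu.md": {"alice", "bob", "carol", "dave"},
}
ACCESS_AFTER = {**ACCESS_BEFORE, "finance/q3_forecast.xlsx": {"alice", "dave", "carol"}}
# Constructed usage log: (user, data set) pairs actually read during the review window.
USED = {("alice", "finance/q3_forecast.xlsx"), ("dave", "finance/q3_forecast.xlsx")}

def sensitive_names(inventory):
    return {d["name"] for d in inventory if d["sensitive"]}

def stale_sensitive(inventory, today, max_age_days=365 * 3):
    """Step 1: sensitive data untouched for longer than the window (retirement candidates)."""
    return sorted(d["name"] for d in inventory
                  if d["sensitive"] and (today - d["last_access"]).days > max_age_days)

def unused_grants(inventory, access, used):
    """Step 2: grants on sensitive data that were never exercised (least-privilege candidates)."""
    sens = sensitive_names(inventory)
    return sorted((u, n) for n in sens for u in access.get(n, ()) if (u, n) not in used)

def new_sensitive_grants(inventory, before, after):
    """Step 3: access to sensitive data that appeared between snapshots, with context."""
    sens = sensitive_names(inventory)
    findings = []
    for name in sorted(sens):
        for user in sorted(after.get(name, set()) - before.get(name, set())):
            # Context for triage: what other sensitive data can this user already reach?
            others = sorted(n for n in sens if n != name and user in after.get(n, ()))
            findings.append({"user": user, "gained": name, "other_sensitive": others})
    return findings

if __name__ == "__main__":
    print("retire:", stale_sensitive(INVENTORY, TODAY))
    print("revoke:", unused_grants(INVENTORY, ACCESS_AFTER, USED))
    print("review:", new_sensitive_grants(INVENTORY, ACCESS_BEFORE, ACCESS_AFTER))
```

On the constructed data, the new grant to `carol` is reported together with the other sensitive data set she can already reach, which is the kind of context the questions above ask for when deciding whether a change is a real threat.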

All of this underscores the crucial importance of managing data security posture from the data's perspective. Effective data security posture involves discovering and classifying sensitive data to fully understand an organization's risk exposure and then proactively eliminating unnecessary data and restricting access to sensitive information to only those who require it. Implementing a robust data security posture not only reduces the risk of a widespread breach but also limits the potential damage from successful attacks. If an adversary cannot get to the data, they cannot take it or destroy it. As the landscape of cyber threats evolves, prioritizing data security posture becomes essential for organizations aiming to protect their most valuable asset: their data.

While many organizations have started to implement or investigate how they can improve their data security posture, we believe that cyber posture is one piece of a larger cyber security strategy – that of cyber resilience: accepting that breaches will occur and ensuring that your data and therefore your business is resilient enough to sustain breaches and continue forward. Cyber resilience begins with cyber posture and must also include cyber recovery – the ability to bounce back quickly and safely. Bringing cyber posture and cyber recovery together will create a cyber resilient future where organizations can take on any threat and emerge stronger than ever.