[ WHITE PAPER ] WHY DATA-CENTRIC SECURITY MATTERS · 2017-10-24

[ WHITE PAPER ]

WHY DATA-CENTRIC SECURITY MATTERS

CYBERCRIME AND DATA BREACHES ARE ON THE RISE

DATA SECURITY IS NO LONGER JUST AN IT ISSUE, BUT A SIGNIFICANT BUSINESS-WIDE CONCERN THAT HAS MADE ITS WAY TO THE BOARDROOM AND C-SUITE ALIKE.

WannaCry ransomware locks up 200,000 computers in 150 countries! United Airlines flight attendant accidentally posts cockpit codes online! Most citizens don’t trust their government to keep personal information safe! These headlines are not just hype – it’s a dangerous world for data.

The 2016 cybersecurity report from Markets and Markets, ‘Cyber Security Market – Global Forecast to 2021’, estimates cybercrime will cost approximately A$7.5 trillion by 2021, and that the worldwide cybersecurity industry will be worth about A$251 billion. Risk Based Security's ‘2016 Year End Data Breach QuickView Report’ estimated that in 2016, 4,149 total breaches were reported, exposing more than 4.2 billion records, while IBM's 2016 ‘Cost of Data Breach Study: Global Analysis’ estimates that the average global cost per lost or stolen record is A$205. Data breaches are becoming more complex and costly, as cybercrime becomes more rampant.

It’s not just about protection from external hackers and cybercriminals – organisations need to look inside their operations as well. According to the aforementioned IBM report, 27% of all data breach incidents were internal, involving a negligent employee or contractor. While many data breaches are caused by malicious external players, they often occur through the actions of internal stakeholders, such as disgruntled employees, or through an accidental leak.

COVATA.COM

OPTIONS FOR ADDRESSING THE RISK

ONE OF THE FUNDAMENTAL CHALLENGES OF CYBERSECURITY IS DEALING WITH THE SPEED OF CHANGE. While Cloud, Big Data and IoT create new capabilities and possibilities, they also create new security vulnerabilities that can be exploited. To truly protect what matters to you most, a combination of several types of security is needed. These are not mutually exclusive security options.

1. NETWORK SECURITY: The most commonly known type; it refers to routers, firewalls and intrusion detection systems implemented to tightly control or monitor access to networks from outside sources. It’s the idea that you lock your doors and deadbolt your windows to keep unwanted strangers out.

2. SYSTEM SECURITY: Protection of servers and other infrastructure technologies against hacking, misuse and unauthorised changes. Examples of system security include anti-virus systems and patch management. At this level, you’re protecting the platforms that contain sensitive data, but you’re not protecting the data itself. Your IT administrator manages this, so you’ll need to trust them, because they can gain access to any of your sensitive data at any time. It’s a scary thought.

3. ENDPOINT SECURITY: Refers to a methodology of protecting laptops or other wireless and mobile devices, primarily from the threats of malware. Each device with a remote connection to the network creates a potential entry point for security threats. This type of security ensures devices connected to your network comply with your security policies.

4. APPLICATION SECURITY: The effort to eliminate vulnerabilities in applications that external threats could exploit, so that you design, develop and deploy only trustworthy applications within your organisation. Controls in this category include Secure Software Development Lifecycle processes and static code analysis tools.

5. DATA-CENTRIC SECURITY: Focuses on protecting the actual data, wherever it is and however it travels – so it’s secure at rest, in transit, and in use. Data-centric strategies focus on the ability to know what data is stored where (including sensitive information), on encrypting relevant data, and on defining access policies that determine whether certain data is accessible, editable, or blocked entirely for specific users or locations.

REGULATORY PRESSURE IS MOUNTING

Pressure is mounting as compliance regulations require data to be protected. Security issues are now mapped to board level risks and are at the heart of everything governments do. Tough legislation is already in place, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Sarbanes-Oxley Act of 2002 (SOX) in the US, and Payment Card Industry Data Security Standard (PCI) globally – and even more regulatory requirements are emerging.

With GDPR coming into effect in the EU on 25 May 2018, organisations failing to comply will face fines of up to 20 million Euros, or four per cent of global turnover, whichever is higher. In Australia, data breach notification will become mandatory from February 2018. Reasonable steps must be taken to assess breaches within 30 days, and inform affected individuals and the Privacy Commissioner of eligible breaches. It’s not that far away. Most organisations have no idea how they will handle this imminent requirement – does yours?

[ FIGURE ] The five security layers: NETWORK · SYSTEM · ENDPOINT · APPLICATION · DATA


TWENTY YEARS AGO, PERIMETER SECURITY WAS CONSIDERED SUFFICIENT. IT WAS THE CONCEPT THAT IF YOU BUILD A MOAT AROUND THE CASTLE AND PULL UP THE DRAWBRIDGE, THEN WHAT IS INSIDE MUST AUTOMATICALLY BE SECURE. We know that in this modern world, that is not the case. You need to apply layered protection and encryption to what is inside your organisation, what’s behind your firewalls, and what’s within your files and folders.

How does this work in a practical sense? You can lock down data from access, but your company still needs to function. How do you enable daily business collaboration internally and externally while keeping your data secure from unauthorised access and inadvertent disclosure?


TREAT DATA AS AN ENDPOINT TO PROTECT ASSETS THAT MATTER

Traditional cyber security methodologies that address security from a network and device-centric perspective are losing effectiveness. However, treating data as an endpoint sees security measures following the data, regardless of where it’s located or accessed – on a mobile device, on a server, or in the cloud.

Sensitive data (not all data) needs to be protected from internal and external threats, as it is the breach of this sensitive data that can expose a company, its directors, partners, shareholders and customers to a range of risks and liabilities. By protecting, controlling and monitoring both the access and use of sensitive data, you refocus security on the assets that really matter – valuable company information.


BREACHES POSE SUBSTANTIAL IMPACT TO AN ORGANISATION

Regardless of the type of breach, whether it's external or internal, access to confidential company or private customer data can have major impacts. There are significant commercial drivers to addressing data security, and substantial risks if organisations choose not to protect themselves.

DAMAGE TO BRAND REPUTATION

Brand reputation is built over years, but can be destroyed overnight. A data breach is a public relations and financial disaster that results in massive fees from crisis management and PR firms. Companies often spot the intrusion too late, and respond inadequately, resulting in falling sales and an unwanted media spotlight. Not all publicity is good publicity.

DISRUPTION OF BUSINESS OPERATIONS

Once breached, an organisation must act, investigating the source and depth of the breach, managing public relations and compliance, and reviewing systems to ensure the attack can't be easily repeated. To do this properly can take enormous amounts of time and money. For medium to large organisations this can easily amount to millions of dollars, and also creates massive disruption to business operations while it’s all being dealt with.

LOSS OF REVENUE AND BUSINESS OPPORTUNITIES

Reputational damage suffered by companies who fail to protect personal data can translate directly into a loss of business. Disruption to business operations can affect a company’s ability in the short-term to manage incoming business opportunities.

THREAT OF LEGAL ACTION, FINES OR PENALTIES

Breaches cost money – not just because business is disrupted and revenue opportunities are lost, but on top of that there can be legal action taken, and fines or penalties imposed. In some instances, these costs are so large that a business may not be able to continue.

“HIDDEN” COSTS CAN AMOUNT TO 90 PERCENT OF THE TOTAL BUSINESS IMPACT ON AN ORGANISATION, AND WILL MOST LIKELY BE EXPERIENCED TWO YEARS OR MORE AFTER THE EVENT. This is among the findings of a recent study by Deloitte Advisory entitled “Beneath the Surface of a Cyberattack: A Deeper Look at the Business Impacts.”


THE FIVE THINGS YOU NEED TO KNOW ABOUT DATA SECURITY

ACCORDING TO TELSTRA, THERE ARE FIVE KEY THINGS YOU NEED TO KNOW ABOUT WHEN IT COMES TO THE SECURITY OF YOUR DATA.

1. KNOW THE VALUE OF YOUR DATA BECAUSE NOT ALL DATA IS CREATED EQUAL

There are two important things you need to know about your data: its value, and where it resides. You need to understand what value your data has not just for your organisation and your customers, but also the value for someone that may want to steal it, because all data has some value to someone. When Sony was the victim of a breach, the information most damaging to them was executive correspondence, not the loss of media properties. It is important not to forget that much of the most sensitive information is contained in unstructured data sources such as files, documents, emails, etc.

If you understand your data and the value of it, then you can decide what you need to protect. Because not all data is created equal, it’s not all sensitive and private, and it doesn’t all need to be strongly secured.

2. KNOW WHO HAS ACCESS TO YOUR DATA

You need to know who has access to your data both within an organisation and externally. For example, is it just one person, a team of people, or is there someone with IT administration rights within your business who can access it all? Are you comfortable with this? Can you centrally assign and monitor access rights and permission to those you want to share your data with, but keep out those who you don’t? Even IT shouldn’t have access to HR data. Your salary is on that list too!

3. KNOW WHERE YOUR DATA IS

You need to know where your data (both sensitive and non-sensitive) is stored, both from an internal and an external perspective. From an internal perspective, you may not realise how much sensitive information is already in your systems such as SharePoint, emails and networks.

You need to know where credit card numbers, personally identifiable information (PII) and other pertinent details are in your systems, so you know what you need to protect and where that data is. There are discovery tools available to help you find where your sensitive information is located.

From an external perspective, is your data with a service provider? Have they provided your data to other third-parties? Where is the data? Locally, or off-shore? Is it in the cloud? And is it protected?


4. KNOW WHO IS PROTECTING YOUR DATA

You need to know who is protecting your sensitive and valuable data. What operational security processes are in place? Where are they? Can you contact them if you need to? It is your responsibility to make sure proper policies and procedures are in place, because you are responsible for protecting your data. If something goes wrong, the buck stops with you. Make sure you educate staff and third-party vendors you are working with about the importance of data protection.

5. KNOW HOW WELL YOUR DATA IS BEING PROTECTED

What are you doing to protect your data? Is your data adequately protected by your employees, business, partners and third-party vendors that have access to it? Are you using multi-factor authentication? If your data is just behind a firewall, you’re not secure enough. To truly protect data both in transit and at rest, and be confident that you can send and receive data from any device, anywhere in the world, encrypting data is key. So is the proper storage and handling of encryption keys.
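As an added illustration of that last point (encrypting the data and handling the keys properly), and not code from Covata or from this paper, the Go program below implements envelope encryption: each document is encrypted under its own random data key (DEK) with AES-256-GCM, and the DEK is stored only in wrapped form under a key-encryption key (KEK) that a key service or HSM would hold. The names Envelope, Protect, Unprotect and Rewrap, and the sample plaintext, are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what is stored or sent: the ciphertext plus its data key (DEK),
// itself encrypted under a key-encryption key (KEK) that stays with the key holder.
type Envelope struct {
	Ciphertext []byte
	WrappedDEK []byte
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prepends the random nonce; the GCM tag
// makes any later modification of the bytes detectable.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal and fails on a wrong key or a tampered ciphertext.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// NewKey returns 32 random bytes, used for KEKs and per-document DEKs alike.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// Protect encrypts plaintext under a fresh DEK and wraps that DEK under the KEK.
func Protect(kek, plaintext []byte) (*Envelope, error) {
	dek, err := NewKey()
	if err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Unprotect unwraps the DEK with the KEK and decrypts; only the KEK holder
// (ideally a key service or HSM) can perform the unwrap step.
func Unprotect(kek []byte, e *Envelope) ([]byte, error) {
	dek, err := open(kek, e.WrappedDEK)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong KEK or tampered envelope")
	}
	return open(dek, e.Ciphertext)
}

// Rewrap rotates the KEK by re-wrapping the DEK under newKEK; the document
// ciphertext is untouched, so rotation costs one small operation per file.
func Rewrap(oldKEK, newKEK []byte, e *Envelope) error {
	dek, err := open(oldKEK, e.WrappedDEK)
	if err != nil {
		return err
	}
	wrapped, err := seal(newKEK, dek)
	if err != nil {
		return err
	}
	e.WrappedDEK = wrapped
	return nil
}

func main() {
	kek, _ := NewKey()
	env, _ := Protect(kek, []byte("constructed sample: HR salary list")) // constructed input
	pt, err := Unprotect(kek, env)
	fmt.Printf("recovered %q (err=%v)\n", pt, err)
}
```

Rewrap is what the separation buys you: rotating the KEK re-wraps one 32-byte key per file instead of re-encrypting every document, and the GCM authentication tag means a wrong KEK or a modified ciphertext is rejected outright rather than decrypted to garbage.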

LET’S GET PRACTICAL – WHAT TO LOOK FOR IN A DATA-CENTRIC SECURITY SOLUTION

Not all solutions are created equal, and often, the difference lies in a user’s understanding. I get asked why can’t we just use Box, or Dropbox, and my answer is, you can. If what you want and need is a simple file sharing and storage solution that will contain data that has no value at all to you, or that is in the public domain anyway, then it’s a cheap and easy solution. Go for it! If it gets breached, no harm, no foul.

However, if you’re a business that deals with sensitive or regulated information, or you’re a government department, then you need to have a solid grasp on the five things you need to know about data-centric security. Sensitive information needs to be encrypted before it's stored and before it travels anywhere, and it must remain encrypted until it reaches an authorised and authenticated user – so the right information is accessed by the right people in the right places.

Here are five things we suggest looking at when considering the best option to protect your sensitive data:

■ Usability – how easy is it to use the software solution? Is it intuitive, are there user groups, online help, quick start guides, minimal training requirements?

■ Control – what sort of control can you apply within the system? Can you let some users just view a file, whereas others can download it? Can you set a timer on when people can view a file and when there is no longer access to it? Can you set controls to ensure the document cannot be sent to an email address outside your organisation if the content is for internal consumption only?

■ Auditability – can you get a history trail of what’s happened with the file, so you can see who has given whom access, and when and how the file was accessed? This is important if you need to report a security breach.

■ Mobility – can the solution be used on multiple devices, and not just limited to a computer or laptop? Sometimes you’re working on your tablet in a coffee shop: is the solution truly mobile, so it goes wherever you go?

■ Affordability – organisations of all sizes face budget constraints. Being able to share information properly and store it safely does not have to be expensive. Consider cloud options which provide cheaper alternatives to installed and on-premises software.
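To make the Control and Auditability items concrete, together with the access policies described earlier under data-centric security (view versus download, time-limited access, content for internal consumption only), here is an added Go example that is not part of the paper or of any Covata product: a per-file policy evaluated at every access, with every grant and every decision, allowed or denied, appended to an audit trail. The user addresses, the domain example.com, the file name and the timestamp are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// Action is what a user asks to do with a protected file.
type Action string

const (
	View     Action = "view"
	Download Action = "download"
)

// Grant is one user's entitlement: the permitted actions and when they lapse.
type Grant struct {
	Actions []Action
	Expires time.Time
}

// Policy travels with the file. InternalOnly refuses any address outside
// OrgDomain regardless of grants, for content meant for internal use only.
type Policy struct {
	InternalOnly bool
	OrgDomain    string
	Grants       map[string]Grant // keyed by user e-mail address
}

// AuditEntry records every event with its reason: who gave whom access, and
// who then tried to view or download the file, whether or not it was allowed.
type AuditEntry struct {
	When    time.Time
	Actor   string // who performed the event
	Subject string // user granted access, or the requester
	Event   string // "grant" or the Action requested
	Allowed bool
	Reason  string
}

// ProtectedFile pairs a file's policy with its audit trail.
type ProtectedFile struct {
	Name   string
	Policy Policy
	Audit  []AuditEntry
}

// Share records who gave whom which access, and until when.
func (f *ProtectedFile) Share(grantor, user string, actions []Action, until, now time.Time) {
	if f.Policy.Grants == nil {
		f.Policy.Grants = map[string]Grant{}
	}
	f.Policy.Grants[user] = Grant{Actions: actions, Expires: until}
	reason := fmt.Sprintf("%v until %s", actions, until.Format(time.RFC3339))
	f.Audit = append(f.Audit, AuditEntry{now, grantor, user, "grant", true, reason})
}

// decide applies the policy in order: domain, grant present, not expired, action listed.
func (p Policy) decide(user string, action Action, now time.Time) (bool, string) {
	if p.InternalOnly && !strings.HasSuffix(strings.ToLower(user), "@"+strings.ToLower(p.OrgDomain)) {
		return false, "user outside organisation domain"
	}
	g, ok := p.Grants[user]
	if !ok {
		return false, "no grant for user"
	}
	if !now.Before(g.Expires) {
		return false, "grant expired"
	}
	for _, a := range g.Actions {
		if a == action {
			return true, "allowed by grant"
		}
	}
	return false, "action not permitted by grant"
}

// Request is the single gate every access passes through. The decision is
// logged whether or not it is allowed, which is what makes the trail useful
// when a breach has to be investigated and reported.
func (f *ProtectedFile) Request(user string, action Action, now time.Time) error {
	allowed, reason := f.Policy.decide(user, action, now)
	f.Audit = append(f.Audit, AuditEntry{now, user, user, string(action), allowed, reason})
	if !allowed {
		return errors.New("access denied: " + reason)
	}
	return nil
}

func main() {
	now := time.Date(2017, 10, 24, 9, 0, 0, 0, time.UTC) // constructed timestamp
	f := &ProtectedFile{Name: "board-pack.pdf", Policy: Policy{InternalOnly: true, OrgDomain: "example.com"}}
	f.Share("cfo@example.com", "analyst@example.com", []Action{View}, now.Add(48*time.Hour), now)
	f.Share("cfo@example.com", "auditor@partner.net", []Action{View, Download}, now.Add(48*time.Hour), now)
	fmt.Println(f.Request("analyst@example.com", View, now.Add(time.Hour)))     // <nil>: allowed
	fmt.Println(f.Request("analyst@example.com", Download, now.Add(time.Hour))) // denied: view only
	fmt.Println(f.Request("analyst@example.com", View, now.Add(72*time.Hour)))  // denied: grant expired
	fmt.Println(f.Request("auditor@partner.net", View, now.Add(time.Hour)))     // denied: internal only
	for _, e := range f.Audit {
		fmt.Printf("%s %s %s %s allowed=%t (%s)\n", e.When.Format(time.RFC3339), e.Actor, e.Event, e.Subject, e.Allowed, e.Reason)
	}
}
```

Every access goes through one gate, Request, which writes its audit entry before returning the decision, so a denied attempt is recorded as faithfully as a successful one; that trail, plus the grant entries written by Share, is the record an organisation would draw on when assessing and reporting a breach.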


SO … MY “FRIEND’S” ORGANISATION WAS BREACHED

Everything happens to our “friends” right? It never happens to us … until it does. Data breaches and cyberattacks are a part of the information age that we live in today. The rise of Big Data, Cloud Storage, Bring-Your-Own-Device – they all make our lives easier, but they also increase exposure to data breaches.

So build your castle, fill up your moat, add some crocodiles if you must, and place your anti-virus guards at the entrance – but keep the drawbridge down and only let in those who should have access when they need it – it’s more efficient and less damaging to your hands than pulling that chain up and down all day long. The reality is you have many more than one door to defend, so the only feasible solution is to defend the data.

The right data-centric security solution will allow you to do exactly this. Persistently encrypt your data, protect it in transit and at rest, protect it regardless of the device it starts on and the device it is viewed on, and control exactly who has access, when they have access and how they have access to your most valuable asset. Prevention is better and cheaper than cure.

Mike Fleck, VP Security, Covata


ABOUT COVATA

Covata Limited is a global technology brand, listed on the ASX, that provides data-centric security solutions for enterprise, government and citizens. Our easy to use security platform will discover and identify your sensitive information and where it resides, protect and manage your risk by sharing and storing your sensitive data securely, implement controls to restrict when and how users access your data, and then monitor and analyse user activity.

We ensure security is never an afterthought, protecting information at a data-level from the start, and at every point of its journey. Safe and efficient sharing of data across internal and external stakeholders, devices, networks and geographic regions is enabled and encouraged. You have total control, visibility and auditability of your sensitive information.

Contact us at [email protected]

"PREVENTION IS BETTER AND CHEAPER THAN CURE."