As data becomes more valuable, how can businesses ensure it won’t be stolen?
Now that every company is rolling out a form of Generative AI tool, one of the predictions of the decade may be realised: data is the new currency.
In order to generate the emails, articles, and general admin that needs to be done, there needs to be a database to draw inspiration from.
As a result, Research and Markets estimate that the global market for Big Data was worth US$154.9 Billion in the year 2022, and is projected to reach a revised size of US$353.9 Billion by 2030, growing at a compound annual growth rate of 10.9% between 2022 and 2030.
In the face of this explosion, many have turned to cloud storage to hold their data efficiently. According to Prashant Ketkar, Head of Customer Experience Automation Transformation at Hexaware Technologies, this data explosion is a result of the launch of the iPhone and Amazon Web Services.
“Two core secular trends are driving this move to cloud,” said Ketkar. “The first is the introduction of the iPhone and around the same time, Amazon Web Services came out with their first offering around distributed storage.
“With the iPhone and Android devices, a simple example is the camera on my phone today is as good as a camera I could buy 10 years ago. So it’s no surprise that this data is getting created at the rate of knots every day.
“On top of that, we’ve seen massive advances in distributed computing on server-side technologies. With these virtualized technologies, businesses can scale to millions of servers, which now makes storing the data that is created cheap, secure, and available.”
What’s out there?
As we’ve seen, this explosion of data has led to it being one of the more valuable assets businesses can own.
But with this new value comes the threat that someone may take it away from them. Ransomware, for example, has been “around forever” according to Jamie Moles, Senior Technical Manager at ExtraHop, but the threat is evolving. “What’s changing is the business model of the threat actors behind ransomware.
“Ten years ago ransomware was a shotgun approach, sending out a virus to a lot of email addresses to try to get in. Just like marketing always says, a one per cent success rate for mail shots is good, ransomware operators were operating in a similar way.
“But they got wise and started using things like phishing to target their campaigns, which led to defences getting smarter as well.”
These defences, according to Tom Mercer, Commercial Director of GAIN LINE, “incorporate advanced security features such as encryption, firewalls, and intrusion detection systems. These features help to secure data and prevent unauthorised access. However, hackers are also becoming more sophisticated, and new threats are constantly emerging.
“One of the ways storage solutions are under threat is through phishing attacks. These attacks involve cybercriminals sending emails that appear to be from a reputable source, such as a bank or a supplier, to trick users into giving away sensitive information. Another threat is ransomware, where hackers take control of a company’s data and demand payment to release it.”
Anders Reeves, CEO at CovertSwarm, added that once the hackers are in, it’s hard to get them out again.
“One of the mistakes that a lot of organisations make is thinking they’ve kicked out the hacker by shutting down the network where they’ve detected the threat.
“If you drop a glass on the kitchen floor, you’ll pick up the big bits first. But if you go hunting, you’ll find smaller shards scattered everywhere. That’s what an attacker looks to do. Like that broken glass, they will try and infiltrate as many places as possible.”
The Current Techniques
The threat of ransomware is a particular conundrum for businesses at the moment, as they decide whether to pay these malevolent actors.
Such a conundrum means that businesses often have to choose which threats they protect themselves against. As Ani Chaudhuri, CEO at Dasera, says: “Countering the threat posed by hackers has been a mixed bag.
“On the one hand, storage providers have implemented various security measures such as encryption, access controls, and intrusion detection systems to protect data. These solutions have certainly raised the bar for cybercriminals and made it more challenging for them to breach data defences.
“However, it is crucial to recognize that hackers are persistent and adaptive. They constantly evolve their techniques, exploit vulnerabilities, and leverage sophisticated tools and strategies to infiltrate storage systems. From advanced malware and phishing attacks to social engineering tactics, hackers employ many methods to bypass security measures and gain unauthorised access to sensitive data. The reality is that no storage solution can claim to be entirely impervious to cyber threats.
“Ultimately, the challenge lies in staying one step ahead of cybercriminals. It requires a combination of robust security measures, regular security assessments, employee training, and collaboration between businesses, storage providers, and security experts. By recognizing the evolving threat landscape and continuously enhancing data security practices, businesses can better protect their valuable information and minimise the risks posed by hackers.
“One of the significant threats facing storage solutions is the rise of ransomware attacks. Cybercriminals deploy ransomware to encrypt valuable data and demand a ransom in exchange for its release. These attacks can severely disrupt business operations, causing financial losses and reputational damage. Storage solutions must have robust security mechanisms in place to detect and mitigate ransomware threats, including real-time monitoring, behaviour-based detection, and backup and recovery strategies to minimise the impact of an attack.”
But as Mercer said, attackers are getting in and businesses are weighing up the idea of paying the ransom in the hopes that the hackers will leave.
That may seem a natural response, but Moles points out that reports from Sophos appear to show that if businesses pay hackers, the cost may end up being double the ransom anyway.
In fact, according to Moles, the new tactic may be to focus on how to mitigate damage once the hackers are in, whilst also trying to keep them out.
“The reality is that CISOs have been coming to us for years saying that we recognise the fact that no matter how many defences businesses put up, they’re in an arms race against the bad guys, and if they’re sophisticated enough, they are going to get in.
“Ninety-nine per cent of breaches can be put down to users clicking a link. As a result, CISOs are taking a pragmatic view, recognising they are going to have an intrusion, despite all the technology.
“Security spending nowadays is split 75% on protecting the perimeter and only 25% on the inside, which businesses should rebalance because they’re putting all of this money on a porous perimeter.
“At the end of the day, there’s a limit to how much businesses can spend before they’re just wasting money.”
Coded Messages
Encryption is often billed as the only way to deal with cyber security threats, and it is certainly at the heart of a lot of recommendations.
That includes those from Shaunak Amin, Co-founder and CEO at SwagMagic, and Ani Chaudhuri, CEO at Dasera.
“Businesses need to ensure they are selecting tools that are tough on hackers,” said Amin. “Look for those with features such as bank-level encryption, secure links, targeted roles and permissions, strong password enforcement, and two-factor authorization. These encryption measures let customers safely upload and access sensitive information from different platforms.
“If directors need help deciding which to choose, they should check out which vendors list banks and financial services in their client rosters. As these organisations require a high level of data security, their vendor choice may also be the right choice for the business.”
“To protect themselves, businesses must adopt a proactive and multi-layered approach to data security to defend themselves from cyber threats,” said Chaudhuri. “It starts with implementing comprehensive data security and governance controls encompassing the entire data lifecycle.
“Advanced encryption methods play a critical role in safeguarding sensitive data. Encryption ensures that even if data is compromised, it remains unreadable and useless to unauthorised individuals. By employing robust encryption techniques, businesses can add protection to their valuable data assets.”
Despite its clear popularity, John Benkert, CEO of Cigent, says that encryption isn’t the be-all and end-all for protecting data, adding: “Storage solutions have not been the weak link when it comes to data security. Strong encryption can be implemented at the storage layer to help defend against physical theft.
“Although cracking the encryption is possible with enough time and resources, it simply is not cost-effective and is usually reserved for nation-states.
“The weak link is the access controls to the storage. Why break through a vault when they can simply get the combo? When we look at ransomware and data extortion root causes, the majority of incidents have occurred as the result of phishing or other tactics where credentials or systems with access to data are compromised.
“Storage alone cannot address the threat posed by hackers. We have to look at the whole technology stack and identify the weak links.”
When they do get in
Of course, when we talk about security, the conversation often turns to the consequences of a hack.
When it comes to data, the cost of a breach is not just monetary, as Christine Sabino, Legal Director at Hayes Connor explains. “The number one consequence of this is a data breach. A breach of data is not only a problem for GDPR law, it has a myriad of consequences for the business involved and the victims.
“For companies, there is the risk that they will be involved in a lawsuit, and may even incur a hefty fine from the ICO. On top of this, there is a lot of red tape surrounding how best to approach a breach of data; without a proper PR strategy in place, businesses can get it very wrong, and risk their reputation being damaged. In the long term, a data breach can lead to a loss of business, as clients may not trust that their data is safe.
“On top of this, victims may have to seek legal intervention to claim for any of these losses, which can be incredibly stressful. Then, you have the emotional turmoil that comes with this, both the initial loss of data and then the subsequent uncertainty surrounding where this data is and how it may be used against them can be long-lasting.”
“There are significant legal and regulatory ramifications associated with data breaches,” said Chaudhuri. “Depending on the jurisdiction and industry, businesses may face fines, penalties, and legal actions from affected individuals or regulatory bodies.
“Compliance with data protection regulations, such as GDPR or HIPAA, is a legal requirement and essential for maintaining trust and credibility in the eyes of customers and partners. Failure to protect sensitive data can result in severe legal consequences, further exacerbating the financial impact on the organisation.”
On top of regulatory scrutiny and litigious customers, Chaudhuri touched on the reputational consequences and the loss of trust between the customer and the business.
“Beyond the immediate financial losses, businesses face a myriad of long-term repercussions. One of the most significant impacts is damaging their reputation and losing customer trust.
“In today’s digital age, where data breaches frequently make headlines, customers have become more cautious and demanding when sharing their personal information. A breach can erode customers’ trust in a business, leading to customer churn, decreased revenue, and difficulties in acquiring new customers.”
Access Denied
As Chaudhuri points out, it’s often the secondary factors that come a lot closer to breaking a business that has fallen victim to cybercriminals.
Although the €20 million fine the EU can hand down to businesses may send a shiver down the spines of owners across the continent, what’s more likely to finish off a business is the reputational damage and customer churn as a result of a breach.
As a result, Bernard Montel, Technical Director of Tenable, says that businesses need to take a risk-based approach to cyber security, accepting that the baddies might get in, but mitigating damage at every turn.
“By having a risk-based approach organisations link the business risk, to the IT risk and then to the cyber risks. By doing that they’re reducing the complexity and only focusing on what is risky for the organisation.
“Then, if there is some vulnerability or misconfiguration in a cloud that is detected with a tool, businesses can immediately apply the necessary measures before it has an impact on the organisation.”
People
The solution also lies with the people inside the business. After all, phishing attacks have become a popular attack method for a reason; they are successful.
To that point, Sabino added that, in her experience, businesses “are simply not doing enough.”
“The further we move away from Covid, and the more working from home becomes ingrained in our everyday lives, the clearer it is that businesses are not keeping up with what it takes to keep themselves protected. Hackers are seemingly one step ahead of everyone else, and technology is moving faster for many employees to handle.
“At first glance, businesses might think that the biggest risk to storage solutions is hacking and cybercrime. No doubt this is a very real threat, especially if the information is not secured properly, and there are no regular checks of the systems. That said, the often overlooked, and actually more pressing, concern is the risk of human error, leading to data breaches.
“This could happen on both sides of the coin: an employee working at the storage solutions may accidentally divulge information they are privy to within their work, or an employee at a business using the storage solutions may also do something similar.
“There are a number of ways businesses can protect themselves from these instances. From our point of view, the main suggestion we have for businesses is to implement regular training around data protection for employees.
“This can involve something as simple as providing definitions of GDPR, what it constitutes, and how human error breaches occur. The dangers of phishing scams, and how to spot them, can also be a good education point.
“It might sound simple, but these small improvements could save a business time and money. Ensuring to have regular training for current staff, and making this training part of the onboarding process is essential.”
Chaudhuri echoed that sentiment, adding: “Storage solutions are also vulnerable to insider threats, where employees or trusted individuals misuse their privileges to access or leak sensitive data.
“Whether intentionally or unintentionally, insider threats can result in significant data breaches and compromise the security of storage systems. Implementing access controls, user behaviour monitoring and regular security audits can help identify and mitigate the risks associated with insider threats.
“Employee training is a critical component of a strong defence. Cyber Security awareness programs educate employees about potential risks, best practices, and the importance of data security. By empowering employees to identify and respond to potential threats, businesses can build a security culture and reduce the likelihood of human error leading to breaches.
“Incident response plans are crucial for effective incident management and mitigation. Businesses should have well-defined procedures to detect, respond to, and recover from security incidents. This includes establishing a dedicated incident response team, implementing incident monitoring systems, and conducting regular drills to test and refine the response plan.”
While the blame may be at least partially levelled at employees, according to Reeves and Moles, businesses need to take responsibility for training staff to spot potential problems, and maybe the odd phishy email.
“It doesn’t matter how much technology a business has in place if they don’t have the skill of people to pay attention to it,” said Moles.
“A few years ago, Rob Joyce, who used to be the Head of Tailored Access Operations at the NSA in America, presented at a conference and talked fairly openly about how the NSA works and what caused them problems. He said that what hackers fear the most is an out-of-band network monitoring solution that sees everything on the network and that someone is paying attention.
“If we’re going to defend networks better, we need a combination of good technology, good people, and good processes. That’s the pragmatic approach that I’m seeing more from C-level people.”
“Focusing on developing the internal security culture is key,” said Reeves. “Threat-aware staff, who are trained against their genuine environmental risks, not death by PowerPoint, are the most effective defence.
“An important question CEOs need to be asking of their business right now is how likely are your people to raise their hands and admit to clicking a dodgy link or being held to ransom? Security and risk go hand in hand but are rarely seen as bedfellows at the board level.
“Risk is often articulated at the board level through a commercial lens, but rarely seen from the perspective of cyber governance and compliance – let alone impact from those hellbent on disrupting your business. A firewall and long passwords are no longer enough.”