"Insanity is doing the same thing over and over and expecting different results." Whether it was Einstein or someone else who said it is irrelevant. What is relevant is that organizations continue to suffer from data breaches with increasing frequency and impact. Yet people and organizations keep doing the same thing over and over, trying to prevent them.
I keep reading and hearing of the strategies (tactics at best, in my opinion) and best practices intended to reduce the risk of a data breach, whether from ransomware, nation-state attack, or even malicious insiders. Things like zero trust, multi-factor authentication, patch Tuesday, anti-virus and firewall solutions, segmenting your network, using strong and unique passwords, using identity and access management solutions, employing intrusion prevention and detection solutions, and the list goes on. While many technologies are warranted for reducing the risk of an attack, sensitive data is still exfiltrated, leaving me to state that even best-of-breed technologies cannot protect the data itself.
Yes, we must protect the network, endpoints, cloud, and everything in between. That is table stakes. Consider this: whether it was Willie Sutton or John Dillinger, famous bank robbers of the 1930s, the maxim on why they robbed banks was because "that's where the money is." Cash held anywhere is an attractant to crime, and it is analogous to data. Replace cash with a substitute, like a wire or e-transfer, and there is nothing of value for the robbers to steal. So why are we not protecting data in the same way?
What if you could replace your data with a substitute value, a token, encrypt it, or redact it? Today's adversaries, ransomware groups, and malicious insiders would have nothing if they gained access to your organization's data. What if you could provide this protection to virtually any data type without changing user behavior or business processes? You can stop the insanity by removing the data and protecting your organization so that when someone gains access to your environment, there is nothing to steal.
It is time to put sensitive data at the forefront of cyber strategies and not look to other technologies whose main mission does not include the data.
Written by Charlie Atkinson.