Data is pretty important to any business these days. Many people claim that data is the most important asset you can possess, with more utility than capital assets and with more meaningful (though often latent) insights than a host of human capital. Data reflects your entire business: your intellectual property, your industry, the broader market trends, the pain points and needs of prospective customers, and your actual customer base. It’s all in there, embedded within the data your company collects, analyzes, and stores. Given all of that, I don’t think that it’s a stretch to say that data is more precious than gold to your company.
I like to think of it another way, though. Data is the lifeblood of your organization, providing everything necessary to live and prosper. Companies large and small are like organizations within a larger ecosystem, and simple biology explains that for the organization to compete and thrive, it must have its basic sustenance. For mammals, that’s energy and oxygen, and the other nutrients coursing through the bloodstream. Cut this off or obstruct it, and that’s pretty bad. Get cut deeply and leak too much—that’s really bad. Leaks of all kinds lead to no good in this world. Another way data is like blood.
Gold is static. It is inert insofar as a lump of precious metal is concerned. It doesn’t serve much purpose other than to be what it is, so aside from the value we humans place upon it, gold is pretty much an attractive paperweight but can’t in and of itself sustain you in any biological sense. Your blood is dynamic, always moving and flowing through your veins and arteries and providing multiple necessary tasks to sustain life along the way. It follows these pre-defined channels and carries out its designated actions and biological processes, much like the workflows that your data courses through within your business. I hope at this point I have sufficiently convinced you that blood, not gold, is the more appropriate metaphor to describe the unparalleled importance of data to your organizations.
I am belabouring this comparison to get to the ultimate point, which is that if data is such an important asset—the veritable lifeblood of your company—shouldn’t it be zealously protected with whatever resource is necessary to preserve it, to keep it safe, and to keep it flowing? I am sure that if I inquire of any business whether they do or don’t protect their data, the answer will always be affirmative. Of course, we protect our data! I was brought up never to ask a question to which I knew the answer, and I think that that question is one of them. The better question, the answer to which provides better insights about the nature of data protection, is how do you protect the lifeblood of your organization, which is your corporate data? That question should lead to much more interesting and revealing answers if you happen to ask your colleagues and IT supervisors.
Most organizations use a combination of processes and IT applications to protect data, from border-guarding technologies (think firewalls and intrusion detection mechanisms) to identity verification technologies (to authenticate that you are who you say you are), and access technologies (to make sure you as the authenticated identity actually have permission to view and work with whatever data resource you’re asking for). Cybersecurity is actually much more complex and comprehensive than this description, of course, but from a top-level view, these are the general ways that businesses protect their data.
An often-overlooked mechanism for guarding data is protecting the data itself. Most people are aware of encryption as something that usually happens to their entire storage volume within their laptop, but from an enterprise perspective, this type of data-centric security—encryption, tokenization, format-preserving encryption—should be applied to all critical, sensitive data within your corporate workflows. Each method has its benefits and drawbacks, but when it comes right down to it, if you aren’t relying on data protection applied directly to your data, then that means it’s readable and comprehensible to anyone who gains access to it, even if that person doesn’t have the right to be accessing it.
At that point, you have a data leak, and as I stated earlier, nothing good comes from a leak of either your blood or the lifeblood of your enterprise. For the latter, at least data-centric protection can mitigate the risk of sensitive information being disclosed in the leak. And that’s a bloody good reason to consider data-centric security.