According to IBM’s latest “Cost of a Data Breach Report,” the cost of a breach has risen to nearly $4.5 million per incident on average globally. While stolen data is an obvious impact of a breach, lost profits and corporate reputation can also cause significant and even longer-lasting damage to businesses. The consequences are often felt long after the initial breach as they can erode customers’ trust, lead to declining stock prices for public companies, and force businesses to raise prices to deal with lost profits.
That’s all to say, a data breach can have a massive impact on all areas of the business… but what if that was no longer the case?
Imagine a future where a breach is harmless — it’s not that they won’t happen, but they won’t matter. A company is infiltrated, attackers make their way into the network and maybe even access an employee’s device, but the data remains safe and uncompromised. And because there is no data loss, the reputational fallout is next to nothing, as organizations can confidently say that corporate and customer data was protected despite the breach.
Sounds great, right? It’s entirely possible — but only if organizations commit to a needed, if not overdue, paradigm shift in their security strategies.
A Paradigm Shift in Security
For years, the dominant theory was to build security around the network: protect the perimeter and keep bad actors out. This approach ended up being insufficient as bigger and higher walls don’t matter when the perimeter is porous. Next, the growth of endpoints and more distributed workforces created a new strategy where security was built around devices. This approach again fell short as device-based security leaves gaps when it comes to third parties with access to enterprise assets.
Building security around networks and devices alone isn’t effective. It’s time to shift the focus to building security around the data itself. This model embeds granular security controls not around devices or workers but around the digital assets to ensure they’re used only as intended. These controls travel wherever the data goes whether inside or outside the enterprise, are agnostic to the mediums through which data is shared and stored, and allow access to digital assets to be updated any time.
By securing data outside the network perimeter, organizations can retain visibility and control of their sensitive assets, even while sharing critical information with third-party collaborators. This enables them to secure their supply chain without slowing growth for the enterprise. By focusing on protecting data rather than networks or endpoints, organizations not only protect their most critical and sensitive assets but also proactively mitigate the impact of any future breach.
5 Steps to Reduce the Impact of Breaches
Here are five steps security professionals can take to reorient their cybersecurity strategy and reduce the impact of breaches:
Communicate to executive leaders why this shift is necessary: Firewalls and endpoint protection have dominated security for years, so there’s an element of change management needed. Before transitioning to a data-oriented model, you need to gain buy-in from the executive team. When preparing for this discussion, pull from recent well-known breaches like Log4j and MOVEit to highlight lost profits and reputational fallout. During the conversation, lean into other benefits this shift will usher in, such as greater compliance. Higher-level business values can resonate better with non-technical stakeholders than pure cybersecurity use cases.
Know and classify your data: After getting buy-in from executives, identify the most valuable data and classify it accordingly. To classify your data, ask questions such as: What is the purpose of the data? What format is the data in? Where does the data live? Who uses it, and are they in or outside the organization?
Develop policies that continuously protect data: When deciding the best policies for the enterprise, you must understand the data’s lifecycle (such as who uses it when, how they use it) and address the different levels of risk different groups of data might require. As you create policies, be sure to include real users of the data to create the most usable processes.
Automate your data protection: Automation is a necessary element in data security as it helps avoid human error or oversights. Teams should consider practices like automatically classifying data from certain users or teams or whenever certain information is mentioned (for example, financial statements).
Solicit feedback and prioritize usability: Rigid security policies can prevent work from being completed, leading to frustrated employees looking for ways to get around security measures. Include employees outside the security team to see what is working and what isn’t, where they may need more flexibility, and when workflow processes may be changing.
A single data breach can turn a company upside down, at times beyond recovery. But in the years to come, it doesn’t have to be that way. By evolving past outdated cybersecurity paradigms that no longer serve modern enterprises, organizations can not only develop stronger security practices but render breaches inconsequential.