Forget the firewall, it's time to cosy up to your data

Businesses must go beyond the ‘perimeter’ approach to security and focus on understanding the nature of their data and managing access accordingly.

Business owners don’t need reminding that IT security can be a complicated area. The perplexing and dramatic implications of the recent eBay data breach would certainly jog their memory. With more than 145 million customer records exposed to hackers, it’s the kind of seismic event that sticks in the mind and keeps even the most relaxed business owner awake at night.

It is small consolation to be told that effective data security for business is simpler than many realise. Unfortunately, knowing this does not make the headache go away.

It is certainly true that the broader technology landscape has shifted rapidly in the past several years. If you think about the arrival of near-ubiquitous high-speed connectivity, together with transformative technology like cloud services or the explosion of mobile devices, it is easy to get lost in complexity.

These disruptive technologies have fundamentally changed the way we do business, and the strategic approach to data security has changed dramatically along with them.

Business owners and senior managers are scrambling to understand how to leverage these new technology models. It’s tough, and for the non-IT professional it can be confusing. But the opportunities brought on by new technology far outweigh the headaches.

If there is one trend I would urge all business owners and senior executives to understand, it is the concept of ‘data-centric’ security.

If you think about the way IT has traditionally been locked down, it has been all about placing a secure barrier around your company’s data to keep unauthorised users out. That’s a basic description of perimeter security, and it refers to firewalls and the basic authentication systems that accompany them.

More evolved security organisations don’t just look at the strength of the perimeter. They are increasingly focused on what happens inside the perimeter as well.

It’s not hard to see how perimeter-focused security is unable to protect a complex environment where unsecured personal mobile devices are used as a normal part of the average workday, or where data stored in the cloud needs to be accessed anywhere and anytime.

Data-centric security recognises the increased frequency of attacks from a much broader range of threat vectors. Perimeter security was predicated on the notion of a protectable boundary, but the sophistication of cyber threats and the sheer volume of attacks aimed at corporate users mean that this is a dangerous assumption to make.

Under the new model, perimeter security makes up just one element of a more comprehensive security strategy which includes encryption, proper software patch management and more real-time monitoring.

Essentially, a data-centric security strategy focuses on establishing a better understanding of what data is held within the business systems and where it is located, and on classifying that data to rate its sensitivity.

A folder containing, say, standard marketing brochures is not going to require the same kind of security priorities as a folder containing customer names, addresses and bank account details. A data-centric security model is about visibility: knowing who is accessing what data, when they are accessing it, and where and how they are accessing it.

Ground Labs specialises in creating best-practice software for discovering sensitive data. The company originally focused on building data discovery tools for PCI compliance to protect credit card details, but more recently has expanded its products to include data discovery for a broader set of personal information, covering 95 types of sensitive personal data.

In Australia, these security measures have been given a heightened priority profile by the changes to privacy legislation earlier this year that gave the Privacy Commissioner powers to impose stiff fines and onerous executive orders against companies that do not adequately protect the personal information of customers.

Currently, companies are not legally obliged to report when they have suffered a data breach. Ideally the situation will change with the reintroduction of the Mandatory Data Breach Notification Bill in March, a step in the right direction that will encourage Australian businesses to think carefully.

Technology to secure your business has never been more affordable or more accessible, and the current wave of disruptive technology presents benefits for businesses of all sizes. Keep an eye on the risks as well as the rewards, but understand that you cannot achieve data security if you don’t know where your personal information is in the first place.

Stephen Cavey is the co-founder and director of Corporate Development for Ground Labs, a global leader in security and data audit software.