In July 2019, the Marriott International chain of hotels was fined US$123 million for leaking the data of more than 380 million hotel guests in the UK.
One topic common to CXOCIETY roundtables attended by senior leadership in Asia – regardless of their function – is the topic of security. While some may even acknowledge a lack of strategy when it comes to digital transformation, and even a dis-interest in the cloud, nearly all acknowledge the importance of data security.
Data or information as an asset is still in the early adoption phase – making it a competitive differentiator for leading organisations intent on quickly monetising the benefits of digital transformation.
However, in the rush to digitally transformation, organisations often focus on the creation and mining of data – not its protection. Hence, we see an escalation of scale, frequency and intensity of data breaches.
As Tim Norris, product and solution strategist for RSA Security wrote that security and risk management leaders face unprecedented challenges as they strive to support the business through the digital transformation journey while minimizing the risk and potential negative business impact from increasing digital operations.
“While some of these risk areas seem straightforward or business-as-usual, the reality is that the ways in which organizations need to manage these risks and work across organizational silos in business, risk management and security are drastically different than it was in the past. This shift is reflected in emerging trends in security and risk management,” he opined.
“The simple thing to understand is that in today’s digital economy, it’s all about data,” said George Lee, vice president for Asia-Pacific and Japan for RSA.
“The higher the wall, the bigger the wall – the better - or so many believed,” he added.
Unfortunately, this strategy will not work in the digital economy. The digital business model is all about being connected to customers, business partners and suppliers. As a result, the data is no longer confined to the enterprise’s data centre.
“Data is everywhere – in the data centre, in the cloud, and on mobile devices. Data is everywhere. It is really about data means the most [to the business]. Whatever [security] approach the organisation is taking should be directed at what is most important to the business,” he continued.
Lee acknowledged that most organisations will not be able to protect everything. There will be a point in the future that a breach will occur [if it hasn’t already]. “The [security] wall will never be able to hold off all attackers,” he acknowledged with carefully worded caution.
He also noted that insider threat is real and ever-present. He observed that most media coverage and discussions about data breaches seem to pin the blame on external forces for such occurrences.
“Nobody looks inward. If you have an organisation of 70,000 people, can you guarantee that every person shares the same commitment to integrity? A company should take a risk-based, data-based approach to how data is to access, by whom, for what purpose, and for how long,” he advised.
Gartner referred to this as privileged access management. Hackers are looking for people with special access to information or projects which can be monetized.
In the case of the Marriott data leak, the incident was attributed to poor monitoring of efforts and employee negligence – activities that Gartner says are preventable had the IT systems been secured from internal threats.
Internet threats – it is astonishing that in a period when trust is what binds organisations and humans more closely, it is also the most often ignored piece of the security strategy that all enterprises seem to fall victim to.
RSA’s Lee noted that a lot has changed over the last few years, suggesting a need for organisations to revisit their data strategy.