If Data Is "The New Oil," How Should Enterprises Protect These Assets?

Rashmi Gopinath, General Partner, B Capital Group

In 2017, The Economist published a report called, “The world’s most valuable resource is no longer oil, but data.” Since then, data has become a critical competitive advantage for most successful businesses, and those who are able to manage proprietary and third-party data can derive insights that drive better business decisions. But the available supply of data has exploded to a point that many enterprises are overwhelmed, and struggle to even have basic visibility across their data sources and software supply chains.

Consider the exponential growth curve data is on today. Over 90 percent of the data the world has ever created was generated in the last two years, and we collectively create 1.2 trillion MB of data daily. IDG estimates that companies access, on average, over 400 different data sources, and 20% of organizations pull data from 1,000+ data sources, many of which contain sensitive Personally Identifiable Data (PII), Protected Health Information (PHI), or financial information.

If data is indeed the new oil, how can enterprises manage and protect their most valuable assets?For startups creating solutions for a “data-is-oil” world, the possibilities to deliver value to enterprises are nearly endless if you understand the challenges keeping your potential customers up at night.

Tools that Holistically Manage Data Inventory, Storage, Deployment, and Security

Enterprises often struggle to establish complete visibility across fragmented data silos, especially “dark data”(unstructured and unutilized data, typically stored in log files or archives). Companies need audit and discovery tools that identify sensitive data and ensure it is properly protected with security controls that meet compliance and regulatory requirements. Additionally, the right encryption, data anonymization, and redaction technologies can both protect and control sensitive data at-rest and in-motion. Advanced encryption technologies such as homomorphic encryption allow companies to use encrypted data without requiring decrypting, thereby eliminating the risks of compromise.

Next-generation Security made for Modern Ways of Working and Evolving Threats

Many companies have faced a variety of hacks and breaches this year stemming from a hurried transition to distributed operations and at-home workplaces due to the Covid-19 pandemic. The breaches have been wide-spread and industry-agnostic. Over 8.4 billion records were exposed in the first quarter of 2020 alone!

A highly publicized Twitter hack of 130high-profile accounts, including Barack Obama, Jeff Bezos, Elon Musk, posted fake tweets offering Bitcoin transfers that resulted in people losing thousands of dollars. This breach was executed through a spearphishing attack on Twitter employees’ mobile phones that gave hackers access to employee credentials. Marriott suffered a breach that exposed data of more than 5.2M customers when hackers obtainedlogin credentials of two Marriott employees. Aside from brand damage and other business losses, the hefty penalties for these breaches amount to hundreds of millions of dollars (Equifax: $575M, British Airways: $230M, Uber: $148M, Marriott: $124M).

New approaches to cybersecurity have become mission-critical to protect employee credentials and customer information in an age where “home is the new office” and employees work without enterprise firewalls. To take on these new threats, companies must conduct an asset discovery process on all technology ecosystems. This means cataloging all software and identifying what was internally developed, produced by third-party software vendors, or taken from open source libraries and API access points, as well as inventorying hardware assets such as computers, servers, storage devices, and other infrastructure.

Companies will also need continuous testing solutions that test cybersecurity defense mechanisms by trying to break into these assets. Additionally, companies must deploy effective security tools to protect against email and phone-based phishing attacks, keep security patches updated, and train employees and contractors on security awareness as fully and partially remote work continues in perpetuity.

Proper Controls and Processes that Provide Appropriate Admin Access

One of the most common culprits of data vulnerability is inadequate policies guiding privileged data access. Most enterprises are shocked to learn about hundreds of admin accounts that have been created over time across internal systems, many of which remain unused with old passwords, making them extremely vulnerable to hacking. Companies will need to adopt “least privilege” models to ensure most teams can complete necessary tasks with the absolute minimum permission setting, preventing access to most data. Access management solutions can help detect unnecessary logins, using zero-trust strategies to grant dynamic privileged access on a just-in-time basis. Companies will also need to implement and train teams on explicit policies and procedures for handling sensitive data and regularly audit these policies.

As data becomes the most critical asset to all businesses regardless of size or sector,security is more important than ever. Companies have moved security spend from cost to revenue centers after seeing the positive impact of data protection on both customer trust and revenue growth. Startups have an opportunity to play a role in protecting these valuable “data oil fields” with solutions that bring data security into every division and level of an organization and solve for threats and vulnerabilities as they emerge.