Commerce is built on the concept of the value chain. The notion that you can take something of relatively little worth and, through various processes, increase its value is fundamental to a sustainable global economy. And, in the early part of the 21st century, it is “data” that gives rise to perhaps the most significant contemporary value chain of all.
Now, I’m not saying that data is new. After all, the Babylonians conducted the first known census nearly 6,000 years ago. So, what makes the data we collect today more attractive? I contend there are four key factors that come into play nowadays:
- The sheer volume of data that is collected.
- The frequency at which data is collected.
- The accessibility of the data.
- The ability to process the data.
Today, anything can be a device, or a ‘thing’ – a car, a phone, a fish tank – and they all collect data. As the Internet of Things (IoT) proliferates, so will the data that is collected. And because these devices are connected there is a constant stream of data, be it about your location, your browsing habits, or what you spend your money on. But just because data can be collected does not, in itself, make that data more valuable.
While it’s true to say that data volumes are increasing exponentially, as already mentioned we should not lose sight of the fact that data has always been collected. However, much of that data was inaccessible – paper documents stored in warehouses or magnetic tapes stored in libraries. Today, data is electronic, accessible from anywhere, and is shared and traded amongst organizations instantaneously.
The final link in this value chain is our ability to process this data. In other words, we refine what is basically a raw material into something that yields intelligence, insight, and, ultimately, wisdom. This is the data value chain and organization’s that understand its significance can prosper. And this is why it is also of interest to hackers.
So now we have the raw ingredients, what does the data value chain look like? Think of the raw data as a collection of unassociated facts, log files, and records. It sits at the bottom of the pyramid (see figure 1) and, like crude oil, needs refining to deliver value. The next stage is to bring together relevant data elements. For instance, it could be associating a bank account number with a name and a series of purchase records. This gives us information, something more meaningful that we can work with and, of course, something more valuable. But the story does not end there. The information stage is predominantly reactive, it allows you to know what has happened but not necessarily why.
Figure 1: The Data Pyramid
The next stage is knowledge. By interpreting information, we can begin to understand why events happen; Joe is related to Josephine, it’s Josephine’s birthday so Joe goes shopping for a gift. This allows us to predict. For instance, in the example I’ve just used, it’s likely that Joe will go shopping around the same time each year to buy a gift for Josephine. Finally, we have wisdom. At this stage, we can use knowledge to make decisions and determine actions; understanding what is happening and why it is happening enables us to be proactive.
- Data can be assimilated more quickly than ever before from multiple, diverse sources and locations.
- The value of data grows as it ascends the Data Pyramid and acquires knowledge and wisdom.
- As the value of data increases to your organization, it also becomes more attractive to the cyber-criminal.
Throughout its rise through the pyramid, the data’s elements remain the same. Their value increases because of the way they are combined with other data elements and how this enables organizations to move from a passive to proactive data stance. For instance, more customer insight enables a greater degree of personalization which, in turn, should lead to more customer engagement and ultimately sales.
But we all know that data underpins every successful business. Shipping companies are lost if the data isn’t there to tell them where to collect and drop containers. Banks can’t function unless they have real time access to trading data. And retailers cannot keep their shelves stocked unless the data that tells them goods are needed (and in what quantity) exists. Whether it’s business, the process of government, research or medicine, our dependence on data will continue to grow and the consequences of that data being corrupted or denied grows too.
Yet the amassing of data, especially about customers and prospects, is for many organizations becoming the rope by which they hang themselves. New regulations, such as General Data Protection Regulation (GDPR – www.eugdpr.org ) mean companies must have the right storage, security, and processes in place to protect this high-value commodity.
And, not only are the regulators keen for you to keep an eye on the data, so are your customers. The value of your data is only sustained if you can protect it. As soon as a breach occurs the effect on customers can be immediate. Many may lose their trust in your ability to store their data and, under GDPR, can demand all of their information be removed from your systems. Ultimately, many may simply never buy from you again, nor recommend you to others.
So the challenge for CISOs is that while more data helps the organization make better business decisions, keeping that data secure is costly and more risky than ever. With data in various places, from CRM systems to personal inboxes, networks to databases and third-party clouds, securing it all is no longer achieved with an endpoint solution.
- The way we access, correlate, and use data will continue to evolve driven by technology.
- New legislation, such as GDPR, is enforcing tough security, process, and access rules on companies who amass customer information.
- While data has increased in value, the cost to an organization of not safeguarding it effectively will escalate.
New Data, New Rules
Securing data inside a perimeter is a relatively easy task. But who operates within a perimeter these days? Datacenters, public cloud, private cloud, business application hosts – your data resides in them all and in today’s world, there is no perimeter. So as a CISO, ask yourself this: why is your organization still playing by the old rules of perimeter security when the perimeter no longer exists? The network is the common factor that connects everything, so why not consider the network as a key component of your security?
You own your data and, under GDPR, you need to know where that data is and what applications are using it at any given point in time (in a recent poll Juniper conducted, 43 percent of respondents admitted they did not know where their data is stored)1. But you use many third parties to store, transport, and retrieve your data so how do you define the boundary of your network? And your organization needs access to this information in real-time to enable business agility and faster decision making. As much as we may instinctively want to lock the systems down Fort Knox-style, this defeats the object of collecting the data in the first place.
But, as I’ve mentioned, not all data is created equal, so investing in a blanket approach to security may not be cost-effective nor operationally expedient. How would your security posture change if you knew where your most valuable data was stored? By having intelligence in the network and investing in real-time security, you can have a better overview of what’s going on and can respond accordingly. You can balance the level of investment against the relative value of specific data.
- Perimeter security is no longer a viable option, instead focus on securing the network.
- Avoid locking systems down, this defeats the object of collecting data for an agile business.
- Balance investing in security with the value of sub-sets of data that are to be stored.
According to Gartner, By 2020, there will be 20.4 billion installed IoT units globally, 63% of which are consumer related2. Just think of all the data this will generate, especially as the “network effect” (where the value of the network multiplies each time a new user is added), kicks in. Even if you are not actively investing in IoT (yet), your customers, partners, and suppliers will be and they will be sending it to your network and feeding your data mountain so you can make more informed business decisions, more quickly.
But all of this means more opportunities for the cyber-criminal. At some point your network will be exposed to an IoT device that is insecure – not a Windows PC or a MAC, but a vending machine, a CCTV camera, or a refrigerator. So, you need to think laterally when considering your network security posture and you certainly need to deploy something today that can easily be adapted in the future.
Over 357,000,000 new malware attacks3 were initiated globally in 2016. That’s over 29,000,000 every month. There is no way this volume of attacks could be written by individual hackers. Automation is now intrinsic to cyber-crime. The days of “monthly bug fixes” are long gone; today it’s all about instant responses to stay ahead of fast-evolving malware, so automation should now be part of your defense too. Only automation gives you the ability to analyze what’s happening on your network, identify abnormalities, and then fix or flag it before damage can be done.
Educating your workforce is still an important tactic but sometimes the publicity given to the major attacks that succeed can be counter-intuitive. Like terrorism, most of us only hear about the attacks that succeed and not numerous attempts that are thwarted. This can make us blasé in our general approach to security, so education on the latest techniques remains critical.
Use machine learning to identify a problem quickly, then automation to remediate the issue. With this principle, all connected devices will be updated and protected. By using automation to execute the repetitive tasks, your valuable IT resources can be freed up to focus on other business-critical initiatives such as digital transformation.
- Automation is now responsible for proliferating the majority of malware.
- The only response is to have automated security that can quickly detect any network anomalies.
- Automated security leaves your team free to innovate more and the need to fire-fight less.
- Flexible networks that adapt to the threat horizon can help keep your data secure.
We are now all data addicts. More and more data is piling into your organization every minute and it needs to be processed, stored, and accessed if organizations are to thrive. More importantly, it needs to be protected and secured.
But, as the data value chain evolves, it increases in value not just to your organization, but also to cyber-criminals. As the latter develop ever more sophisticated means of threat, you must stay one step ahead. But that becomes more challenging in a world of IoT and a world where the perimeter no longer exists.
We can stay ahead of ever more sophisticated cyber-criminals by adopting flexible, programmable networks that adapt to the changing security landscape. By leveraging the power of the network, you can build a platform that intelligently keeps your data – and your business – safe and compliant.
You can subscribe to my regular podcast – Security Straight Talk – through iTunes. https://itunes.apple.com/gb/podcast/security-straight-talk-by-juniper-networks/id1296440569?mt=2
Or visit our web page www.juniper.net/security-straight-talk for more blogs, videos and articles.
1 – Juniper Networks, “Security and the de-Commoditization of Data,” 2017, webinar. http://event.on24.com/eventRegistration/console/EventConsoleApollo.jsp?&eventid=1471139&sessionid=1&username=&partnerref=&format=fhaudio&mobile=false&flashsupportedmobiledevice=false&helpcenter=false&key=42973FC74CEBC753E297CE6038ED1B0E&text_language_id=en&playerwidth=1000&playerheight=650&overwritelobby=y&eventuserid=178162251&contenttype=A&mediametricsessionid=147751638&mediametricid=2112853&usercd=178162251&mode=launch
2 – Gartner, Inc., “Forecast Analysis: Internet of Things – Endpoints, Worldwide, 2016 Update,” February 2017, Peter Middleton.
3 - Symantec Internet Security Threat Report April 2016 https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf
“You must not rely on the information in this blog as an alternative to legal advice from your attorney or other professional legal services provider. You should never delay seeking legal advice, disregard legal advice, or commence or discontinue any legal action because of information in this blog.”