Here in 2019, it shouldn’t be necessary to talk about building a business case for data security. For anyone paying any attention at all to the news, the case pretty much writes itself.
This summer alone, we’ve heard about breaches affecting Capital One and MoviePass, as well as a settlement that will cost Equifax at least $650 million in consumer payouts over its notorious 2017 data breach. Today, 2019 is well on its way to becoming the worst year on record for breach activity: According to RiskBased Security, 3,813 breaches were reported in the first six months of this year, exposing over 4.1 billion records. Compared with the same period in 2018, the number of reported breaches is up 54%. To add insult to injury, three of the 2019 incidents have made the top ten list of the largest breaches of all time.
Clearly, it’s no longer the cost of cybersecurity that needs defending. What needs defending today is the cost of failing to take cyber defense seriously. Data breaches have cost organizations untold billions in thefts, ransoms, settlements and reputational damage. And now, in the absence of any meaningful action, there is the very real risk that the public will withdraw its trust and confidence in the world of digital enterprise.
But the business case here has to be about more than the cost of breaches. After all, organizations never seem to think a breach will happen to them. And if cost alone could build the business case, it would have been a slam dunk years ago.
It may be that the better business case starts with waking up to the reality of how work actually gets done in the 21st century. Each year, the pre-digital model of a full-time, permanent workforce becomes more of a distant memory. More and more, enterprise relies on a scattered assortment of contract employees and third-party vendors, who may themselves be relying on a contingent workforce. It’s estimated that the majority of the U.S. workforce will be freelance by 2027. And when it comes to IT services alone, Gartner predicts that 50% will be outsourced as early as next year.
On the plus side, this new model of employment gives enterprises unprecedented access to a global network of top talent. On the downside, though, organizations have a new level of exposure to bad actors and incompetents, because even loyal employees and honest contractors can threaten your IT environment if there’s malware living on their devices.
It’s time for organizations to abandon the fantasy that workers can be persuaded, scolded or threatened into safeguarding data. The strategy of offloading the burden of security onto an ever-changing lineup of strangers was absurd from the start, and today, it’s just grossly negligent.
Let’s instead adopt a new approach to security, one that matches the realities of your global workforce. To us at Tehama, the approach relies on four key best practices:
1. Strong identity control
To do their work, your remote employees and contractors need access to corporate data, and that access is typically granted through privileged credentials. But when a privileged identity falls into the wrong hands, you’re at risk. Authentication should always be multi-factor, so that a stolen or phished password is not enough on its own to unlock that privilege.
2. Impenetrable, airlocked work environment
A lot of work gets done today on laptops, phones and other mobile endpoint devices, each of which has been connecting to untrusted networks. If you give those devices direct access to your network, there’s a strong possibility that you’ll be opening the door to malware. The surest answer is to conduct your business through an isolated virtual workspace that keeps corporate data off the endpoint, so that whatever is living on the device never reaches your environment.
3. Zero-trust network models
If you hired someone to water your plants, you probably wouldn’t give them the keys to your safe. But when organizations grant network access on the basis of trust, that’s effectively what they’re doing. The obvious answer is to create a zero-trust environment that applies whether work is being done by an outsider or a full-time employee. In the best zero-trust model, personnel get access only to the data they need to do their jobs. Access is granted only after the user’s identity is authenticated. And every action on the platform is audited and recorded.
4. Make the Principle of Least Privilege the law of the land.
Too often, convenience trumps caution when it comes to protecting IT systems. That’s how a database administrator who has only one task to do can end up with “superuser” access that puts the integrity of the whole system at risk. The key today, when it comes to securing corporate networks, is to trust no one: grant each account only the permissions its task requires, and nothing more.
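The four practices above fit together into a single access decision: a request is honoured only if the identity has completed its second factor (1), the resource and action were explicitly granted rather than inherited from a "superuser" role (3, 4), and the decision is recorded whether it was allowed or not (3). The following is an added example to illustrate that decision, not Tehama's code or anything from the original post; the principal names, resource names and scenario are constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# Constructed example (not Tehama's code): a deny-by-default access check.
# Every grant is a single (resource, action) pair; there is no wildcard and
# no "superuser" role, MFA must be verified before any grant counts, and
# every decision, allowed or denied, is appended to an audit log.

Grant = Tuple[str, str]  # (resource, action)


@dataclass
class Principal:
    name: str
    grants: Set[Grant] = field(default_factory=set)
    mfa_verified: bool = False


@dataclass
class AccessControl:
    principals: Dict[str, Principal] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)

    def add_principal(self, name: str) -> Principal:
        principal = Principal(name)
        self.principals[name] = principal
        return principal

    def grant(self, name: str, resource: str, action: str) -> None:
        """Grant exactly one (resource, action) pair; refuse any wildcard."""
        if "*" in (resource, action):
            raise ValueError("wildcard grants are not allowed: name the resource and action")
        self.principals[name].grants.add((resource, action))

    def complete_mfa(self, name: str, second_factor_ok: bool) -> None:
        # In a real deployment this flag is set by the MFA verifier after a
        # successful TOTP or WebAuthn check; here the outcome is passed in.
        self.principals[name].mfa_verified = second_factor_ok

    def check(self, name: str, resource: str, action: str) -> bool:
        """Return True only for an explicit, MFA-backed grant; log every decision."""
        principal = self.principals.get(name)
        if principal is None:
            allowed, reason = False, "unknown principal"
        elif not principal.mfa_verified:
            allowed, reason = False, "second factor not verified"
        elif (resource, action) in principal.grants:
            allowed, reason = True, "explicit grant"
        else:
            allowed, reason = False, "no grant for this resource/action"
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "principal": name,
            "resource": resource,
            "action": action,
            "allowed": allowed,
            "reason": reason,
        })
        return allowed

    def denials(self) -> List[dict]:
        """Audit entries for requests that were refused (the ones worth reviewing)."""
        return [entry for entry in self.audit_log if not entry["allowed"]]


def build_demo() -> AccessControl:
    """Constructed scenario mirroring the article's DBA and plant-waterer examples."""
    ac = AccessControl()
    ac.add_principal("dba-contractor")
    ac.grant("dba-contractor", "orders-db", "run-backup")  # the DBA's one task
    ac.complete_mfa("dba-contractor", second_factor_ok=True)

    ac.add_principal("plant-waterer")
    ac.grant("plant-waterer", "greenhouse-door", "unlock")  # no keys to the safe
    ac.complete_mfa("plant-waterer", second_factor_ok=True)

    ac.add_principal("new-hire")  # granted access but never finished MFA
    ac.grant("new-hire", "orders-db", "read-rows")
    return ac


if __name__ == "__main__":
    ac = build_demo()
    print(ac.check("dba-contractor", "orders-db", "run-backup"))  # True
    print(ac.check("dba-contractor", "orders-db", "drop-table"))  # False: never granted
    print(ac.check("plant-waterer", "safe", "open"))              # False: never granted
    print(ac.check("new-hire", "orders-db", "read-rows"))         # False: MFA not verified
    print(ac.check("nobody", "orders-db", "read-rows"))           # False: unknown principal
    for entry in ac.denials():
        print(entry["principal"], entry["resource"], entry["action"], entry["reason"])
```

The point of the shape is that there is no code path that says "allow" without passing through both the identity check and an explicit grant, and no way to hand out a blanket grant that would recreate the "superuser" problem. In a real platform the audit entries would go to an append-only store rather than an in-memory list, and the `mfa_verified` flag would be set by the authentication service, not by the caller.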
Following these four basic best practices is easier than it may seem. In fact, Tehama incorporates all these protections and more. Tehama is a cloud-based SaaS solution that provides a rigorously secure IT infrastructure for connecting and growing your teams, no matter where they are in the world. Tehama allows you to onboard teams in minutes instead of weeks, and it gives you instant and ongoing compliance with standards as demanding as SOC 2 Type II, GDPR and NYDFS 23 NYCRR 500.
The business case for improved data security is simple and straightforward. And with Tehama, actually doing something about it is every bit as easy.