Digital transformation was an undercurrent for businesses well before the COVID-19 pandemic. Since then, organizations have transformed more dramatically. They adopted new business processes, improved access for remote workers and now engage customers in entirely new ways. McKinsey finds that consumer and business digital adoption has made an astonishing leap of five years in the span of just two months.
Over the past year, transformation was seen as a way to survive, but increasingly, it’s helping businesses to thrive. In fact, 75% of CEOs claim the pandemic has created significant new opportunities for their company. Amid all of these changes, IT management has found itself center stage as hero and enabler, accelerating digital change through innovative new applications and customer services.
With transformation, though, comes unprecedented risk. Too often, projects are accelerated for the sake of the business while data security is forced to take a backseat. Prioritizing speed over security will come back to haunt organizations, as data is exposed to unsafe levels of risk that could result in fines, reputational damage and operational disruption.
Has COVID-19 killed the network perimeter forever?
Over the past year -- driven by the global pandemic -- the traditional network perimeter was blurred, and in most cases, dismantled. While organizations scrambled to enable effective remote work in 2020, security teams in the New Year will be forced to grapple with the question of how to protect data in this new boundaryless environment.
Gaining visibility into who has access to what, when, and with what level of privilege, will become a central challenge for businesses to reckon with.
Despite the growing complexity of the evolving IT landscape, many organizations are not involving their security teams in these transformation projects. One study finds that 93% of global IT leaders delayed security initiatives at the start of the pandemic, while a separate study revealed nearly half (47%) of cybersecurity professionals were taken off some or all of their typical security tasks to support other IT-related projects.
Cutting security out is never a good idea, but it’s especially risky when IT modernization is rapidly disrupting the business landscape. At times like these, security is needed to help manage and identify the unpredictable risks that can quickly emerge.
Looking closer to home
With time and resources in short supply, organizations must focus on their greatest areas of risk. One thing all modernization projects have in common – whether it’s a restaurant launching a delivery service or a bank introducing new digital experiences – is that they’re fueled by data.
Why then is securing data often an afterthought? Organizations are too often distracted by headline-grabbing cyber-attacks and concern themselves with throwing point solutions at the challenge of keeping the bad guys out. Ironically, the real risk is closer to home.
Unintentional cloud misconfiguration, account misuse, empty or weak passwords and publicly exposed databases are all the result of insider threats. In fact, according to data from the Information Commissioner's Office (ICO), nine out of ten data breaches are caused by internal, not external, incidents.
The issue of data security is compounded by the expensive and inflexible tools that exist to address the problem. Database activity monitoring (DAM) tools often don’t provide the scalability, visibility and control needed to protect critical databases across on-premises and multicloud environments. Too often, organizations are running multiple point solutions for each database, underpinned by manual processes, that do not plug into security information and event management (SIEM) and other tools. As a result, security teams cannot see the full picture or apply consistent policies and controls to data.
By design and default
Ultimately, tech modernization cannot leave security in the dust. Doing so will lead to a breach that results in a costly fine and reputational damage. A core principle of the GDPR is that data protection be deployed “by design and default” - as an essential component of any IT system or business service. While this regulation has been around for nearly four years, many organizations still fail to do this adequately.
Organizations need to take an “inside out”, not “outside in” view, focusing on internal processes and people to ensure data is protected from exposure throughout its lifecycle. Risk management should be built into the foundations, and always start with the data. Security teams need to know where the data is at all times across all environments, how it is used, and who has access to it before applying appropriate controls.
Successful data security needs to be automated, simplified and unified, eliminating the complexity of dealing with multiple database environments by capturing and centralizing database activity from all sources. This all-in-one approach enables consistent reporting, alerting and analytic dashboards, regardless of data location and type, enabling visibility into cloud-based databases. Finally, AI analytics are needed to support proactive, preventative data security. The technology can identify suspicious patterns human eyes might miss, while delivering contextually rich data to other security tools or stakeholders that need it – such as SIEM platforms and incident response teams.
A new era
A new era of remote work, digital-first and cloud-everywhere is now the norm. While this is to be welcomed, organizations can only benefit if they first address the elephant in the room: the security of their data.
- Chris Waynforth, Area Vice President at Imperva.