Management Musings 1: Pay attention to all data-centric security
Most data security practitioners are not, and part of this ignorance is due to well-known analysts.
Remember the cyber-attack on the Berlin Chamber Court?
For those interested in Digital Transformation, IT and Data Security: we have seen an ever-increasing number of security breaches globally. So, we are used to bad news and we all work diligently to fight and put up defenses. However, the recent news update on an incident from September last year must leave everyone speechless. I am referring to the cyber-attack on the Berlin Chamber Court. They handle very sensitive cases, including terror-related cases. In focus is the trojan named ‘Emotet’. The hack was far wider and much more serious than initially disclosed. Forensic reports state, with a high level of confidence, that the attacker was able to access and extract the entire data and file system of the court. This came after the city districts of Brandenburg and Potsdam had been successfully breached a week earlier.
Have you read our blog ‘Data breach in Germany: Who will pay the GDPR fine this time?’
Are infrastructure and network security enough?
It is remarkable that, after so many breaches and serious problems, security experts still believe infrastructure and network security are the key solution to protect sensitive data. It seems to me that we still see amazing ignorance and complacency in our security business. Sometimes I think well-known analysts are part of this ignorance. When someone says that data-centric security is optional, all followers out there tend to give it low priority and, if push comes to shove, drop this topic from the investment priority list. These analysts provide the backdrop for decision makers to argue “well, I am just following what they say”.
I believe our colleagues out there must really review priorities and pay attention to achieving data-centric security for all data. This includes data downloaded from internal systems to mobile devices or cloud storage. The conclusion that such data-centric security is optional is extremely risky as advice. In fact, it is a mandatory component of every effective IT security strategy today to extend traditional perimeter security. If data are always encrypted – at rest, in transit or in motion – we can all sleep better. I just don’t get why this apathy still lingers. Maybe it’s top management that is ignorant and prevents our colleagues from spending the money to get the job done, but they should be aware that they are riding a tiger.