The global pandemic unexpectedly forced many organizations to quickly adapt to remote working, accelerating the transition to a distributed workforce. This trend, coupled with the recent surge of cyberattacks carried out across business sectors, has left organizations scrambling to secure sensitive data in hybrid and multi-cloud environments. As companies continue to operate across a distributed workforce, it’s essential for organizations to revamp data governance, with data security playing a pivotal role.
It’s also important to note that the picture of data governance has been incomplete without accounting for security. But despite this significant change, organizations mistakenly trust that they have complete data governance anyway. As modern data infrastructure and its risks change over time, companies need to include elements of both control and security in their data governance strategies to reflect the changing data landscape.
When Traditional Data Governance Compromises Security
Data governance used to be relatively simple to define; it originally required handling data quality, metadata management, discovery, and classification. But traditional data governance has its limits—it doesn’t take security into account and often leaves companies, customers and data at risk. Companies struggle to protect access to sensitive data—in fact, this is the leading cause of cyberattacks almost every year.
Verizon’s 2021 Data Breach Investigations Report (DBIR) named stolen credentials and phishing as the top causes of cyberattacks, highlighting that companies have been reactive and slow to move to security models that will proactively protect access to sensitive data. The following are some common pitfalls companies face when they fail to secure data access:
- Credentialed access threats give hackers unwanted access: Stolen or compromised credentials remain a top cause of all data breaches for the fifth consecutive year. According to the report, 61% of breaches involved credentials, and the use of stolen credentials was present in 25% of breaches in 2020. Credentials are an incredibly sought-after data type that continues to compromise data security and provides hackers with an entry point to compromise larger networks and systems.
- Phishing for more data: Phishing incidents jumped significantly in 2020 as companies transitioned to remote work, highlighting security challenges faced by organizations and their employees. Threat actors have shifted their focus to individuals and their ability to become unwitting threats to their own teams. This targeted approach allows bad actors to enter organizations and steal user credentials and data with increasing sophistication, escalating the breach crisis.
Data breaches have already affected hundreds of millions of individuals around the world as companies increasingly rely on consumer and personal data to run. No industry sector is safe: threat actors have targeted companies from healthcare to financial services because personal information is such a highly valued data type.
For example, a lone hacker gained access to Capital One’s servers in 2019, exposing the personal data of over 100 million customers in one of the largest data breaches to date. The breach compromised customers’ social security numbers and bank account numbers, in addition to people’s names, addresses, and credit scores. Financial institutions work with large volumes of sensitive customer data, which makes them a continually rich target for threat actors.
Telecommunications companies, which control and operate critical infrastructure, also face a high risk of cyberattacks. Most recently, a bad actor compromised T-Mobile’s systems and exposed the information of over 50 million people. This breach exposed names, birthdays, PINs and social security numbers from current, former and prospective customers. Telecommunications companies work with sensitive customer information and are often victims of data breaches. Recent cyberattacks, such as the T-Mobile breach, have further highlighted the need for stronger security protocols to protect sensitive customer information.
So with so many sectors at risk, how can companies integrate data security and data governance strategies to prevent a compromise from happening in the first place?
Breaking Down the Silos
It is not enough to protect sensitive data, as traditional access controls to data don’t provide visibility into who is consuming the data, when and how much. Knowing this is essential for real-time security and control of data, rather than working from a theoretical idea of who might have access. Well-intentioned leaders need to address today’s threat landscape by coupling diligent data governance with data security.