The War On Data: Three Defense Mechanisms Your Business Needs To Adopt

This blog was originally posted to the Forbes Technology Council.

We have entered an unusual new age of security. The Colonial Pipeline incident, which cut off a major source of fuel for the Eastern United States, was a reminder that bad actors are operating within our borders. They might not have physical boots on the ground, but malicious independent groups can access and disable critical systems. They can shut down major hospitals and infrastructure. They are here, and they are powerful.

Too often, we write off these agents as anarchic hackers, hooded figures hiding out in basements, operating only for their own gain. This may be true in some cases — except for the clichéd hoodie — but we also face state-sponsored agents carrying out cyberattacks in the U.S. and around the world. Our intricately networked world means that foreign agents can cause massive damage, invading our territory without leaving home.

As a nation, we have long been focused on protecting our physical assets. Today, though, nearly all of our physical goods have a digital manifestation — our bodies, too, in the form of personal health information (PHI) and other data. Everything in our physical world has a mirror in data, and hackers can impact that physical world if they can access this data. Hackers did not literally shut down the Colonial Pipeline. They tied up the data that is critical to its operation. But they might as well have closed a valve to stop the flow.

We are going to see more attacks like this one. Hackers are tantalized because companies will pay large sums to avoid multi-day business disruptions. So, what do we do?

We change how we think about data security. Both our digital infrastructure and our general approach to security are woefully outdated. There are larger problems to be addressed at a national and international level, especially as countries like North Korea train increasingly sophisticated armies of hackers. Global enterprises can take a few steps to reduce the risk that they become the next enterprise victim. A good defensive strategy relies on strong, mutually supported positions in order to minimize damage and also be able to recover from damage as quickly as possible. Here are a few places to start:

1. Organizations need to limit how much data is accessible to end users. Access to information is an essential feature of an open and free society, but one of the well-known rules of digital security is that people are the weakest link. As an organization, you can do everything possible to secure your networks and data, and follow all the best practices, but all that work will be in vain if one person clicks on the wrong link. Educating all of your organization’s end users is a great first step, but why not put stricter policies in place that limit their access? Why not do a little extra work to ensure that end users in marketing or customer service cannot access critical infrastructure systems?
2. Two-factor authentication should be standard. How is it that all large companies are not using this already? Without it, anyone can log in from anywhere to access data. We do it for convenience. Especially now, as more users are working from home, companies want their employees to be able to access their data from anywhere. Without two-factor authentication, though, this makes it easier for malicious agents to infiltrate your network as well. I am not advocating mass network lockdowns. Not at all. But we do need to modernize how we think about what specific users are allowed to do as they roam the information space.
3. Stop relying on old data protection solutions that were designed for a few offices with a few TBs of data. As the recent wave in ransomware and other attacks grow in sophistication and complex multinationals become ever more dependent on data in all its forms, our methods of protecting critical data and systems need to evolve in kind. Large enterprises relying on backup, for example, will need to head back to the IT whiteboard, as this outdated solution fails to protect companies against large-scale ransomware attacks, which often leave victims offline for days or even weeks at a time.

The Colonial Pipeline affair will not be a one-off incident. The impact of that attack will only embolden malicious hackers. A war on data is underway, and we need to rethink how to defend ourselves. Is your organization prepared to prevent as much damage as possible? Do you have solid recovery plans that can unwind any inflicted damage? The next attack is coming. It is only a matter of when, and whether you are ready.