Monday, April 22nd, 2019

Building a data security strategy – why the industry needs to work together

The growth of data’s influence on our personal and business lives over the past few years has been faster than anyone could imagine. Take for example the development of the National Digital Identity (NDI) system, where Singapore citizens and businesses will have the convenience of a single digital identity for government-related transactions that is seamless and convenient without compromising on security. In addition, the range of mobile banking applications available with biometric access gives users the ability to pay bills or transfer money at their fingertips, saving them multiple trips to the bank or even ATMs. The pace of change is set to continue – according to Data Age 2025, a report by IDC commissioned by Seagate, by 2025 90% of that data could require some level of security, but less than half may be secured.

Recent high-profile cyberattack cases such as IT network breaches at at least two local universities, SingHealth’s data breach and the more globally-renowned WannaCry attacks and Facebook data breach highlight one crucial fact: it’s becoming near impossible to guarantee a 100% success rate in cybersecurity. Most of these breaches happened under the noses of some of the largest, most cutting-edge organizations, some of which had the very best cybersecurity systems in place when these attacks took place.

It just goes to show that investments in cybersecurity also require culture shifts and improvements in the actual practices within organizations. Companies have to be more vigilant and proactive in detecting threats early, as the cost of attacks to the bottom line is just too great to ignore. This is especially critical in Asia, given that up to a quarter of all global cybercrime perpetrated happens in the region, according to a report by McAfee and the Center for Strategic and International Studies (CSIS). These high-profile data breaches and cyber-criminal activities have caused businesses across fields such as finance, transportation, healthcare and retail to recognize the urgent need for investment in data security practices.

Unsurprisingly, the security industry is well aware of this increased appetite for data security products. The market is now flooded with new products and solutions that claim to address the concerns of businesses and meet new government regulations like Singapore’s Personal Data Protection Act 2012 (PDPA) and newly-passed Cybersecurity Act 2018. A recent report from MarketsandMarkets estimates that the global cybersecurity industry could reach $231bn by 2022. According to a report by global consulting firm A.T. Kearney, Singapore spent 0.22 percent of its GDP on cybersecurity, higher than the global average of 0.13 percent.

While increased spend can be a good thing for data security, there’s a danger that in the rush to be first to market with new products and services, security providers are failing to see the bigger picture. Security is a circle, not a line: every actor involved in the handling and processing of data has responsibility for ensuring its security. What this means in practice is renewed focus on areas of hardware and software protection that have previously not been front of mind or received large amounts of investment from businesses, with security at the drive level being a prime example.

A problem of silos

As with so many issues in IT, the problem starts with silos. Data today moves frequently, and that increases security risks. At the moment, everyone involved in the handling and processing of data, from network providers and cloud software firms to hardware manufacturers, has their own techniques for securing their small part of the data value chain and rarely thinks beyond that.

This becomes a real problem when the global data environment becomes more complicated. We’re seeing the rise of IoT, embedded systems, machine learning, and real-time data analysis – all of which can be used in complex systems such as autonomous vehicles and drones. The more steps in a data transfer, the more opportunities there are for malicious players to infiltrate the system. Hackers usually gain access to secure networks and databases through a variety of means, such as phishing or installing customized malware on workstations over time before the attack.

In order to provide their customers with the most secure environments possible, security vendors and specialists will need to stay ahead of the way businesses are implementing their technologies, what other products are used in the same stack, and how these different products can work together to create a circle of protection for customer data.

Security at the drive level

In a world where data owners are under constant threat of attack from the next WannaCry, it’s important to make sure every link in the security circle is in place, and that all aspects of hardware and software that handle sensitive data have adequate security features. A recent Thales Data Threat report found that data-at-rest security tools are consistently rated as the best way to protect data once attackers are inside the walls. Data-at-rest encryption functions as a last line of defense: if a malicious actor manages to breach outer layers of security using hacked or fraudulent credentials, hardware-level encryption can protect the organization from data theft.

However, despite the clear benefits, this kind of encryption lags behind other areas, such as network and endpoint security, in terms of the investment it receives. The same Thales Data Threat report found that data-at-rest security received some of the lowest levels of spending increases in 2016 (44%), versus a 62% increase for network and a 56% increase for endpoint security.

Completing the circle

According to a ThreatMetrix report on cybercrime, Asia Pacific has seen a 45% growth in cybercrime year-on-year, with the highest global levels of device and identity spoofing attacks. Defending against these kinds of attacks is only becoming more challenging.

Take the huge number of businesses that use cloud-hosted services, for example. As more and more data is stored in the cloud, businesses need to prepare for major security breaches when cloud technology fails. And there are many examples of it doing just that. Likewise, the rapid development of blockchain technology and more advanced malware attacks both present far more serious and advanced threats than businesses are accustomed to dealing with.

There is no singular answer to these different threats – and that’s really the most important point. Security in this new era requires multiple complex defense systems to be operating harmoniously with each other. These systems – including encryption at the drive level – need to be in communication with each other and form a circle of security around sensitive data. Industry players in the security space must collaborate as well as compete if they are to serve their customers effectively.

 

Robert Yang, Regional Vice President, Asia Pacific, Seagate Technology