External hackers and insider threats. Customer expectations and government mandates.
Data protection is a complex challenge, and it demands attention at every level of an organization. PKWARE's in-house experts are here to help you stay up to date on best practices, emerging trends, and new resources for enterprise data security.
Throughout 2019, PKWARE has sponsored and moderated boardroom discussions at Evanta CISO Executive Summits in North America and Europe. These engaging, productive conversations have focused on key data security issues including compliance, data governance, data ownership, data retention, risk management, discovery classification, and information lifecycle management.
Updated September 2019
Data breaches are simply a fact of life. Businesses in every industry, in every country, are attacked by data thieves and malicious insiders on a daily basis. As pervasive as they are today, cyber threats will only grow more severe as time goes on—each newly-developed way to communicate or do business online creates new forms of sensitive data that hackers, industrial spies, and state-sponsored operatives are ready to exploit.
Guest blogger: Derek Brink, Aberdeen Group
In the realm of information security, the traditional trade-offs security professionals seek to balance, such as effectiveness of security, total cost of ownership, and convenience for users have been the relentless targets for continuous improvement by innovative solution providers. Anyone who has been working in this field for a length of time would have to admit that today’s security solutions are more capable, cost-effective, and much easier to use than the security solutions of 20, 10, or even five years ago.
But there were over 3,200 publicly disclosed data breaches from 2017-2018, which averages to between four and five data breaches daily. Although the median number of records disclosed to unauthorized parties was relatively small (about 1,300 records per breach), there were 114 data breaches of 1M records or greater during this two-year period – or, about one mega-breach weekly.
How can these two observations be reconciled?
Guest blogger: Derek Brink, Aberdeen Group
Data loss prevention (DLP) solutions are designed...well, to prevent the loss of enterprise data. Said a bit more formally: by “loss,” we mean the confirmed disclosure of an organization’s data assets to an unauthorized party—i.e., a data breach. Said still another way, DLP solutions are designed to reduce the risk of a data breach.
This begs an obvious question, which unfortunately doesn’t often get a crisp response: just what is the risk of a data breach? To answer this question in a way that’s useful to an organization’s senior leadership team, security professionals and solution providers have to consider both the likelihood that a data breach may happen in a specified period of time, as well as the resulting business impact if it actually does occur. That’s just the proper definition of risk.
Guest blogger: Derek Brink, Aberdeen Group
It’s hard to believe, but security professionals and solution providers have been talking about the need to protect cardholder data (i.e., payment card account numbers, cardholder names, expiration dates, and security-related information used to authenticate cardholders or authorize transactions)—wherever that data is stored, processed, and transmitted—since the 1990s.
Starting with the independently developed data protection initiatives of the major card brands (i.e., Visa, Mastercard, American Express, Discover, JCB), the industry standards and best practices for this nearly universal issue have continued to mature and evolve. From the version 1.0 release of the Payment Card Industry Data Security Standard (PCI DSS) in December 2004, to the now-current version 3.2.1 release in May 2018, one would think that everyone would have this problem fully solved by now, right?
In the 15 years since its introduction, the Payment Card Industry Data Security Standard (PCI DSS) has redefined data protection for banks, merchants, and every other organization that handles credit card data. Companies around the world design their networks, build their applications, and assign user permissions with PCI requirements in mind.
One data security risk, however, often goes unaddressed, even by organizations that take an aggressive approach to PCI compliance: credit card numbers in unstructured data.
What's the best way to protect sensitive data?
The answer, of course, is "it depends." Organizations have too many different types of sensitive information, and too many ways to store and share it, to allow for a one-size-fits-all approach. Each of the common methods of protecting data—encryption, tokenization, masking, and redaction—might be the right solution for a given use case.
Every year, we look forward to the RSA Conference, the cybersecurity industry’s biggest event. No other conference lets us meet as many security professionals, or get as many different viewpoints on what’s happening in security and where the industry is heading.
Here’s a summary of the top storylines we heard as we talked with customers, industry analysts, and other folks in the security world this year.