What motivates the bad guys? Hackers are driven to our data for two, simultaneous reasons: they are after the “easy money”. “Easy”, in that right now there may be a hundred thousand potential ways of getting access to data, so why make it too hard? And “money”, in that some data is worth far more than other data.
If you wanted to draw a graph, the best targets would be in the top right. As a simple analogy, if you were a burglar casing a housing estate which properties would you target – the ones with the bars on their windows and burglar alarms, or those without? In reality neither — the chances are you would go for the garages and sheds, heading for the push bikes and power tools.
Some pundits are saying that data is the new oil, precisely because its value is growing phenomenally but remains relatively unexploited — and that data needs to be refined for value to be extracted. Many organizations are sitting on information assets of huge worth — just because they are not making the most of them doesn’t change that fact. So, which data assets can be valuable and to whom, for better or worse?
Data about customers and processes is intrinsic to what makes a business tick so its cost is more straightforward to measure, not least in terms of how much the business can afford not to function without it. This is the traditional driver for availability aspects of data security, not to mention business continuity and disaster recovery calculations.
But, as advocates of big data analytics tell us, such data has far broader value particularly if it is analysed as a whole. For example, information on customer preferences or usage patterns could be aggregated and interpreted to determine, for example, the impact of weather patterns on product sales. While examples such as the classic that vegetarians are less likely to miss flights may not be applicable to everyone, they illustrate the value of linking disparate data pools.
Industries such as retail and technology already benefit from research firms that can analyse information from across the market and deliver any insights back. Alternatively, organisations could sell their own research or market insights — we are seeing such federated approaches appearing in industries such as pharmaceuticals. Such models are moving up a gear across numerous verticals, for example utilities companies are considering how third-party data brokers could aggregate real-time usage data and return pricing recommendations.
What of the dark side of all this analytical activity? In this context, data exploitation could be as simple as selling the information to other parties — it’s not much of a stretch to consider a grey market for dubiously obtained market or corporate data, for example. Want to buy the salaries database of the world’s top banks? They won’t tell you but someone knows someone who could find it out.
In other words, if there is easy money to be made from data aggregation, someone will work out a way to do so. We’ve already seen customer databases hacked (and subsequent fines — Sony had to pay out £250,000 following the hack of the Playstation network). So it isn’t that great a leap to suggest they might mine such information for deeper insights. The first examples of this have been to enable better targeting of email attacks but will inevitably become more sophisticated.
Such impending realities leave organisations with a challenge, namely how to protect something which has yet to release its value. A first step has to be to determine which data assets might be of most value, and how, now or in the future. It could be the most innocuous-seeming system — the spare parts database, say — that is actually of huge worth and therefore most open to exploitation.
So, are you already sitting on the data equivalent of an oil reserve and if so, should you be protecting it? Information assets may be currently under-exploited but we can be reasonably sure that things will not stay this way. Far better to have worked out where the value of information lies in advance, than find out in hindsight, when trying to solve a subsequent breach.
By Neil Cosser, Identity & Data Protection Manager for Africa at Gemalto