By Yoran Sirkis, CEO of Covertix
So, one of the world’s largest law firms was hacked, and the purloined documents reveal the ins and outs of major world leaders’ and their friends’ and relatives’ financial transactions. Hmmm…a major hack of data that was supposedly protected by firewalls, threat detection systems, and a host of other cybersecurity solutions.
Call me cynical, but is anyone really surprised this happened? Admittedly, this particular case has some unique aspects – the information being revealed is now being used as part of federal investigations regarding money laundering and tax evasion. The fact that many transactions were actually legal but unethical is also instigating the wrath of law-abiding, tax-paying citizens.
Reputations are being ruined, privacy has disintegrated, and a lot of people are losing a lot of money – except, of course, for the other lawyers, who have started to sue everybody.
Check out our very nice graphic, courtesy of our friends at The RedCap Group. It’s just a small sample of data breaches over the past year and the losses that have been assigned.
This isn’t going to stop. If anything, it is going to get worse. No systems are perfect; no system is impermeable. We’re all going to get hacked. It’s a matter of when, not if, and the level of losses sustained.
What needs to change is our approach. The current “cybersecurity paradigm,” where we protect the channels, isn’t enough. We must start focusing on the data itself.
Data, itself, is where the intellectual property currency lies. Your company is in merger discussions. The company itself is highly secure, with every possible precaution in place. As a 1,000-person company, your security department’s budget is more than a few million dollars a year. However, your consulting law firm has only 150 employees and the related security budget is proportional. Who’s more likely to be the conduit by which the merger data can be stolen?
If the company had data-centric security, that merger information would be protected wherever it travels. The data-centric paradigm focuses on creating and enforcing policies for each individual document, so the protection follows the document.
How do you protect your data? How is your data encrypted? What kinds of access control and policies are in place to make sure that the data itself is protected from unauthorized users? From authorized users at unauthorized locations? From unauthorized devices?