As data grows in value to businesses, cybercriminals actively monitor businesses to understand exactly what data they collect and store.
How much data do businesses now store? With more being created in the last two years than every previous year combined, it shouldn’t be surprising that it’s a lot.
Add on top of this the massive impact the adoption of IoT devices will have on the amount of data being produced, and this growth shows no signs of slowing down. Data is now intrinsic to understanding market trends and customer demand, and its value to a business and impact on bottom lines has grown.
Data’s value has grown so much in recent years that most businesses (85%) believe it is now worth the same as currency for solving business challenges. In particular, most are likely to use their data to improve customer experiences (70%) and monitor demand (56%). The data that organisations hold is becoming their unique selling point and, in an increasingly competitive market, any data that sets a business aside from its competitors is worth a great deal.
However, this data is only valuable if the integrity of the data is maintained. If it’s changed by a hacker, it could lead to companies making decisions based on inaccurate data, which could have catastrophic effects. Companies also need to ensure they can be held accountable to things like audits and data is an integral way of verifying issues. If the data is incorrect, it could lead to wrongful convictions, which can have serious damage on a company.
Consequently, hackers are constantly looking for ways to leverage this data for their own benefit, by selling it to competitors or manipulating it to disrupt a business. They can do this by changing sales figures to alter the value of a business’ stocks, for example. In light of data’s value, and the newly announced data protection laws in the UK, it is crucial that businesses understand how to not only manage it but also how to store it. Under these laws, any business handling citizen data will be liable for severe fines in the event of a data breach, and potentially lose sales due to damaged customer confidence.
Data is valuable to businesses, and hackers
As data grows in value to businesses, cybercriminals actively monitor businesses to understand exactly what data they collect and store. This is then analysed to predict what would make them the most money if it could be acquired. As cybercriminals develop this intelligence, businesses must make sure they know the true value of the data they hold as well.
Typically, the data which holds the most value is customer information, or personally identifiable information (PII). PII helps businesses personalise their offerings, and predict market trends. Through information such as dates of birth and payment details, customers and other affiliated individuals can be identified and their financial and other personal data compromised.
Alternatively, they could use data such as recent purchases to target customers with social engineering. With this information, a hacker could pose as a trusted organisation, such as a bank, to convince targets to part with further personal information. Businesses that do not encrypt PII held with them risk it being stolen, sold to competitors or exposed publicly. Despite this, our research found that over a third of businesses still do not encrypt valuable information such as customer (35%) or payment (32%) data.
Historically, businesses have relied on cybersecurity measures which protect their networks and perimeters to secure themselves. This failure to encrypt PII may stem from the majority (86%) of businesses being confident that the data their company holds would be secure in the event of a data breach. This indicates that there is a lack of understanding amongst businesses between securing their networks and securing their data.
The belief that a secure network equals secure data has led to confidence in measures such as static passwords, which restrict access to networks. However, while over two thirds (69%) of businesses are using static passwords to protect data, even the most complex passwords will not adequately protect data. Put simply: there’s no such thing as a safe password
Another consequence is that many businesses are prioritising their perimeter security, which includes measures such as firewalls, IDPS, AV, content filtering and anomaly detection. Much like passwords, perimeter security is largely ineffective against sophisticated cyberattacks. Despite this, three quarters (76%) of businesses have increased investment in perimeter security systems to protect themselves from external attackers.
With new data protection regulations rapidly approaching, cybersecurity requirements under law are set to change in the UK. Those businesses that have been pouring their investment into perimeter security are going to find that they have failed to do the most important thing: protect their data at its source. This is where the most risks are for businesses and where they need to focus their efforts in security. By failing to introduce fundamental security measures such as encryption and two factor authentication, businesses are effectively leaving their data unprotected and easy to steal or manipulate.
Investment in cybersecurity has clearly become more of a focus for businesses as they become aware of the value of the data it protects. If data is considered to be as important as currency, then it needs to be guarded as closely as the gold in Fort Knox. The gap in understanding of the correct cybersecurity solutions is now standing in the way of complying with data protection laws. Before long, the businesses that don’t improve their cybersecurity will face severe legal, financial and reputational consequences. Perimeter security doesn’t provide enough protection, and businesses must introduce the correct security protocols to secure the data at its source.