SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
For businesses, data is the new currency, but it’s vulnerable
Fri, 3rd Aug 2018

With more data being created in the last two years than in all previous years combined, it's no surprise that businesses are now storing more data than ever before.

To add to this, the adoption of IoT devices will have a massive impact on the amount of data being produced. The value data holds for a business and its impact on the bottom line have grown, as data now holds the key to understanding market trends and customer demand.

The value of data has increased so much in recent years that most businesses (85%) believe it now holds the same value as currency for solving business challenges. The data that organisations hold is becoming their unique selling point and, in an increasingly competitive market, any data that sets a business apart from its competitors is worth a great deal.

However, this data is only valuable if the integrity of the data is maintained. If it's changed by a hacker, it could lead to companies making decisions based on inaccurate data, which could have catastrophic effects.

Consequently, hackers are constantly looking for ways to leverage this data for their own benefit, by selling it to competitors or manipulating it to disrupt a business. With almost half (45%) of Australian organisations reporting that their entire network can be accessed by unauthorised users, there are significant risks ahead.

Data is valuable to businesses, and hackers

As data grows in value to businesses, cybercriminals actively monitor businesses to understand exactly what data they collect and store. This is then analysed to predict what would make them the most money if it could be acquired. As cybercriminals develop this intelligence, businesses must make sure they know the true value of the data they hold as well.

Typically, the data which holds the most value is customer information, or personally identifiable information (PII). PII helps businesses personalise their offerings, and predict market trends. Through information such as dates of birth and payment details, customers and other affiliated individuals can be identified and their financial and other personal data compromised.

Alternatively, hackers could use data such as recent purchases to target customers with social engineering. With this information, a hacker could pose as a trusted organisation, such as a bank, to convince targets to part with further personal information.

Businesses that do not encrypt the PII they hold risk it being stolen, sold to competitors or exposed publicly. Despite this, our research found that over a third of Australian organisations still do not encrypt valuable data such as customer (33%) or payment (44%) information.

Historically, businesses have relied on cybersecurity measures which protect their networks and perimeters to secure themselves. This failure to encrypt PII may stem from the fact that the vast majority (99%) of Australian organisations consider their perimeter security systems effective at keeping unauthorised users out of the network.

This indicates that there is a lack of understanding of the difference between securing the network and securing data.

Misplaced priorities

With new data protection regulations implemented earlier this year, cybersecurity requirements under law have changed drastically in the Australian market. Businesses that have been pouring their investment into perimeter security have found that they have failed to do the most important thing: protect their data at its source.

This is where the greatest risks lie for businesses and where they need to focus their security efforts. By failing to introduce fundamental security measures such as encryption and two-factor authentication, businesses are effectively leaving their data unprotected and easy to steal or manipulate.

The gap in understanding of the most effective cybersecurity solutions is preventing businesses from complying with data protection laws. Since the introduction of the Notifiable Data Breach legislation in February, businesses that don't improve their cybersecurity are facing severe legal, financial and reputational consequences.

Perimeter security does not provide enough protection against threats, and businesses must introduce the correct security protocols in order to secure data at its source and keep valuable information safe.