SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Cybersecurity expert calls for shift to data-centric defence

Today

Security concerns have intensified as companies face the challenge of securing their data against ever-evolving cyber threats which bypass traditional perimeter defence systems.

Simon Pamplin, Chief Technology Officer at Certes, highlights a growing issue in cybersecurity, stressing the inadequacy of outdated security models that focus solely on defending the perimeter. 

Pamplin notes that over 84% of breaches now see attackers using stolen credentials to gain undetected access, which raises critical questions about current defence strategies. "When unauthorised access is inevitable, the only real defence is to ensure that sensitive data remains protected, inaccessible, and ultimately useless to attackers," he says.

The financial implications of cyberattacks have surged, with average ransom payments escalating to $2 million from $400,000 in just one year. Beyond ransom demands, recovery costs have also soared to an average of $2.73 million. There's further concern over the reputational damage and potential personal liabilities for executives failing to protect sensitive data.

Pamplin stresses the wider business impact of such breaches, which he describes as threatening "the very foundation of a business." Regulatory penalties under frameworks like GDPR, DORA, and NIS2 place significant financial burdens on companies with compliance failures. These penalties are particularly hefty for financial institutions, with fines reaching up to 2% of global revenue.

"Reputational damage can drive customers away overnight, destroying years of brand trust," he notes, adding that operational downtimes "cost millions in lost revenue." Pamplin also alludes to the personal risks executives face, emphasising the accountability demanded by regulatory bodies.

Criticism of traditional security models is backed by the fact that modern cyber threats have evolved beyond these methods. Pamplin explains that once attackers are inside, they can manoeuvre within the network and exfiltrate data before companies even notice a breach, by which point significant damage is done. "The failure lies in assuming that protecting the perimeter is enough," he states.

Pamplin advocates for a shift towards data-centric security. This strategy accepts that breaches may occur and prioritises securing the data itself over merely guarding the network perimeter. He describes a comprehensive approach combining proactive data security and regulatory compliance with rapid recovery capabilities as essential.

He recognises that creating an "ultimate defence" might seem unattainable to some; nevertheless, he says that "a multi-layered defence system that neutralises cyber threats before they cause real harm is achievable." According to Pamplin, such a system enables businesses to continue operating post-breach, maintain compliance, and mitigate the financial and reputational impacts of attacks.

"Ransomware is not just a threat to a business' technical operations – it is a financial, operational, and reputational crisis waiting to happen," Pamplin warns. He urges organisations to "secure their data, comply with regulatory mandates, and protect themselves from the growing risk of executive liability."

Pamplin concludes that relying on network-based defences is insufficient. He asserts that "it's about making the data behind them untouchable," and encourages companies to move beyond outdated models to prioritise data protection. He suggests organisations that adapt to this approach will lead the way in resilience in the digital landscape.

"Now is the time to move beyond outdated security models and invest in a strategy that protects what truly matters - the data," he concludes.
