16 Feb
Tackling the data storage challenge
Data security can make or break an organisation, says Philip Ingram, MBE. And as data grows at a phenomenal rate, so too do the risks involved.
When you start to talk about data and data growth over the years, the numbers are staggering; they are so large that they are virtually impossible to imagine and put into context. Dean Armstrong QC, the head of Chambers with the 36 Group and one of the world’s leading legal experts in all things data, cyber and security, is often quoted as saying “Data is the new oil”.
And as the new oil of the digital economy, data presents a hugely untapped potential, a valuable asset that impacts on everything from the smooth running of a city to the basic infrastructure of local companies. So it stands to reason that that data must be protected for it to fulfil its potential – and that means looking at data storage more closely and aligning it with protection needs.
Data is increasingly under threat. According to a white paper from Data Centre Intelligence Group (DCIG), called Mitigating Ransomware through Active Archive Solutions, there has been a 600% increase in malicious emails since the global pandemic hit and the average mid-sized corporation will pay out an average of $170,404. Despite this, 35% of encrypted data is never recovered after the ransom has been paid.
Checkpoint Security’s Biggest Cyber Security Challenges in 2021 report says: “Ransomware has been a growing threat in recent years. A number of high-profile attacks demonstrated to cybercriminals that ransomware was profitable, driving a rapid increase in cybercrime groups operating this malware. On average, ransomware claims a new victim every ten seconds worldwide, and ransomware costs businesses around $20 billion in 2020, an increase of 75% over the previous year.”
Sizing up the issue
Looking at the scale of the problem, according to Seagate (UK), by 2025 there will be 175 zettabytes of data in the global datasphere. The World Economic Forum reckoned “the amount of data in the world was estimated to be 44 zettabytes at the dawn of 2020.” That’s not only a huge number but also a huge growth rate, an almost four-fold increase in just five years.
For those like me who couldn’t picture a zettabyte, a zettabyte is a measure of storage capacity and is 2 to the 70th power bytes, also expressed as 10^21 (1,000,000,000,000,000,000,000 bytes). One zettabyte is approximately equal to a thousand exabytes, a billion terabytes, or a trillion gigabytes. If you’re old enough to cast your mind back several decades to when 1MB was typical, you’ll appreciate how the need for storage has exploded exponentially.
Threat growth has been quantified by Internet World Stats: “As of July 2020, there were over 4.8 billion internet users in the world. In other words, nearly 60% of all the people on the planet at that time were digitally active. The internet penetration rates in North America and Europe were around 90%. But the largest group of people on the web came from Asia, comprising just over 50% of overall traffic. Africa, the planet’s second-most-populous continent, has been exhibiting the fastest growth, with a growth rate of 12,441% from 2000 to 2020.” The more users, the greater the number of threat actors there will be.
The challenge of data security
Data is valuable and under increasing threat; therefore, data storage must be designed to mitigate that threat.
According to the UK’s National Cyber Security Centre (NCSC), it is critical to protect data where it is most vulnerable. This seems logical, but it means that data needs to be protected from unauthorised access, modification, or deletion whilst it is being created, whilst it is being transmitted, at rest (stored locally or in the cloud) and at the end of its life (i.e. in records).
Often today, some or all of the processes involved in carrying out these functions will be outside the control of the owner of the data.
The adage ‘the cloud is just someone else’s computer’ stands firm. But even if you don’t use cloud storage, email transmission, for example, goes via the email providers’ servers, and apps on smart devices collect huge amounts of data from the device and its user and store it on the app provider’s computers. There really is no escaping the issue.
The single biggest issue for any organisation is mapping what data goes where, how and where it could be intercepted, and where it is stored.
When it comes to data protection, unless you know who is creating it, where and how it goes – and not just where it is being stored, but where backups are being stored – then you can’t begin to protect it. It is, after all, most vulnerable at its least protected point. Next, you identify the potential risks to that data and your appetite to accept those risks.
This means knowing what data is more important to you and your business, and why. For example, a spreadsheet with a list of possible locations for a corporate team building event is unlikely to be as important as a complete customer database. It is surprising how many organisations protect business-critical data to the same standards as valueless data. Not only is that a waste of resources, but it suggests poor data understanding and unnecessary expenditure.
Know your risks
The old physical security saying: ‘if there is zero risk, why put a lock on the door’, holds true for data too. So, understanding the risk is critical. Threats break into two categories: external and internal.
External threats include hackers and cybercriminals, competitors, terrorists and, increasingly, even for SMEs, nation states. Internal threats include careless or poorly trained staff and disgruntled employees who can easily become malicious insiders. However, most insider compromises are accidental in nature. Finally, you mustn’t rule out power outages, fire, flood, and other natural disasters.
The 2021 Data Storage report from the Canadian data protection company Hypertec Direct sums up data storage vulnerabilities and security pointers, saying that vulnerabilities include a “lack of encryption, cloud storage as the cloud adds complexity to storage environments, incomplete data destruction as it may leave behind traces that could allow unauthorised individuals to recover that information and finally a lack of physical security.”
The report goes on to highlight the key points to ensure good security. These are: “Data storage security policies, written policies specifying the appropriate levels of security for the different types of data that it has. Access control and if appropriate multi factor authentication as well as the appropriate encryption, both while in transit and saved in the storage systems both live and archived. Additional data loss prevention (DLP) measures and solutions combined with strong endpoint security, redundancy and backup and recovery procedures.”
Data storage will remain an increasingly complex challenge in our increasingly data-centric world, and it is important that companies, organisations, and individuals develop the same awareness for its protection as they have for their own physical security.