As software ate the world, data took over the workplace.

Then the pandemic broke the firewall, sending data flowing out to unsecured devices in hastily assembled home offices across the world. Now, as the workplace attempts to return to some semblance of normal, it seems likely that proprietary data has “gone wild” for good. Employees have experienced the benefits of working from home and want to stay there — at least some of the time. A current employment trends analysis shows 49% of workers prefer a hybrid home-office work balance.

Add the enterprise’s increased adoption of hybrid cloud models, a proliferation of end user devices at the edge of the networks, more frequent and sophisticated attacks … and all through this, companies need to keep data high-quality and accessible.

Is it an impossible task?

As digital becomes the default mode of doing business, theCUBE, SiliconANGLE Media’s livestreaming studio, reached out to cybersecurity specialists and market analysts for insights on how companies can best combat the onslaught of cybercrime to protect their data assets.

The rise of personal responsibility

As devices have become both more portable and easier to connect to online, they’ve also become more than work-only devices. Employers have had to accept that people weren’t going to carry multiple devices when personal and work tasks could be easily done on the same screen. The Proofpoint Inc. “2021 State of the Phish Report” found that 80% of workers check personal email and 61% of U.S. workers allow family or friends access to work devices.

61% of U.S. workers allow family or friends access to work devices. — “2021 State of the Phish Report” by Proofpoint

Adding holes to the company security stance, contract and freelance workers often bring their own devices to the job, logging in remotely via services such as Microsoft Inc.’s SharePoint or accessing company resources via links to Dropbox or Google Drive. Employees also increasingly choose to use unsecured personal computers, laptops, tablets and phones for work. This trend led to company policies such as BYOD (bring your own device), where employees can legitimately use their personal devices for work under certain restrictions.

The COVID-19 pandemic and associated rise of remote work signaled the final death knell to the illusion of a secure perimeter. Scrambling to adjust to the rapid changes demanded by the pandemic market, implementing new security measures was down on the list of priorities. A February 2021 survey of remote workers by anti-malware developer PC Matic Inc. found that 49% didn’t receive any kind of IT support services from their employer, 61.5% were working on personal devices and 91% hadn’t been provided with any kind of anti-virus software.

91% of remote workers don’t have employer-provided anti-virus software. — PC Matic “COVID-19: Cybersecurity in the Remote Workforce” survey

This lack of security is being paid for in cybercrime. According to IBM’s “Cost of a Data Breach Report 2020,” remote work added $137,000 to the cost of each event, with 76% of respondents reporting the increase in remote employees made it harder and more time-consuming to identify and contain breaches.

Welcome to data’s Wild West

The increase in remote work was significant, but it was only one factor playing into the pandemic’s impact on global business operations. The biggest change was the rapid increase in the adoption of cloud computing, with companies being “forced to go digital.” And unlike the pandemic-enforced all-remote workplace, this is a transformation that is going to stick.

“Data has become universal and critical to everyday business processes, and its importance is only accelerating,” Stijn ‘Stan’ Christiaens, founder and chief data citizen of international data intelligence company Collibra, told theCUBE.

Kathleen Brunner, president and chief executive officer of Acumen Analytics Inc., agrees. “There are many who believe [data] will end up on the balance sheet in the not too distant future,” she said.

So there are two simultaneous waves cresting at once: a rise in dependence on data and a rise in cybercriminal activity.

“In today’s world, every team — from sales to marketing to product — is data-driven, and everyone is a data citizen,” Christiaens stated. “There is a ton of value in data, but there is no value without risk.”

There is a ton of value in data, but there is no value without risk. — Stijn ‘Stan’ Christiaens, founder and chief data citizen of Collibra

According to WhatIs.com, a “data citizen” is an employee with access to proprietary information. But, as Christiaens pointed out, when every company is a digital company, then every employee is responsible for data. This means company-wide data security policies must be put into place and upheld.

“Security awareness and training must be a priority. We don’t leave the office front door unlocked; we need to make sure we keep the cyber doors locked as well,” Brunner stated.

Data literacy is the first step to building a data culture

Personal data responsibility starts with data literacy, according to Christiaens.

“Organizations that prioritize investing in data literacy build a foundation for understanding around data that means [they] will not only improve data protection, but also be better equipped to build trust in [their] data and innovate based on insights from [their] data,” he stated.

Data can be directly compared to money in that it is essential for everyone in an organization to track and protect it.

“The primary defense against phishing scams is people,” Micki Boland, cloud security architect and evangelist for cybersecurity solutions company Check Point Software Technologies Ltd., told theCUBE.

Boland advocates continuous and repetitive education on cybercrime techniques and believes that employees should take a zero-trust approach.

“Generally, it is a good idea for people to be highly discerning and consider anything digitally coming to them is untrusted regardless of how it appears,” she said.

The primary defense against phishing scams is people! — Micki Boland, cloud security architect and evangelist at Check Point Software Technologies Ltd.

This company-wide awareness of data as an asset is known as developing a data culture, and it is incredibly important, according to Bryan Offutt, principal at Index Ventures (UK) LLP.

“Whether you look at media, advertising, commerce or transportation, the biggest disrupter of the economy over the past 20 years has been the ability to effectively leverage data. Those who have effectively leveraged this power have grown to massive scale. As such, developing a data culture is not just important, and it’s existential if an organization wants to survive in the modern digital economy,” he told theCUBE.

Christiaens agrees: “In today’s world, businesses with a strong data culture are significantly ahead of everyone else. It’s an important competitive differentiator, and that will only increase.”

You can’t trust people!

Unfortunately, regardless of education and awareness, people aren’t an effective barrier against the rising tide of cybercrime. Reports of data breaches and exposed records in the U.S. rose from 157 in 2005 to peak at 1,632 in 2017. Since then cybercriminals have gone for quality rather than quantity. So while there were “only” 1001 breaches reported in 2020, the cost was $8.64 million on average per breach. Strikingly, 9 out of 10 attacks can be traced back to employee error, a figure that has remained fairly stable over nearly a decade of cybersecurity reporting.

9 out of 10 cyberattacks are due to employee error. — Tessian Ltd. “The Psychology of Human Error” report

One issue is the complexity and sophistication of cyber attacks, a factor that makes it “an unfair expectation” for employee education alone to be effective, according to Offutt. Instead, the best solution is for companies to provide tooling that “makes it easy for users to make the right choice,” he said, citing Chrome’s built-in password manager as a simple but effective example.

Boland remains a strong advocate of instilling a culture where employees take personal responsibility to protect corporate data but places equal importance on a security stance that includes use-identity-based, least permission access to sensitive data, and technical controls such as data encryption and isolation of the most critical assets.

Smart vs smarter: the duality of AI in cybersecurity

Just as artificial intelligence is an essential ingredient of any successful data strategy, so it is equally as important when it comes to security solutions. IBM’s “Cost of a Data Breach Report 2020,” found that companies with fully deployed security automation saved an average of $3.58 million in breach costs versus companies with no automation.

Automated threat detection and response can react and prevent attacks at a speed that human security analysts can’t hope to keep up with. It can also be trained to seek out specific identifiers and flag or remove them.

“ML provides anomaly detection, threat intelligence and [in] identifying malware variants is increasing speed and agility for blue teams (defenders) and [security operations center] analysts in rapidly identifying threats and malware and proactively mitigating and containing these malicious elements,” Boland said.

One example is using machine learning to track malware code. Because cybercriminals tend to reuse code, ML can be trained on known malware and then search for snippets of matching code to rapidly identify new threats.

Spam and phishing detection has always been a technological cat and mouse game. — Bryan Offutt, principal at Index Ventures

But AI can be a double-edged sword. As with all technology, it can as easily be used for bad as good, and every advance in cybersecurity is matched by the criminals. An example would be advancements in generative language models. While it is impressive and ultimately extremely useful to have bots like OpenAI’s GPT-3 that can respond fluidly in text, there are security dangers in having technology that is indistinguishable from a human.

“Spam and phishing detection has always been a technological cat-and-mouse game, and this is no exception,” Offutt stated when asked about the rising sophistication of attacks. “We will just need to be sure to continue to develop security technologies to keep up with the threats through a collaborative effort between the AI and security communities.”

Does open source help or hinder cybercrime?

While the rise in cloud adoption has boosted the profile of open source, it has also boosted the number of attacks taking advantage of vulnerabilities.

“This exponential growth of OSS projects has increased the potential attack surface and made auditing code a greater challenge,” Boland stated, pointing to the now-infamous SolarWinds breach as an example and warned against an uptick in “poisoning the well” attacks caused by malicious code brought in through third-party open-source components of applications.

The threat is acute: 95% of marketing technology open-source codebases contain vulnerabilities, according to audits conducted as part of the Synopsys “2021 Open Source Security and Risk Analysis” report. And while marketing may not be a high-security activity, 67% of healthcare and 60% of fintech sector open-source codebases also contained vulnerabilities.

91% of open-source codebases contain abandoned components. — Synopsis “2021 Open Source Security and Risk Analysis” report

On the positive side, any malicious code introduced into open source won’t stay long thanks to the active, and proactive, ecosystems that are the mark of open-source projects.

“Open-source software is a huge net positive for security,” Offutt stated. “More eyes on the software means a higher likelihood of vulnerabilities being caught before than can be exploited by bad actors.”

However, Offutt doesn’t take into account that code from abandoned open-source projects is still in active use. The Synopsis audit found that “an alarming 91% of the codebases contained open-source dependencies that had no development activity in the last two years — meaning no code improvements and no security fixes.”

Combining employee awareness with intelligent security solutions

Digital companies reliant on data for their revenue streams are walking a knife-edge when it comes to security. Data must be accessible, or its value cannot be extracted. Employee data citizens have the right to access data, but they also have the responsibility to make sure the data they handle is correct and protected.

A proper data security strategy should take into account all these factors. It must entrust data citizens to access data in order to ask the questions and find answers that will build a better more efficient company, but it must also understand that humans are fallible and that cybercriminals are ruthless and always working to identify and exploit any weaknesses in a company’s security shield.

A data-centric culture where employees understand the value of the data they handle and receive continual and comprehensive cybersecurity education joined with sophisticated, smart cybersecurity tools is the best defense a company can take.

“A strong data culture means that teams are able to move fast, quickly make important decisions based on data and trust that the data is accurate,” Christiaens stated. “Data culture ultimately impacts every aspect of the business, from everyday decisions to your ability to innovate with technology like AI and machine learning.”

Image: Andrii Yalanskyi