Data security without a lockbox

June 15, 2018

This Washington Post story about a Navy contractor hacked by the Chinese government should send shivers down the spines of cybersecurity chiefs across the U.S. It’s safe to say the Navy won’t be working with that unnamed, but very embarrassed, contractor in the future.
While the Navy didn’t want to give too many details, we do know that the data breach included “614 gigabytes of material relating to a closely held project known as Sea Dragon, as well as signals and sensor data, submarine radio room information relating to cryptographic systems, and the Navy submarine development unit’s electronic warfare library.”

This story highlights the current conundrum for companies in the data access space: We want our data to be more accessible, more dynamic and more useful in everyday operations and maintenance regimes. On the other hand, we don’t want free data transfer to turn into a feeding frenzy for hackers. If we have data access solutions “on the Edge” or that involve frequent transfers of terabytes of data across geographic locations, we have to ensure there is encryption “on the wire” as well as at rest, and install safeguards that deter hackers from exploring the “crown-jewel data sets” that can make or break your company.

While most companies employ a horde of engineers to scope out the latest firewall and encryption technologies, the key to a solution might lie more in company culture than in the code (and as we all know, hackers are often a few steps ahead of even the best security measures). If every data “lockbox” is installed on the system, there is the danger of slowing data transfer speeds to a crawl or putting up obstacles that get in the way of data insights.

Here are five ideas to keep everybody in the company on their toes:

  1. Offer a cash bonus each quarter to the person on your team who finds a vulnerability that wasn’t seen before. Vigilance is everything… by the time an employee is reporting a breach, it’s too late.
  2. Organize a “hack-a-thon,” in which engineers are challenged to break the system or gain access to otherwise locked data.
  3. Have a data breach plan done beforehand… in writing. That’s right, if it’s not on paper, it’s only a memory of a meeting three months ago. A good data breach plan will have step-by-step protocols: what to shut down, for how long, and what diagnostics to run. Beyond the technical side, executives and customer- and media-facing employees need to have a consistent message about what happened and what’s being done to fix it.
  4. Don’t assume you’re not a target because you’re not Yahoo, Target or Sony. It’s true that state actors often are looking at the biggest companies that have the largest data stores to exploit. But if there’s one thing that’s become clear in the last decade, it’s that there are well-funded worldwide efforts by intelligence agencies (the U.S. included) to find usable data assets, no matter what it takes to get them. Even startups will be on the radar.
  5. Design products with a “maximum security, minimum locked data” mindset. There should be a designated decision-maker within your organization that is balancing this see-saw every day. There may be an irresistible urge to put a steel curtain down (a.k.a. air-gapped boxes in a server room) on your data. That’s not the world we live in… with data freedom comes risk!