columns Sixteen years ago, British mathematician Cliff Humby came up with the adage “data is the new oil.”
Instead of something you need to manage, humble argumentative data can be mined, mined, refined, produced, and sold—the core activities of 21st century IT. However, while data has become a source of infinite reward, its intrinsic value is still difficult to determine.
This is a problem, because what cannot be valued cannot be secured. A decade ago, insurers began to consider introducing policies to insure data against loss. But in the absence of any methodology for evaluating that data, the idea quickly landed in the “too hard” basket.
Or, more accurately, you can access the task lists of IT departments that value data by asking the company how long they can live without it. These accounts led to setting recovery point and recovery time goals, then paying what it takes to create (and test regularly) backups that meet those deadlines to restore access to the data and systems you use.
This strategy, while sound, did not anticipate ransomware.
Cybercriminals have learned how to exploit every available attack surface to make hard-to-value but extremely vital corporate data impossible to use. Ransomware transforms data On site In coded noise – the equivalent of offering the kidnapper his hostage, while laughing at the powerlessness of the authorities.
Companies are now facing not only data loss but data theft. Not only is the data gone — it has been “liberated” by the threat actor who has chosen to share the bits of that data that are most harmful to your business, customers, and brand.
Do you still have a job? If so, how many lawsuits have been brought by customers who themselves were harmed by your inability to keep private data private? Who would want to do business with you in the future? And can you again trust any of your systems — or your employees?
Sony has barely escaped the reputational damage of a serious 2014 attack – and it’s not clear if any other business would do much better in similar circumstances.
Arguably the best strategy for avoiding devastating compensation costs is to avoid storing any sensitive data at all. Allow your customers to keep their data private, and ask them for (limited) permission to use it. These techniques exist – but they are rarely used, because such an approach directly interferes with the profits that can be reaped from endless data analytics. Short-term gains open the door to long-term losses.
We’ll be stuck in the horns of this dilemma until we learn – the hard way – how to collect, save, and use data without getting burned. ®