Why data is the new uranium
By Nick Ellsmore, Senior Vice President, Worldwide Consulting and Professional Services, Trustwave
Tuesday, 07 March, 2023
For years, the message was that ‘data is the new oil’. This metaphorical comparison was rooted in the idea that, like oil, data is a coveted resource that can power the modern world.
In response, organisations the world over stockpiled data and ‘big data’ became the buzzword of the moment. Even if the data didn’t have any immediate use or value, like oil shale fields for most of the 20th century, companies held on to the asset just in case.
Unfortunately, these organisations are now realising that these data stockpiles are a lot less like oil than they are like uranium: hard to extract value from, risky and expensive to store, and a significant target for malicious actors.
Yes, like uranium, data can be a valuable resource that can drive innovation and create new business opportunities. Some things are simply impossible without it. However, the consequences of its mismanagement can be severe, and these consequences are now starting to become clear.
A collaborative effort
In 2022, there were significant data breaches in Australia, including some that involved sensitive personal information and health data. These were by no means the first; however, the scale and the proximity of two major breaches late in the year shocked the public out of their apathy. Community outrage galvanised federal and state governments, who rapidly determined that the voters wanted an example made, and committed to do so.
While a superficially simple declaration, the move to hold companies responsible for the cost of replacing compromised personal identity documents fundamentally changed the economics of ‘big data’ for many businesses. A ‘cost if breached’ has now been put on each data record: every passport, licence and, extending to the corporate realm, every credit card number.
For the vast majority of organisations, this simple move will have completely up-ended the cost–benefit analysis for storing this data. For any organisation that has not yet run the numbers, it is absolutely imperative to do so.
In this new environment, the best project almost any business can undertake is to back-burn its data: getting rid of, or reducing, the amount of sensitive data it keeps. Being intentional about where the remaining data is stored, and how it is protected, is similarly critical. The price organisations will pay for a breached passport number does not vary based on whether it was taken from Dave’s lost USB drive or from the highest of security systems.
The good news is that we’ve seen this before: the payment card industry data security standard (PCI DSS) v1 was released almost 20 years ago, in 2004, setting out the requirements companies must meet when they accept, process, store or transmit credit card information. No longer was it okay to blindly store credit card data on random business systems and the logical response from most businesses was to get out of the credit card data storage business and outsource to specialists.
PCI DSS is successful because the main credit card brands (Visa, Mastercard, American Express, Discover and JCB) came together and supported it consistently. It is also successful because of its clarity and lack of wiggle room: there is limited opportunity to ‘risk assess’ a way out of a control obligation. There needs to be a similar standard for all sensitive personal data held by businesses.
While a significant portion of recent breaches have stemmed from third parties, the irony is that third parties are also likely to be the solution here. Smaller organisations will not have the resources to manage their data in-house. There are not a lot of small businesses with a few kilos of uranium out the back.
The answer may be the emergence of a small number of third-party service providers tasked with holding, managing and protecting data using secure processes such as tokenisation. Businesses would no longer need to keep the sensitive data themselves; instead they would hold only a token and rely on a secure, third-party PII data storage service for the underlying record. Economies of scale would mean that these providers could protect the data effectively, and a rigorous audit and assurance regime would provide checks and balances.
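To make the tokenisation model concrete, here is an added illustration (not code from Trustwave or from any real provider): a hypothetical `PiiVault` class stands in for the third-party service, business systems keep only opaque tokens, and the passport numbers and caller names are constructed sample values. Tokens are random, so nothing about the document can be recovered from a leaked business database; de-tokenisation is restricted to authorised callers and every access is logged, which is the audit trail the assurance regime would inspect.

```python
import hashlib
import hmac
import secrets


class PiiVault:
    """Hypothetical tokenisation service: the only place the real value lives.

    index_key: a secret used to fingerprint values for de-duplication, so the
    same passport tokenised twice maps to one token without storing a plain
    hash that an attacker could brute-force. (Constructed for this example.)
    """

    def __init__(self, index_key: bytes, authorised_callers: set[str]):
        self._store: dict[str, str] = {}   # token -> sensitive value (vault side only)
        self._index: dict[str, str] = {}   # HMAC(value) -> token, for de-duplication
        self._index_key = index_key
        self._authorised = authorised_callers
        self.audit_log: list[tuple[str, str, str]] = []  # (action, caller, token)

    def _fingerprint(self, value: str) -> str:
        return hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, value: str, caller: str) -> str:
        """Store the value in the vault and hand back an unrelated random token."""
        fp = self._fingerprint(value)
        token = self._index.get(fp)
        if token is None:
            token = "tok_" + secrets.token_urlsafe(24)  # random; no relation to value
            self._store[token] = value
            self._index[fp] = token
        self.audit_log.append(("tokenize", caller, token))
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Return the real value, but only to an authorised caller, and log it."""
        if caller not in self._authorised:
            self.audit_log.append(("denied", caller, token))
            raise PermissionError(f"{caller} may not de-tokenise")
        self.audit_log.append(("detokenize", caller, token))
        return self._store[token]

    def masked(self, token: str) -> str:
        """Partial view for customer-service screens: last four characters only."""
        value = self._store[token]
        return "*" * (len(value) - 4) + value[-4:]

    def erase(self, token: str, caller: str) -> None:
        """Back-burn: delete the record so there is nothing left to breach."""
        value = self._store.pop(token)
        self._index.pop(self._fingerprint(value), None)
        self.audit_log.append(("erase", caller, token))


def build_demo():
    """Business side: customer records hold tokens, never the passport number."""
    vault = PiiVault(index_key=b"constructed-demo-index-key",
                     authorised_callers={"identity-verification-service"})
    # Constructed sample data; not real passport numbers.
    customers = [("Alice", "PA1234567"), ("Bob", "PB7654321"), ("Alice", "PA1234567")]
    records = [{"name": name, "passport_token": vault.tokenize(passport, "crm-app")}
               for name, passport in customers]
    return vault, records


def leaked_contains_passport(records, passport: str) -> bool:
    """What a breach of the business database would expose: tokens only."""
    return any(passport in str(record) for record in records)


if __name__ == "__main__":
    vault, records = build_demo()
    print(records)  # only tok_... values appear
    print(vault.masked(records[0]["passport_token"]))
    print(vault.detokenize(records[0]["passport_token"], "identity-verification-service"))
    for entry in vault.audit_log:
        print(entry)
```

The de-duplication index uses a keyed HMAC rather than a plain hash precisely because passport and licence numbers have small, guessable formats; the key never leaves the vault. The `erase` method is the operational form of the article's "back-burn" advice: once the record is gone, the token left in business systems is worthless to an attacker.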
From oil to uranium
For so long, businesses have been told how valuable their data is and how customer-centric companies depend on it to gain a competitive edge. This is no longer the case. The cost–benefit of storing data has changed and it’s time to think of it differently. Even if organisations want to maintain access to it, they shouldn’t necessarily be storing it themselves.
Collaboration between the federal government and industry is necessary to implement a PCI DSS-like security standard that can be applied to all sensitive data. The government needs to work with industry to enforce a baseline for businesses to effectively manage their data, keep it secure and prevent it from landing in the wrong hands. From there, a marketplace should emerge of government-endorsed or certified providers that can act as a secure service to hold that sensitive data and intermediate access.
Thinking of data as being as valuable as uranium, not oil, requires a complete shift in mindset. While businesses may place great value on the data they collect about their customers, it’s worth asking whether they really need it. And if not, what should they do with it?
The rational answer is to get rid of it, safely.