MACH X | April 28–29, Toronto | Register Now

5 Conversations Business and Tech Teams Should Have About Enterprise Data Security

Jun 22 2023 - By Member

During the last year, we’ve seen waves of data breaches and security incidents, with news reports about customer data lost or stolen and digital ransom becoming a common issue for businesses to deal with.

Global cyberattacks increased by 38% in 2022, compared to 2021 as reported by the 2023 research report from Checkpoint. 83% of organizations had more than one data breach in 2022 (IBM, Cost of a Data Breach Report 2022).

As a result, decision-makers have become much more aware of the threats to their data, driving change to how security needs to integrate with business operations in the future. According to a recent report from Trelix, 96% of CISOs say they need better solutions for their organizations to be more cyber-resilient. (Trellix - The mind of the CISO, 2023). Companies are racing to find the best ways to secure their enterprise data to avoid being a victim of the next digital train robbery.

In the past, security was often seen as a necessary evil. In the modern age, however, security has become a critical component of business success, ensuring the protection of valuable data and fostering trust with customers.

As digitalization progresses, businesses must adapt and take smart measures to mitigate risks and enhance security. But instead of treating these as opposing forces, they must work in synergy to enable growth and success.

Prepare yourself for important discussions between business leaders and technology leaders with our guidance. We’ve compiled a list of five crucial security challenges that both teams should address. We’ve even included questions and talking points to ensure that your data is properly organized, flexible, secure, available, and future-proof.

Outdated Legacy SoftwareIt's not uncommon for businesses to cling to their tried-and-true technologies, even if they're outdated and no longer supported by the vendor. Sometimes, these legacy tools are so ingrained in the company's processes that it's hard to imagine doing without them. However, the risks of keeping such technologies around can be significant. The now-defunct Accellion File Transfer Application, for example, has been linked to data breaches in various industries, including banking, grocery, energy, and education. Even though the software was past its end-of-life stage, many companies still depended on it, leaving them vulnerable to cyber attacks.

The older software systems were not designed to handle the numerous applications, data, and customer interactions that exist today. To accommodate new processes, companies had to heavily modify their existing systems, creating a complex web of dependencies that makes upgrading difficult. This leads to companies staying with outdated software versions, which can have serious consequences. It's like a train with holes in the side, held together with duct tape patches, allowing entry far beyond what was intended.

Points for business leaders to raise

  • What data does our team need to keep the business running? Where does it come from, what features and services does it power, and what channels does it serve?
  • What is the security status of the platforms handling this data, and what critical features and services are relying on outdated platforms?
  • Do we have a prioritized security debt backlog that shows the risk value and likely impact of each issue?

Unnecessary AccessAccording to Verizon’s 2023 Data Breach Investigations Report, 61% of breaches involved stolen or used credentials - this is up by 24% compared to last year's report and shows the urgent need to negate this security threat.

While cybersecurity training and awareness are crucial, mistakes are bound to happen. Hence, improving technology should be the primary focus. A practical approach involves combining efforts to build a fully security-savvy workforce with a technology-based strategy that prepares for worst-case scenarios.

Compartmentalized SecurityProtecting sensitive data from theft and misuse is crucial for businesses. A compartmentalized security approach can limit access to essential data and services to only those employees and contractors who need them. This approach reduces the risk of stolen credentials being used for malicious purposes by limiting their scope of use.

MACH tools are an excellent option for implementing this level of granular security. The "M" in MACH stands for microservices, which means that MACH tools are designed to break up applications into smaller services that can be compartmentalized. This design can be used to define access rules and limit unauthorized data access. Many MACH vendors also offer additional security services, such as network and identity management.

Points for business leaders to raise

  • What data does each individual on the team, including contractors, need to access to do their job?
  • Do these access needs show a pattern that could be used to map security zones?

  • What are the current access management tools in use, how are they segmenting access currently, and are they capable of further granularity?

Scalable PracticesWith the average enterprise using 1400+ cloud applications and services, businesses are dealing with an increasing distribution of data across multiple platforms all using a variety of APIs to shuttle information back and forth.

The older these APIs are, the less they are designed to work with minimal levels of authentication to hand over data, making them an attractive entry point for a breach. Additionally, the large number of APIs being used throughout the enterprise tech stack makes it nearly impossible to assign custom access rules to each one, meaning companies need an API security solution that is repeatable in order to scale safely.

Security by DesignSecure by Design software is built with multiple safety measures from the ground up, eliminating the need for additional security layers. These measures may include separating the code between the client and server, tokenizing sensitive data, and employing extra levels of authentication for high-risk actions.

MACH tools, designed with an API-first approach, offer a unique set of benefits and challenges to a company's security strategy. While they introduce more APIs, they're also built with a focus on API-security, providing standardization and natural compartmentalization of data for easier management at scale. Although specific security practices will vary, MACH tools can enhance overall security efforts.

Points for business leaders to raise

  • Do we offer mandatory security awareness training for developers, DevOps engineers & Product Owners?
  • Who is in charge of “Security-by-Design” in our company? How busy are they, what access rights do they have and when are they involved?
  • Do we have security baked into our software development process already, and, if yes, are we compliant with ISO 27000 and aligned with SDLC design principles?
  • Do our teams practice DevSecOps and is continuous security a principle we follow?

Recovery and ResponseOn average, a cyber incident interrupts business for 18 hours and costs $590,000 according to a McAfee report on the hidden cost of cybercrime. A separate survey from IBM hints that these numbers could be on the rise, with 76% and 70% of respondents saying that pandemic-related remote working would increase the time to identify and the cost of a data breach, respectively.

Transparent and Automated Digital Hygiene

Having a clear picture of where data lives is key to recovering it. Unfortunately, many organizations don’t have full visibility into the pockets of data stored across their disparate legacy technologies.

With data used in a variety of critical ways across departments, creating that clear data map is a collaborative effort. Input is needed from all teams to create holistic strategies to monitor and back up data, reduce duplication, and introduce intelligent monitoring tools such as those for threat detection and detailed auditing.

Points for business leaders to raise

  • What is our current data lifecycle - where does it come from, where is it stored, how is it backed up, and when can it be retired?
  • What types of security monitoring are already in place, how will our team be notified if there is a breach, and what are the actions we should take if that happens?
  • How could we automate the most time-consuming, security related tasks?

CapacityNearly 3 out of 4 IT leaders believe that there is a cyber skills gap in their teams, and 65% agree that this gap has a negative impact on the team’s effectiveness. But the pool of experts can not serve this demand any time soon.

Global leaders indicate that:

• 60% struggle to recruit cybersecurity talent

• 52% struggle to retain qualified people

• 67% agree that the shortage of qualified cybersecurity candidates creates additional risks for their organizations (Fortinet, 2022 Cybersecurity Skills Gap).The skills shortage is putting companies at risk, with misconfiguration being the fastest growing root cause of data breaches over the past five years.

Security-as-a-ServiceSoftware-as-a-Service (SaaS) providers take responsibility for platform maintenance and updates, as well as providing security expertise to enterprise-level clients. This security management extends to API levels, including network security design, identity and access management, continuous monitoring, vulnerability scanning, and data loss prevention.

By trusting these tasks to SaaS providers, businesses with limited cloud technology experience reduce the risk of misconfiguration errors. In addition, they can benefit from the knowledge of multiple security experts within the network. MACH vendors naturally provide these services, which removes the burden of staying updated on security from their clients. Some businesses recognize this benefit and choose public cloud and MACH SaaS solutions for that reason.

Points for business leaders to raise

  • In our current set up, what security responsibilities lie with business users, IT teams, contractors, software providers, etc?
  • How confident are we in the ability of these parties to uphold their responsibilities? Why?
  • Which areas of security would ideally be outsourced, and which is important to keep in-house?
  • Did we ever consider selecting SaaS solutions to “outsource” security and risk management?

Interested in learning more about a MACH approach to security?

Software built around MACH principles (Microservies, API-first, Cloud-native, Headless) is designed for modern business. Security for mobile, cloud, integrations, and data exchange are integral components of these solutions.

If you want to discuss your unique security needs in relation to MACH principles, we can connect you with a MACH Alliance Ambassador. Our Ambassadors, who are experts in business and technology with real-world MACH experience, include industry leaders from Sharper Image, Bed Bath & Beyond, PUMA, and Dawn Foods.

Get in touch with us at info@machalliance.org to be matched with the MACH Alliance Ambassador most relevant to your business.

Author: Markus Tillman, Head of the Growth Council at MACH Alliance and EVP, Mindcurv