If you want to make a cybersecurity professional uncomfortable, simply utter these two word: 'Data exfiltration.' Why will this term garner an emotional response? Because data exfiltration is a worst-case outcome of a cyber-attack - think Target, the NY Times, Google Aurora, Titan Rain, etc. Simply stated, 'data exfiltration' is a quasi-military term used to describe the theft of sensitive data like credit card numbers, health care records, manufacturing processes, or classified military plans.
Most enterprises now recognize the risks associated with data exfiltration and are now reacting with new types of security technologies, granular network segmentation, and tighter access controls. Good start but what about simply monitoring sensitive data access activities? You know, who accesses the data, how often, what they do, etc.?
This sounds logical so you'd think that most enterprises would constantly be watching sensitive data access continually but this is not the case. According to ESG research, only 29% of enterprises monitor sensitive data access on a continuous basis. The other 71% of large organizations review sensitive data access on a weekly, monthly, quarterly, or as-needed basis if they do so at all.
When I first looked at this data, I was shocked. You can't walk into a building these days without noticing a surveillance camera, but many organizations remain blissfully ignorant about what's happening with their most valuable data assets.
Why aren't these organizations more diligent? ESG asked 450 IT security professionals this very question and found that:
-43% said that their organization does not have enough security staff members to monitor and analyze sensitive data access activities all the time. (There's that pesky cybersecurity skills shortage coming into play again).
-37% said that it would be too costly to monitor sensitive data access all the time.
-31% said that their organization doesn't have the right security analytics tools to get an accurate picture of sensitive data access.
If you ever wondered why Private Bradley Manning and Edward Snowden were able to walk off with volumes of sensitive data, this ESG research provides a simple answer - no one was watching them.
I certainly understand that data security is extremely difficult since sensitive data is distributed, resides on all types of devices, transported over public and private networks, and regularly shared amongst groups of employees and business partners. Very true, and most firms don't have the right technical controls to manage this unruly behavior. That said, it appears like too many organizations use this as an excuse for 'security by obscurity' mode.
There are data security technologies (Box, Symantec, Varonis, Vormetric, etc.), Identity management solutions (Centrify, Courion, Sailpoint), and privileged account management tools (CyberArk, Dell/Quest, Lieberman) that can all help organizations monitor sensitive data access or integrate with SIEM to issue security alerts in reaction to anomalies and rules violations. Many firms already have tools like these in place, so this seems like a logical place to implement more proactive monitoring.