• United States




The changing data protection paradigm

Sep 22, 20165 mins

It is impossible to keep data secure and free from alteration when you can't keep track of what you have, where it is and what its value is. So where to begin?

rescue recovery data binary sea ocean [Thinkstock-99694205]
Credit: Thinkstock

I spent last Thursday as I usually do, on the track at the YMCA while listening to my favorite podcast, Down the Security Rabbithole.

The episode, titled “Data Protection Primer,” discussed the importance of protecting data security and privacy. One of the guests, Vlad Klasnja, the data protection and privacy manager for Optiv, made the point that despite the challenges, organizations must start addressing data protection, even if it means starting small. This put my main brain into high gear for the balance of my run, thinking through how we collectively got into this mess, and how we can begin to climb out of it.

Twelve years ago, I was the technology head for a consumer credit bureau. Our data was obviously very sensitive, and, even at the time, heavily regulated. While protecting this data was a challenge, it was fairly easy compared to what organizations face today. I had little else to protect other than my consumer database. I knew exactly where the data was: replicated between two data centers, and on backup media at a secure storage facility. It was minimally accessible to the outside world. Even the data that was indirectly web-accessible resided in my facilities.

In just a few years, the industry has experienced a data paradigm shift. Most organizations now must deal with massive amounts of incoming data, in various forms, ranging from structured information in the form of databases and lists to unstructured data, including documents, images and — as the podcast hosts said tongue-in-cheek — even cat pictures.  

The amount of new data available is staggering. As the Harvard Business Review aptly put it, “More data cross the internet every second than were stored in the entire internet just 20 years ago.” This data has varying degrees of value and sensitivity, and resides on a variety of systems, including endpoints, removable media, local servers, cloud servers, and cloud-based services like Box and Dropbox. This growth and spread of data has quickly exceeded the ability of most companies to keep track of it, let alone protect it.

This massive influx of data, spread out among various locations, has naturally brought with it increasing security exposures, leading to an almost daily data breach crisis. It is impossible to keep data secure and free from alteration when you can’t keep track of what you have, where it is and what its value is. Given the challenges of keeping track of this flood of data, it is not surprising that data breaches often take a long time to discover, averaging more than 146 days in 2015, as reported by SecurityWeek.

Major corporations, despite their large teams and budgets, find it very difficult to keep up with and protect their data. Consider the recent examples of Sony, Target and Home Depot. If they can’t protect their data, what hope do small and medium enterprises (SMEs) have of keeping up?

While the challenge of data protection under our new paradigm seems overwhelming,  it is, as Vlad Klasnja put it, imperative that we start somewhere. In an effort to help organizations who have yet to tackle their data problems make this start, I would suggest a somewhat simplified and nonthreatening approach:

Figure out what you have

Data protection starts with an inventory of what data you have. Given the spread of data today, this will not be easy. It is possible, however, and must be done as a start to tackling the problem. This is a particularly complicated endeavor given the growth of data stored in the cloud, a fact that many companies are coming to grips with after the massive release of password data stolen from Dropbox. Fortunately, there are data discovery and inventory tools coming on the market, like Enterprise Data Discovery by GTB Technologies.

Quantify your risk

It is essential that you understand the risk posed by each of your data sets. Knowing this helps to determine what the priority for protection will be, how much you should be spending on insurance and the degree of your compliance exposure. The best approach to this, in my view, is a basic risk assessment. Take a look at my article “The dreaded risk assessment” for guidance on a basic approach to this.

Prioritize your data for protection

You can’t address everything at once, so prioritize your data for protection, based on the results of your risk assessment. You also need to make your time and monetary investment in protecting it proportionate to its value. Some data sets you will want to protect like Fort Knox protects gold, and others will require less protections.

Start at the top, and work your way down the list

Devise and implement a strategy for your highest-risk data, and work your way down the list in priority order. You will need to consider a wide variety of approaches to protection, including encryption, network segmentation and data loss prevention.

Keep up

Even as you work to identify and protect your data, you must devise a means of keeping up with new data coming in. This will require strong discipline within your organization, such that those who obtain or create data report it to those responsible for maintaining the inventory. There are various controls you can consider, including limiting access to storage services like Box, limiting the amount of disk space available to individual users, and preventing the creation of databases by anyone other than authorized personnel.

Bottom line: Data protection is not easy. It is essential, however, and the importance of protecting data is growing by the day. Instead of letting the complexity intimidate you, dive in and make a start.


Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of Mr. Covington has B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with emphasis on high-volume, mission critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIT and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author