I want you to think about the following question:
Is it better to prevent a bad incident from happening, even if the prevention success rate is less than 100%, or should you instead prepare a mitigation plan to limit any negative effects a bad incident may inflict?
This very question is being debated every day by IT security teams worldwide insofar as the best way to protect their organization’s data. With that said, most of us grapple with this same decision in everyday life. When people purchase brand-new vehicles, do they go out of their way to ensure that no damage happens to them at all? Or do they just invest in the best possible insurance policies so that any and all repairs are covered when accidents and mishaps occur? When you think about it, we are confronted with similar choices between incident prevention and incident mitigation at home, at work and everywhere in between. The correct decision just depends on the person and the situation.
Going back to cybersecurity, just know that businesses ponder this same question when determining the best course of action for protecting their most valuable asset: data. The modern cyber-criminal is always seeking new methods and tactics to steal sensitive data, which is detrimental for any organization – think of the brand damage and negative publicity, costs of remediation and implications for failing to adhere to privacy standards like GDPR, CCPA and HIPAA, just to name a few. Because of the sensitive nature of data being collected, governments have enacted guardrails to regulate how organizations use and protect this highly sensitive consumer data.
Compliance is one of the many factors that security professionals must consider when choosing between breach prevention and breach mitigation. What is the best strategy for your business to choose? Do you invest in a variety of tools that try to prevent data breaches from occurring (remember that no 100% foolproof option truly exists, despite what vendors might tell you)? Or, do you go down the route of accepting that a breach is likely to occur at some point and therefore invest in solutions that mitigate a breach, meaning any information that threat actors get their hands on is rendered completely unreadable and thus worthless for their nefarious purposes?
"Compliance is one of the many factors that security professionals must consider when choosing between breach prevention and breach mitigation"
Both options – prevention and mitigation – have merit. However, don’t just select one and neglect the other because both should be implemented simultaneously as part of a comprehensive cybersecurity posture. As we have seen over the past two years, the number of attacks has escalated, with organizations suffering from a myriad of threats that have resulted in stolen data, exploited individuals and disrupted supply chains.
To counter these threats, organizations need to enforce a multi-layered defensive strategy for their enterprise data and entire IT infrastructure. Moreover, organizations should adopt the mindset that suffering a successful attack is inevitable and sensitive data within the environment might be accessed. Nevertheless, that data doesn’t have to be comprehensible in any meaningful way. In addition, businesses should embrace a zero trust model in which denying implicit trust to a user or entity simply based on location within the network environment is the default state. Of course, apply breach prevention and monitoring (firewalls, user access management and intrusion detection) but couple these tactics with breach mitigation in the form of data-centric security, which reduces negative consequences and fall-out should a data leak or breach occur. Data-centric security focuses solely on protecting the sensitive data and not the infrastructure that houses it – it obfuscates sensitive data elements so that users can’t get to the sensitive information within.
For example, tokenization is a form of data-centric security that can be utilized as a layer of breach mitigation. By replacing sensitive data with representational tokens, the overall data format remains intact without having the real (and really sensitive) values in plain text. Should a threat actor access the network and find a way to the data in its tokenized state, the information would be meaningless and not of any value on the black market. Therefore the threat of data being exploited is effectively neutralized. Moreover, the business will still be compliant with any data privacy and security regulations. In this type of situation, even if the breach cannot be prevented, at least the harmful fall-out is mitigated.
Data breaches, unfortunately, are accelerating in 2022, and your business could be next. I’m not being alarmist here, just realistic and actually optimistic. Ensure that you have the best and necessary security defenses as a preventative measure and have a breach mitigation option such as data-centric security in place should your data ecosystem become compromised. It might just mean any potential negative disruptions are kept to a minimum, and your business will live to fight another day.