Recently, while I was settling in to watch Doctor Who with my family, we were treated to an amusing advertisement for a credit card company. This particular commercial showed men dressed as Vikings asking questions about the contents of my wallet. My son, who has never met a commercial he didn't like, laughed and then turned to me and asked the obvious question, "Papa, what's in your wallet?"
"Nothing," was my answer, and it's mostly true. Ever since direct deposit became a thing I find I never have any cash in my wallet, even while travelling. My wallet has a handful of credit cards, insurance cards, and a picture of my daughter taken when she was a few hours old.
As I thought about how minimal the contents of my wallet are, and how there are things inside of it I had forgotten about, I started to think about data and data protection. Many times, people and companies will store data without truly understanding its importance or value.
I think we should all take time to ask ourselves the simple question, "What's in your database?"
Data is the obvious answer, of course. But there are many different types of data inside of a database, some more sensitive than others. I'm not just talking about data types like INT or VARCHAR. No, I'm talking about data that can be classified as personally identifiable information (PII). This is data that contains a unique identifier from which the identity of a specific person can be obtained.
PII has existed for centuries (thank you, US Census!), albeit not in digital form. To some degree, awareness of this data's value has increased. This is evident in the number of security measures, such as encryption, access controls, permissions, password policies, and secure backups, that many companies offer and deploy as they try to protect their data and databases.
But has awareness of its value increased enough? No, I don't think so; and this will become even truer as the Internet of Things (IoT) begins to take hold. The evidence is that despite all of the security measures companies have adopted to protect their data and databases, we still have data breaches.
Why does this continue to happen?
As I said, I suspect it is because people don't understand the true value and importance of their data and databases. A database isn't just a container for your data. A database contains the most precious business assets a company has. If you don't have data, you don't have business.
It really comes down to the people. The humans involved are the weakest link in the data chain. In fact, humans have been known to give away their passwords in exchange for a cheap pen or a chocolate bar.
Perhaps the answer is that we need to think a little differently about our data and databases. Here are two ways to get that shift started:
- Think about your data as if it were your wallet. If someone told you that you might lose your wallet, you'd go out of your way to protect it more than usual. You should have the same mindset with your data. If concerned about losing your wallet, you'd move it to a front pocket, keep your hand on it, or minimize the contents inside of it so that if it were lost or stolen you would be able to recover quickly. For data, this means making certain you have effective monitoring, logging, and auditing tools in place, as well as effective security measures.
- If your wallet were lost, you wouldn't wait months to tell someone. You'd act quickly. The same should go for your data. The moment you know a breach has happened, you need to tell others so that the damage and loss are minimized.
Only by truly understanding and appreciating the value of our data and databases, and by motivating everyone to take these steps, will we see the diligence needed to protect data from theft. Maybe all we really need is our own commercial with IT professionals dressed as Vikings. That might help get the point across.