Sixteen years ago, British mathematician Clive Humby coined the aphorism “data is the new oil”.
Rather than something to be managed, Humby argued, data could be searched for, mined, refined, produced and resold—essentially the core activities of 21st-century IT. But while data has become a source of endless abundance, its intrinsic value remains elusive.
This is a problem because what cannot be assessed cannot be insured. A decade ago, insurers began offering policies to insure data against loss. However, since there was no methodology for evaluating this data, the idea quickly ended up in the “too hard” basket.
Or, more specifically, it ended up on the to-do lists of IT departments, who valued data by asking the company how long it could live without it. This calculus led to setting recovery point and recovery time goals, and then paying for what it took to create (and periodically test) backups that meet those deadlines, to protect access to the data and the systems that support restoring it.
While this strategy was reasonable, it did not envisage ransomware.
Cybercriminals have learned how to exploit every available attack surface to render an organization’s hard-to-assess but critical data unusable. Ransomware transforms data on site into cryptographic noise — the equivalent of a kidnapper parading his hostage while laughing at the authorities’ impotence.
Businesses now face not only data loss but data theft as well. The data isn’t just gone—it’s been “liberated” by an attacker who is sharing the very parts of that data that are most damaging to your business, your customers, and your brand.
Do you still have a business? If so, how many lawsuits have been filed by customers who have themselves been harmed by your inability to keep private information private? Who wants to do business with you in the future? And can you ever trust your systems – or your people – again?
Sony barely survived the reputational damage of 2014’s severe attack – and it’s not clear that other companies would fare significantly better in similar circumstances.
Probably the best strategy to avoid ruinous repair costs is to not store any sensitive data at all. Let your customers own their own data and ask them for (limited) permission to use it. These techniques exist – but they are rarely used, because such an approach directly impacts the profits to be made from endless data analysis. Short-term gains open the door to long-term losses.
We’ll be stuck in this dilemma until we learn—the hard way—how to collect, store, and use data without getting burned. ®
https://www.theregister.com/2022/06/23/the_price_of_data/ If you don’t store valuable data, ransomware is powerless • The Register