If you don’t store valuable data, ransomware is powerless • The Register

Column Sixteen years ago, British mathematician Clive Humby coined the aphorism “data is the new oil”.

Rather than something that needed to be managed, Humby argued that data could be mined, refined, produced and resold – essentially the core business of 21st century computing. Yet, while data has become an inexhaustible source of wealth, its intrinsic value remains difficult to define.

This is a problem, because what cannot be assessed cannot be insured. Ten years ago, insurers began to consider offering policies to insure data against loss. But in the absence of any methodology to value this data, the idea quickly landed in the “too hard” basket.

Or, more accurately, it landed on the to-do lists of IT departments, which valued data by asking the business how long it could live without it. This calculation led to determining recovery point and recovery time objectives, and then paying what it took to create (and regularly test) backups that meet those timelines to restore access to the data and the systems that use it.

This strategy, while wise, did not anticipate ransomware.

Cybercriminals have learned to exploit every available attack surface to make enterprise data, which is hard to value but vital, impossible to use. Ransomware transforms data in place into cryptographic noise – the equivalent of a kidnapper showing off his hostage, while laughing at the powerlessness of the authorities.

Companies now face not only data loss, but also data theft. Not only is the data gone, but it has been “released” by a malicious actor who chooses to share exactly the parts of that data that are most damaging to your business, your customers, and your brand.

Do you still have a business? If so, how many lawsuits have been filed by customers who have themselves been harmed by your failure to keep private data confidential? Who will want to do business with you in the future? And will you be able to trust any of your systems – or your people – again?

Sony barely survived the reputational damage of the severe attack it suffered in 2014 – and it’s not clear that any other company would do much better under similar circumstances.

Arguably the best strategy to avoid costly repairs is to avoid storing sensitive data. Let your customers own their own data and ask them for (limited) permission to use it. These techniques exist, but they are rarely used, because such an approach directly interferes with the benefits to be gained from endless data analysis. Short-term gains open the door to long-term losses.

We’ll be caught on the horns of this dilemma until we learn – the hard way – how to collect, store and use data without getting burned. ®