By Matthew Meehan, chief operating officer at TokenEx
We have all heard the proverb that teaches, “slow and steady wins the race.” But what if slow isn’t an option? In the wake of COVID-19, many businesses sped through the digitization process to transform their businesses in record time. In their haste, important data protection measures and security considerations were either undermined, or simply not considered.
To meet the heightened demand for cloud-based applications, businesses are migrating most, if not all, apps, files, and other business elements to public or private clouds. This helps users work more efficiently from home, but it also means more information is unprotected and available for cybercriminals to grab. The inconvenient truth is that, while most businesses have been distracted by digital transformation (DX), sensitive data has been left on a metaphorical windowsill, like a freshly baked apple pie.
Security is For Us, Not Against Us
There is a common misconception that data security inhibits DX – but this couldn’t be farther from the truth. When an organization is able to confidently outsource their sensitive data protection needs to expert 3rd-party providers—like TokenEx—it allows for the reallocation of internal resources to prioritize the business and its objectives for growth, giving it a competitive edge over those who attempt to handle security internally. This is an argument for security as an enabler to faster and effective DX.
Also consider an example of a fintech start-up that wants to build from the ground up. From a macro level, the primary focus is speed to market. This means that the product team’s time and resources are spent defining target customers, securing funding and achieving the kind of scale that can bring its features to market quickly. When all is said and done, data security can easily become an afterthought. Yet, especially in industries like fintech, a breach of customer information could be an unfortunate risk that shuts the operation down before it begins.
A smart approach – especially for a fintech storing or transmitting credit card data – is to build an ecosystem that secures data at the point of collection, all the way through its transmission through APIs. By doing so you streamline compliance and DevSecOps processes which will naturally accelerate DX and product evolution. Further, a platform that helps companies meet risk and compliance requirements allows fintech businesses to bring digital purchasing experiences to market without the headaches. Outsourcing digital security is also more cost-effective as it reduces the risk of future monetary loss from a data breach and lessens the burden on leadership that likely does not have cybersecurity expertise.
Data is All-Too Enticing to a Cybercriminal
In 2021, it should go without saying, but any organization that collects and handles sensitive data – such as credit card numbers or patient health information – must take steps to secure and protect these assets. Data security is such an important element of business today that governments around the world require meeting strict data security mandates and will impose serious fines and penalties if violated. These regulations are continuously evolving as threats become more sophisticated and targeted. In fact, Gartner predicts that by 2023, 65% of the world will have its personal information covered by some sort of privacy regulation, up from 10% of the world in 2020.
Data security law can be overwhelming and when compounded with the fact that the traditional model of “perimeter cyber defense” is flawed—indicated by the sheer number of breaches we see on a daily basis—the need for a new data security model becomes all the more apparent. There is no sure-fire way to avoid a data breach, despite thousands of cybersecurity vendors campaigning otherwise. While we can’t stop attackers from stealing information, we can make that stolen information unusable.
Devaluing Data: Take Away Their Profit
There is no silver bullet to avoiding a breach in the digital economy; no defense has proven impermeable. From human error to malware, phishing emails to brute force, cybercriminals find ways to steal and to profit. Rather than banging our collective heads against a wall trying to stop a breach from happening, businesses can implement pseudonymization processes to devalue sensitive data in the enterprise, to minimize the aftershock.
Tokenization is one method of pseudonymization where sensitive data is turned into non-sensitive data called “tokens.” Tokenization works to secure sensitive data by replacing the original data with an unrelated value of the same length and format. The tokens are then sent to an organization’s internal systems for use, and the original data is stored in a secure token vault. By implementing tokenization that identifies and converts sensitive data prior to it reaching the client environment, scope is eliminated or reduced drastically. When this is not possible, tokenization can still be implemented in a way that confines the footprint of sensitive data and converts it to tokens, dramatically minimizing the amount of data at risk. Of even greater benefit, the proper tokenization implementation preserves the value or utility of actual sensitive data by maintaining persistence and status as a unique identifier that can be associated with a customer record. This enables internal data sharing that addresses the concerns of internal security teams while meeting the needs of analytics and marketing teams.
Traditionally, security experts would advise companies to encrypt data, which is essentially a process whereby you mathematically change sensitive data in a way that its original pattern is still present within the new code. Hackers have shown over time, though, how easy it can be to decrypt valuable data sets by using stolen keys. Unlike encryption, tokenized data is undecipherable and irreversible.
Despite what the record number of data breaches that have occurred in the last ten years may lead you to believe, companies aren’t incompetent or doing a bad job when it comes to cybersecurity. The issue is that the model they are relying on for data security is broken. In fact, most companies that are being breached are compliant and have well-developed cybersecurity programs. The model is simply flawed. Tokenization renders data unusable, solving the issue at its core.
Companies that have made strides in DX during the past year shouldn’t be fearful of cyber threats; they also shouldn’t operate under the assumption that security will automatically hinder transformative efforts, either. It’s quite the contrary. However, companies that are unsure how a strong security posture fits into plans for DX should look for a data protection partner that can execute pseudonymization of data to reduce risk and losses in the inevitable event of a data breach. By devaluing the digital assets they have, companies can feel assured that customer information isn’t a ticking time bomb. Allowing data protection and security to work with us, not against us, is imperative to continuing business growth and innovation, post-pandemic.
About the author
Matthew Meehan is chief operating officer at TokenEx and a serial entrepreneur focused on strategic growth and innovation. His depth of knowledge and expertise to ensure operational excellence also includes strategy design, business development, risk management, acquisitions, and maximizing shareholder value through growth strategies that generate revenue streams and increase profitability.