If you didn't store valuable data, ransomware would become impotent

Column Sixteen years ago, British mathematician Clive Humby came up with the aphorism "data is the new oil".

Rather than something that needed to be managed, Humby argued data could be prospected, mined, refined, productized, and on-sold – essentially the core activities of 21st century IT. Yet while data has become a source of endless bounty, its intrinsic value remains difficult to define.

That's a problem, because what cannot be valued cannot be insured. A decade ago, insurers started looking at offering policies to insure data against loss. But in the absence of any methodology for valuing that data, the idea quickly landed in the "too hard" basket.

Or, more accurately, landed on the to-do lists of IT departments who valued data by asking the business how long they could live without it. That calculus led to determining objectives for recovery point and recovery time, then paying what it took to build (and regularly test) backups that achieve those deadlines to restore access to data and the systems that wield it.

That strategy, while sound, did not anticipate ransomware.

Cyber criminals have learned how to exploit every available attack surface to make firms' hard-to-value-but-oh-so-vital data impossible to use. Ransomware transforms data in situ into cryptographic noise – the equivalent of a kidnapper displaying their hostage, while laughing at the powerlessness of the authorities.

Businesses now face not just data loss but data theft. The data is not only gone – it's been "liberated" by a threat actor who chooses to share exactly the parts of that data most damaging to your business, your customers, and your brand.

Do you still have a business? If so, how many lawsuits have been launched by clients who have themselves been damaged by your inability to keep private data private? Who will want to do business with you in the future? And can you ever again trust any of your systems – or your staff?

Sony barely survived the reputational damage of the serious attack it endured in 2014 – and it's not clear that any other business would do significantly better in similar circumstances.

• Inverse Finance stung for $1.2 million via flash loan attack
• Bank for International Settlements calls for reform of data governance
• Atlassian comes clean on what data-deleting script behind outage actually did
• GitHub saved plaintext passwords of npm users in log files, post mortem reveals

Arguably the best strategy to avoid ruinous reparation costs is to avoid storing any sensitive data at all. Let your customers hold their own data, and ask them for (limited) permission to use it. Those techniques exist – but they're rarely used, because such an approach directly interferes with the profits to be made from endless data analytics. Short-term gains open the door to long-term losses.

We'll be caught on the horns of this dilemma until we learn – the hard way – how to collect, keep and use data without getting burned. ®