How businesses can mitigate risks and uphold compliance in 2024
Managing data privacy and compliance risks is becoming more difficult for businesses year on year. Cybercriminals continue to evolve their strategies at breakneck speed, making it difficult to identify, stop, and mitigate the damage of a malicious attack. Plus, recognising that they can breach thousands of companies and millions of records with one successful attack, many with nefarious intent have turned to the supply chain.
Unfortunately, 2024 is not going to be any easier. Part of the reason that managing the privacy and compliance of sensitive content communications is so difficult is that so many common tools reside in silos and were developed in a different era. But what are the other key issues to look out for in 2024?
The emergence of large language models
Despite bans and restrictions, the number of generative artificial intelligence (GenAI) large language models (LLMs) in use will only increase next year as the competitive advantages become too significant to ignore. This will expand the threat surface and the potential for sensitive content to be inadvertently or intentionally exposed.
Even with advances in security controls, data breaches stemming from GenAI LLM misuse will rise in 2024. High-profile examples drawing regulatory scrutiny are unfortunately likely. This will force data security to be a central part of any GenAI LLM strategy. Organisations slow to adapt will face brand reputation damage, lost revenue opportunities, potential regulatory fines and penalties, and ongoing litigation costs.
Legacy MFT tools being unfit for purpose
Managed file transfer (MFT) tools have been used for some time for the digital transfer of data in an automated, dependable, and secure manner. However, many are based on decades-old technology that is no longer fit for purpose. Because of this, we have witnessed a spiralling escalation of cyberattacks by rogue nation-states and cybercriminals on MFTs and other elements of the software supply chain over the past few years.
In 2023, two high-profile MFT tools were targeted. In both instances, multiple zero-day vulnerabilities were exploited: remote code execution (RCE) in the case of Fortra GoAnywhere, which impacted over 130 organisations, and a SQL injection in the case of MOVEit, which affected over 2,000 organisations and 62 million individuals.
Email will remain a major attack vector
Email remains the number one attack vector for cybercriminals and shows no sign of losing its place. In fact, in the past 12 months malware attacks instigated through email have shot up by 29%, while phishing attacks have grown by the same amount. Business email compromise (BEC) attacks have spiked by 66%. This has led to more than eight in ten data breaches now targeting humans as their first line of access using social engineering strategies.
As with legacy MFT solutions, many legacy email systems unfortunately lack modern security capabilities. Things need to change. Until organisations embrace an email protection gateway where email is sent, received, and stored using zero-trust policy management with single-tenant hosting, email security will unfortunately remain a serious risk factor.
Evolving regulatory standards
Regulatory bodies will continue evolving data privacy regulations in 2024 and continue to ratchet up their fines. Recent major fines, like those against Marriott and British Airways under GDPR, were in large part due to lapses in data security. It is clear that regulators will continue to come down hard on any company that negligently exposes personal data. And for good reason. This will mean that businesses will need to track and control content access more than ever and generate audit log reports to demonstrate compliance.
It is not an issue that is going to go away. In fact, Gartner predicts that personal data for three-quarters of the world’s population will be covered by data privacy regulations by the end of 2024, and the average annual budget for privacy in a company will rise to over $2.5 million.
Rising importance of data sovereignty
The need for increased data localisation is a growing trend that will make data sovereignty a real challenge for organisations this year. Many emerging privacy laws now require organisations to control the country where data resides. This can be a significant challenge for multinational corporations.
At the same time, data democratisation, the practice of making data accessible and consumable for everyone in an enterprise regardless of technical skill, is a trend that will also impact data sovereignty. Data sovereignty empowers organisations to maintain compliance with local and international data regulations, which minimises legal risks, establishes a reputation for responsible data handling, and helps companies avoid hefty fines. By prioritising data sovereignty, organisations can build trust with customers and stakeholders, enhance brand reputation, and avoid costly legal issues.
File sizes keep getting bigger
Challenges surrounding the handling of larger and larger files, especially those containing sensitive content, will become increasingly pressing for organisations in 2024. Digital rights management (DRM) adoption will accelerate as organisations aim to protect sensitive content with more robust solutions to ensure they comply with regulatory pressures.
For 2024, data classification and DRM policy management will drive organisations large and small to institute tiered data protection, ranging from least-privilege access and watermarks for low-risk data, through view-only DRM for moderate-risk data, to safe video-streamed editing that blocks downloads and copy and paste for high-risk data.
It is time to hit the reset button
In 2024, businesses will be under heightened strain to protect confidential data amidst escalating cyber threats and to ensure adherence to burgeoning international regulatory standards. Thankfully, help is at hand. By adopting zero-trust architectures, detailed security models based on content, strong access management, integrated DRM, DLP, and other leading-edge security measures, organisations can mitigate risks and uphold compliance.
It is time for organisations to hit the reset button on their sensitive content communication strategies and work to ensure they have the right technologies in place to protect their communications. Now and tomorrow.
Tim Freestone