A recent NOYB survey shows that around three-quarters of insiders believe there are relevant violations of data protection policies at their organizations, which would come to light if anyone were to investigate thoroughly. These violations are attributed to pressures from sales and marketing, senior managers who prefer to limit compliance efforts, lack of support from stakeholders, the non-compliance of external suppliers, and the lack of clear enforcement actions.
Clearly, organizations still struggle to meet data security goals or implement data security policies fully. As new challenges emerge and old ones persist, it is important to systematically and thoroughly resolve issues facing data security.
Identifying Sensitive Data and the Methods to Secure Them
Ideally, all data generated by an organization should be secured. However, the resources needed to protect data are limited. Organizations have to maximize the finite levels of human and computing resources they have by first identifying the data they need to protect.
Not all data require resource-intensive security. In particular, it is not advisable to use full-disk encryption unless the data being encrypted are for the backups or the disaster recovery system. Data security can be limited to personally identifiable information (PII), financial details, trade secrets, and others that can be considered sensitive.
On the other hand, it is crucial to choose the right types of data protection, using methods and strategies that are secure and that match the needs of the situation your company is in. Again, organizations do not have boundless resources to enforce data security everywhere, so efficiency is a must. Also, it is essential to balance security and performance. Implementing encryption, for example, can be taxing on system resources, so organizations should choose the appropriate encryption methods for different use cases.
Additionally, it is necessary to choose data protection methods that are compatible with existing tools and make sure that they are scalable and flexible to avoid problems associated with changes in the data ecosystem.
Data Governance and Policy Formulation
Once the data resources that require protection have been properly determined, organizations have to come up with a systematic data governance plan and formulate policies that ensure security and dependable backups. Effective data protection has to be planned in relation to the dynamics and requirements specific to an organization. There is no one-size-fits-all model when it comes to data governance and protection.
To maximize efficiency and security, everything has to be customized as much as possible, from the data handling mechanisms to the security controls. Additionally, it is crucial to clearly define the roles and responsibilities of those who are given access to data and establish accountability. Moreover, it is recommended to incorporate best practices into data management and protection processes.
Artificial intelligence and automation are among the prominent trends that will affect data management in 2024. It is important for organizations to take these into account in their data governance and protection policies, because they can introduce new risks and expand the attack surface. AI-driven automated systems must be properly configured to avoid exposing data to exploitation or attacks.
When using third-party AI solutions, it is important to ascertain that an organization’s data is not being shared unnecessarily or used to train and further enhance AI systems without anonymization or obfuscation.
Vigilant Data Regulation Compliance
Aside from internal policies, organizations inevitably have to face external policies on data privacy and security.
The General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the UK's Data Protection Act 2018 are not the only data-related regulations organizations will have to deal with in 2024. Existing regulatory requirements are being updated and new ones are being developed in different countries.
In Africa, new legislation has emerged, such as Malawi's Bill No. 22 for the Data Protection Act (2023) and the Malabo Convention. The European Union is in the process of implementing new rules on data use with respect to AI development and the privacy of minors who use the internet. The Middle East also has new regulations for data protection, such as Saudi Arabia's amendment to its Privacy and Data Protection Law, Oman's Personal Data Protection Law, and Jordan's Law No. 24 of 2023.
Organizations cannot ignore or downplay the impact of these data regulations. It is vital to factor them in when planning data protection policies, data management processes, and the selection of solutions for protecting data.
Addressing Threats of Internal and External Breaches
Cyber-attacks from outside organizations are increasing, and teams are expected to be ready for them.
However, insider threats are equally perilous. Organizations need a proactive approach to data security given that data breaches can come from external and internal sources, with the latter proving to be trickier to address because of the trust insiders gain after they are admitted into an organization.
One of the best strategies to counter growing data threats is the implementation of zero-trust security and the principle of least privilege. It is advisable to subject all access requests to strict scrutiny and authorization measures and not presume regularity or authority based on the title or position of the person making data access requests.
Also, the privileges granted to those requesting access should be limited to what they need to complete a specific action. Nobody should be granted broad privileges or unlimited, recurring access. Every data request should be thoroughly evaluated and verified.
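The two points above (scrutinize every request regardless of the requester's title, and scope each grant to one action with a bounded lifetime) are easy to state and easy to get wrong in an access layer. The following is an added illustration, not code from the article: a small grant-based policy check in which the only thing that authorizes an action is an explicit grant naming one subject, one resource and one action, with an expiry and a finite use count. The subject names, resource path and ticket reference are constructed for the demo; the class and function names are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Added example: least-privilege evaluation of data access requests.
# Deny by default; a job title on the request is logged but never consulted.


@dataclass
class Grant:
    subject: str
    resource: str
    action: str
    expires_at: datetime
    uses_left: int          # remaining uses; 1 means single-use


@dataclass
class AccessRequest:
    subject: str
    resource: str
    action: str
    title: str = ""         # informational only (e.g. "CFO"); confers no authority
    justification: str = ""


@dataclass
class Decision:
    allowed: bool
    reason: str


class LeastPrivilegePolicy:
    """Grant-based check: exact scope, bounded lifetime, every decision audited."""

    def __init__(self, clock: Optional[Callable[[], datetime]] = None):
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self._grants: list[Grant] = []
        self.audit: list[tuple] = []      # (timestamp, request, decision)

    def grant(self, subject: str, resource: str, action: str,
              ttl_minutes: int = 15, uses: int = 1) -> Grant:
        # Refuse broad grants at creation time: no wildcards, no unbounded lifetime or use count.
        if "*" in (subject, resource, action):
            raise ValueError("wildcard grants are not allowed")
        if ttl_minutes <= 0 or uses <= 0:
            raise ValueError("grants must expire and have a finite use count")
        g = Grant(subject, resource, action, self.clock() + timedelta(minutes=ttl_minutes), uses)
        self._grants.append(g)
        return g

    def evaluate(self, req: AccessRequest) -> Decision:
        now = self.clock()
        if not req.justification.strip():
            return self._record(now, req, Decision(False, "missing justification"))
        # Exact match on (subject, resource, action); req.title is deliberately ignored.
        for g in self._grants:
            if (g.subject, g.resource, g.action) != (req.subject, req.resource, req.action):
                continue
            if now >= g.expires_at:
                return self._record(now, req, Decision(False, "grant expired"))
            if g.uses_left <= 0:
                return self._record(now, req, Decision(False, "grant exhausted"))
            g.uses_left -= 1
            return self._record(now, req, Decision(True, "matched scoped grant"))
        return self._record(now, req, Decision(False, "no matching grant"))

    def _record(self, when: datetime, req: AccessRequest, d: Decision) -> Decision:
        self.audit.append((when, req, d))
        return d


def demo() -> list:
    """Constructed walkthrough of the cases the principle is meant to cover."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    policy = LeastPrivilegePolicy(clock=lambda: t0)
    policy.grant("alice", "customers/pii", "read", ttl_minutes=15, uses=1)
    pii_read = lambda who, **kw: AccessRequest(who, "customers/pii", "read", **kw)

    results = []
    # 1. Right person and scope, but no stated purpose -> denied.
    results.append(policy.evaluate(pii_read("alice")))
    # 2. Same request with a justification -> allowed, once.
    results.append(policy.evaluate(pii_read("alice", justification="ticket-1234")))
    # 3. Second use of a single-use grant -> denied.
    results.append(policy.evaluate(pii_read("alice", justification="ticket-1234")))
    # 4. Senior title, no grant -> denied; position confers nothing.
    results.append(policy.evaluate(pii_read("bob", title="CEO", justification="board report")))
    # 5. A read grant does not cover a different action on the same data.
    policy.grant("alice", "customers/pii", "read", ttl_minutes=15, uses=5)
    results.append(policy.evaluate(AccessRequest("alice", "customers/pii", "export",
                                                 justification="ticket-1234")))
    # 6. Time-bound: once the window passes, the grant is useless.
    policy.clock = lambda: t0 + timedelta(minutes=20)
    results.append(policy.evaluate(pii_read("alice", justification="ticket-1234")))
    return results


if __name__ == "__main__":
    for d in demo():
        print("ALLOW" if d.allowed else "DENY ", "-", d.reason)
```

The audit list is the part worth keeping in a real system: a denial with reason "no matching grant" from a request carrying a senior title is exactly the event a detection team wants to see, and the use counter and expiry turn "evaluate every request" from a policy statement into something the access layer enforces.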
Data Threats Associated With Devices
The past few years have boosted the popularity of work-from-home (WFH) and bring-your-own-device (BYOD) arrangements, as well as Internet of Things (IoT) devices. The growing popularity of these arrangements and devices signals the need to be more mindful of the data security implications of devices.
Many organizations continue to overlook the critical role of devices in data security, and this has to change significantly.
It’s important to ensure full security visibility over all devices that connect to your network. The remote access to data granted to WFH employees should be prudently managed. Similarly, BYOD devices must be subjected to thorough security evaluations before they are allowed to connect to the enterprise network. Also, IoT devices must be properly configured to ensure that they do not become attack points or bearers of security vulnerabilities.
The risks associated with the growing number of devices connected to company networks are not a new problem, but they will continue to grow in 2024 and will most likely expand further in the years to come. As one study shows, the use of BYOD tends to lead to data breaches. There are also studies that link WFH and IoT to data attacks.
In Conclusion
Data attacks are expected to continue and evolve over time. It is unlikely for them to end, so organizations need to continuously improve their security strategies and approaches in dealing with new threats while taking advantage of new technologies. In the meantime, organizations should examine the key aspects discussed above as they adapt their data protection strategies to the threat landscape of 2024 and the years to come.