But such a task can seem overwhelming. Exactly how can organisations ensure that the data they store is secure? And what new challenges loom as we move into the rest of 2024? We asked ten industry experts to get their take.
Everyone plays a role
It can be easy to think that data protection is the preserve of a few key team members – a data protection officer perhaps, or the cyber security team. The reality is that every single staff member within an organisation has a role to play.
“It should be driven culturally,” argues Avkash Kathiriya, Senior Vice President Research and Innovation at Cyware. “Every member of the business has a role to play in protecting personal information and businesses should be regularly reminding and training employees on data protection best practices. As a Champion for Data Protection Week, Cyware has pledged to support and promote the importance of data protection within its own organisation and the wider community. As well as regularly briefing its employees, Cyware publishes long-form educational guides, research & analysis articles, as well as daily, weekly, and monthly threat briefings to help its community take stock of the evolving cyber threat landscape and take the necessary actions to safeguard their data security and privacy.”
Kamil Fedorko, Cybersecurity Practice Leader at Intellias, points to the importance of arming staff with knowledge. “Top of the agenda should be the education of employees - especially where recent research has illustrated a 10% surge in phishing attacks, with 94% of organisations having experienced a serious email security incident in the past 12 months,” he explains. “Where data is highly valued loot for criminals, it is imperative to ensure employees can recognise phishing attempts, maintain secure passwords, and practice safe internet usage to mitigate the risk of unauthorised parties stealing or accessing sensitive files.”
“This year, Data Privacy Day is not just about acknowledging the criticality of data privacy, but actively integrating new practices that uphold these values in an increasingly AI-integrated world, and educating employees to do the same,” he adds.
Cybersecurity is central
For a long time, many organisations separated data protection and cybersecurity. “Traditionally, data protection has addressed issues related to data storage, access, and management, whilst solutions that prevent cyber-attacks, such as firewalls and anti-virus, fell into the security bucket,” outlines Jason Gerrard, Senior Director of International Systems Engineering at Commvault. “Yet, we are increasingly seeing these two previously separate entities merging and organisations can no longer afford to have different teams managing them. It is recognising that a data protection strategy must have security at the heart of it that will enable true cyber resilience to be achieved.”
He continues: “Data holds incredible value, and cyber criminals will stop at nothing to obtain it, no matter the disastrous consequences for an organisation or its customers. Having backups saved in multiple locations is a necessity, but ultimately, the aim is to prevent attackers from accessing the data in the first place. To build a truly cyber resilient strategy, organisations must ensure that their IT and security teams come together to work towards this common goal and keep their data under lock and key.”
Tom Ammirati, CRO at PlainID, agrees with the need to integrate security and data protection. “This year’s theme is ‘take control of your data’ and key to that is an organisation protecting its data and the applications from cyberattacks. If a bad actor, which can include an employee, has gained access credentials, ensure that they don’t have automatic access to any or all data.
“We know now that smart security solutions must be ‘identity-aware,’ but they also call for a smart, dynamic authorisation solution. One of the most significant benefits of zero trust is the process of granting an authenticated entity access to resources. Authentication helps ensure that the user accessing a system is who they claim to be; authorisation determines what that user has permission to do. Arming your IT team with smart security solutions can be the key difference between a full-blown security incident, and a security alert.”
However, as data protection increasingly becomes part of organisations’ cybersecurity strategy, that can bring its own challenges. Connie Stack, CEO at Next DLP, highlights the “intensifying pressure on CISOs to streamline their cybersecurity tools.
“The adoption of consolidated solutions from major tech companies stems from two primary challenges - the scarcity of skilled cybersecurity professionals and the internal drive for cost efficiency,” she explains. “While this move towards consolidation is becoming a norm, it's vital to remember that depending on a single solution provider for all security requirements can be risky.”
“While cost reduction will always be top of mind for executive teams (especially CFOs), organisations should be looking to implement robust Data Loss Prevention (DLP) and Insider Threat Management (IRM) controls, which become essential when consolidating. No organisation runs solely on the likes of Microsoft applications, Microsoft file types, and nothing else, for example. In an era where data security and privacy are paramount, DLP and IRM solutions safeguard data regardless of location.”
The AI revolution
Of course, as with almost every area of the technology industry, the advent of AI over the past year poses significant data privacy concerns, while also having the potential to bring huge benefits.
“For AI to effectively learn and predict user behaviour, it often needs access to vast amounts of sensitive data,” outlines Moshe Weis, CISO at Aqua Security. “This data collection could potentially infringe upon user privacy rights, especially considering the strict data protection regulations in place today, such as the General Data Protection Regulation (GDPR) and the new EU AI Act due to be enforced in the next 1-2 years. Companies of all sizes will have to get their AI compliance in order and strike a balance between leveraging AI for security and respecting user privacy.”
Martin Davies, Audit Alliance Manager at Drata, agrees that regulation will be key when it comes to AI. “2024 will be the year when Data Privacy will meet AI head-on, and getting the balance of innovation, regulation and protection right will depend on the development of regulatory control.
“Regulatory activity around the oversight of AI has been gaining momentum at a feverish pace in the last few months. Most significantly the new landmark EU AI Act has finally been formalised, a significant milestone in protecting the end user from the potential dangers of AI. There is a clear responsibility on the part of global regulators to implement requirements that AI companies must adhere to in order to protect the data privacy of the end user and enable them to make informed decisions about how they interact with AI tools.”
Back to basics
No matter the new technology that comes along, the most crucial thing organisations can do is ensure that they’re prioritising data protection and putting a strong plan in place. As Terry Storrar, Managing Director at Leaseweb UK, explains: “In an age where the risks of data loss are broad and in many cases inevitable, it’s essential that organisations make sure they have the right tools to back up and recover quickly and effectively should this take place. Data Protection Day is a great opportunity to take stock of how secure your data is and remember it’s always worth going the extra mile when it comes to putting plans in place before you need to execute them.”
“As we celebrate Data Protection Day, organisations must remember that following the fundamentals of security ensures the protection of data, our resilience against evolving threats, and a safer internet for everyone,” concludes Kayla Underkoffler, Lead Security Technologist at HackerOne.