For Data Privacy Day 2024, security experts from across the sector discuss the changing landscape of data protection, and share their thoughts on the precautions organisations and individuals should be taking to keep their data safe.
In some form or another, humans have been storing data for millions of years: from wall paintings and hieroglyphics to books and films, and more recently in super-sized data centres and the cloud. IDC predicts that worldwide data will grow 61% to 175 zettabytes by 2025.
In today’s digital age, where every organisation is powered by data, there is a huge responsibility to protect and secure it. The increased volume of cyber threats and the evolving regulatory landscape add to these pressures. Indeed, according to Gartner, by the end of 2024, 75% of the world’s population will have its data covered under modern privacy regulations, meaning organisations have a duty to quickly instil compliant procedures, technologies, and culture.
“Businesses not only have a responsibility to be transparent about their data collection, use, and sharing practices, but they also have an obligation to be accountable for their actions,” says Avkash Kathiriya, Senior Vice President Research and Innovation at Cyware. “They should have procedures in place to detect, prevent, respond, and correct privacy violations. Maintaining the privacy of all stakeholders, including customers, partners, and employees, is crucial for building trust and maintaining a positive reputation.”
The evolving regulatory landscape
Data privacy concerns gained significant attention in 2023, and the momentum behind this trend is only growing stronger in 2024. “As privacy regulations become more stringent, particularly when it comes to the use of AI and user data protection gains prominence, organisations are intensifying their efforts to navigate this complex landscape,” explains Moshe Weis, CISO, Aqua Security. “For AI to effectively learn and predict user behaviour, it often needs access to vast amounts of sensitive data. This data collection could potentially infringe upon user privacy rights, especially considering the strict data protection regulations in place today.”
“2024 will be the year when data privacy will meet AI head-on,” agrees Martin Davies, Audit Alliance Manager at Drata. “Getting the balance of innovation, regulation and protection right will depend on the development of regulatory control. There is a clear responsibility on the part of global regulators to implement requirements that AI companies must adhere to in order to protect the data privacy of the end user and enable them to make informed decisions about how they interact with AI tools.”
A comprehensive strategy is a must
AI isn’t the only technology transforming the data privacy landscape. The cloud is continuing to grow, with global spending on cloud computing infrastructure forecasted to exceed $1 trillion for the first time this year.
“With this uptake, the priority for 2024 needs to be ensuring that the data held within – and transferred between – these platforms is secure,” explains Terry Storrar, Managing Director, Leaseweb UK. “Thankfully, there are many things businesses can do to ensure a comprehensive data recovery program is in place. For example, by choosing a trusted hosting provider, customers can gain access to 24/7 security-related support services, standard security training for all employees, and robust disaster recovery solutions.”
“It’s critical to consider data protection and recovery as part of any comprehensive privacy strategy,” agrees Kevin Cole, director, product and technical marketing, Zerto, an HPE company.
“When data is compromised, operations can be halted for extended periods of time, and there is a significant risk of financial loss or brand impact. Protecting both customer and company data should be the top priority for all organisations, especially in light of growing ransomware threats.”
When two become one: Data protection and security
Traditionally, data protection has addressed issues related to data storage, access, and management, whilst solutions that prevent cyber attacks, such as firewalls and anti-virus, fell into the security bucket. However, we are increasingly seeing these two previously separate entities merging.
“Data protection is inextricably entwined with cybersecurity,” explains Matt Rider, VP of Security Engineering EMEA at Exabeam. “While cybersecurity typically focuses on keeping systems secure against attacks, data protection has a vital part to play. It brings together efforts from across an organisation to ensure that data is kept safe as well as compliant with the latest regulations – regulations which take centre stage in the event of a successful cyber attack, bringing us back to cybersecurity.
“You can’t have one without the other. So, when considering how to bolster your cybersecurity defences, make sure that data protection is top of mind, otherwise you’re leaving an open goal for any skilled attackers taking advantage of a blindspot.”
Jason Gerrard, Senior Director of International Systems Engineering at Commvault, adds that as these entities merge, “organisations can no longer afford to have different teams managing them. Achieving enterprise-grade cyber resilience is more than building taller walls or deeper moats. It requires a new approach that looks holistically across the entire landscape, from best-in-class data protection and security to AI-powered data intelligence and lightning-fast recovery.”
Why investing in cybersecurity matters
With the cost of doing business remaining high this year, many business leaders may be looking for areas to cut back. “However, cybersecurity should not be a consideration in these discussions,” urges Hugh Scantlebury, CEO and Founder of Aqilla. “Lack of investment in cybersecurity is a false economy. Recovery following a cyber attack will far outweigh the financial cost of investing in and maintaining security solutions, controls and processes.
“We can all play a part in staying safe online and protecting our organisations for no cost at all – and this doesn’t have to be burdensome or time-consuming. Even the simplest steps can have a huge impact, such as double-checking email addresses and not clicking any links in suspicious emails or messages from unknown senders.”
Connie Stack, CEO at Next DLP, adds: “While cost reduction will always be top of mind for executive teams (especially CFOs), organisations should be looking to implement robust Data Loss Prevention (DLP) and Insider Threat Management (IRM) controls, which become essential when consolidating. By keeping a vigilant eye on data movements and access patterns, these solutions ensure that while the organisation benefits from the efficiencies of a streamlined security infrastructure, data privacy requirements are not compromised.”
When budgets are tight, user training is often considered the least important area and is one of the first to be put under pressure. However, Robert Sugrue, Cyber Security Product Director at Six Degrees, argues that when times are hard, investing in your people is the most important thing a business can do.
“Our people are our most important asset, and when it comes to cybersecurity, they are the first line of defence. Most attacks originate from breached credentials or extracted critical information, and this is nearly always sourced by manipulating and attacking people, be it through a phishing campaign, social engineering, or misdirection. Assuring our people receive ongoing training to be diligent and identify attack methods is essential to protect our businesses, especially during bad economic times when the desperation of criminals and the diversity and number of attacks increases.”
He concludes, “training your people to be cyber aware is as important as any element of your approach to defending your business; in fact, it is one of the most valuable investments you can make. Like any element of security, do not remove it – improve it!”