Data is many organisations' most valuable asset, so it is little wonder that it is also the subject of so much attention from cyber criminals.
Whereas once those criminals were content to encrypt data and extort a ransom for its release, greater use of smart backup procedures has led to a change in tactics, with criminals now much more likely to seek payment in return for not releasing stolen data online.
For businesses, the costs of a successful attack can be crippling, with most reports putting the cost of a data breach into millions of dollars.
Even when victims don’t pay up, data theft can still be a lucrative game for criminals, with a study by cybersecurity researcher Privacy Affairs finding an individual’s personal information can be worth as much as US$1000 ($1532).
These numbers are leading many organisations to look much more closely at how they are protecting their data.
Almost all cybersecurity tools play a role in protecting data, from the Identity and Access Management (IAM) tools that determine who has access to it through to the eXtended Detection and Response (XDR) tools that monitor how it is moving within a network.
The commonly held definition of data security refers to safeguarding digital information from unauthorised access, corruption, or theft. Even this narrower definition has become a boom market for tools suppliers – one that is projected to reach US$6.86 billion ($10.51 billion) in 2024 on its way to a market volume of US$11.19 billion ($17.15 billion) by 2028.
One of the critical elements of data security is to make data unreadable to any unauthorised party, which is achieved through encryption using a diverse array of cryptography technologies.
However, this task can be made more difficult by the reality that data can reside with multiple service providers, including SaaS apps and public clouds. This makes the choice of encryption protocols, and the management of the keys that unlock the data, a critical consideration.
Encryption also faces a looming challenge in the form of 'Q Day', when quantum computers become powerful enough to crack traditional encryption methods. This is leading to a need to invest in quantum-resistant encryption techniques, and is creating a market expected to be worth US$1.8 billion ($2.76 billion) in 2024.
One idea that is gaining popularity is to reduce the total amount of data that may be at risk through an incident.
This idea has become critical for organisations whose data assets have grown in an unchecked manner, such as through the acquisition of other businesses. Numerous recent data breaches exposed organisations that were holding on to personal data long after it was needed. This in turn is fuelling interest in data visibility tools, which help organisations see, monitor, and manage data across their operations.
Another possibility is to implement privacy-preserving technologies, such as adding noise to aggregated data to preserve the privacy of individual records. This and other techniques have the potential to enable organisations to gain insights from sensitive data while protecting individuals and remaining compliant with regulatory requirements.
With data continuing to be the target for cybercriminals, it is not surprising that the overall approach to data security is moving away from one of point solutions in favour of governance frameworks that consider all aspects of the data lifecycle, rather than just its security.
This means applying greater consideration to what data is collected, how it is used and stored, and how long it is retained. According to Fortune Business Insights, the global data governance market size is projected to grow from US$4.44 billion ($6.8 billion) in 2024 to US$19.86 billion ($30.44 billion) by 2032.
This suggests that when it comes to data security, the first step is to better understand what an organisation is protecting and invest appropriately.
Protecting data can be a challenge at the best of times. But when your organisation is highly decentralised, with a network accessed by a wide variety of user personas, and an information asset that is of potential interest to nation-states, that challenge becomes so much greater still.
This is the challenge facing Nivedita Newar, head of cyber security strategy and governance at the University of NSW (UNSW), and it is one that only grows more complicated with time.
"With the proliferation of software-as-a-service and shadow IT, the more exposure and unknown risk there is for data-related threats to materialise," Newar said.
"It is important to create new guardrails in the procurement and finance channels, but incredibly difficult when somebody is using a credit card. Even free software can mean a security risk for us."
That threat has been amplified further still by the rapid proliferation of new and untested AI tools.
"Every single service provider is trying to offer a feature at least of AI for free, and all of these features are in beta mode, which means no testing or vetting has been performed and there are no certifications," Newar said.
If these threats weren't enough, the rapid development of quantum computing – and the risks it poses to encryption protocols – also looms on the horizon.
"The biggest problem is when encryption will be broken and quantum computers will be commercialised and available to attackers," Newar said.
"Most researchers believe that it is at least seven years from now. This is a business risk - this is no longer a security risk."
Amidst these challenges and threats, Newar is deploying a long-term strategy designed both to bring greater security to UNSW's data assets and to deliver the freedoms that its user communities expect.
Central to this is adoption of a zero-trust stance and accompanying investment strategy. A key component of this will be the implementation of a Cloud Access Service Broker.
"That will give us visibility of what's happening, and we will plug it into each managed device, and any IP address that is owned by the organisation, and anybody accessing those environments through our Active Directory will be captured in the flow," Newar said.
This will be complemented by the implementation of other zero trust 'engines' to analyse data flow and use AI-based policy engines to give greater visibility as to what is happening within the network.
Furthermore, Newar said the university will make use of a content delivery network to act as a reverse proxy and obscure its application stack from the outside.
"When a new zero-day vulnerability happens, all we have to do is rely on the specific vendor to roll out patching," Newar said.
While these investments will strengthen the data protection capabilities of the university, Newar said many of today's problems will continue to exist until all organisations think seriously about the data they are collecting and the impact that it has on users when it is stolen.
"The world needs to think about how you remove data such as birth dates and addresses from databases, and whether you can use another identifier, because once it is lost it is lost," Newar said.
"There needs to be a Y2K kind of effort globally."
The 2024 State of Security sponsors have worked tirelessly to improve the safety of enterprise and channel companies.
We are proud to present this year's State of Security champions, and showcase the work they do.