Data loss continues to be a major issue for organizational security and compliance teams. In 2022, breaches included Plex losing over 15 million emails, usernames, and encrypted passwords [1], the Cash App attack by a disgruntled former employee who stole personal data on 8.2 million users [2], and the Shanghai National Police database hack which resulted in the release of personal data of 1 billion Chinese citizens [3]. In the previous year, personal data on over 530 million Facebook users [4] was stolen and Lifetime Healthcare Companies paid a $5.1 million settlement [5] to the Office for Civil Rights (OCR) in the U.S. Department of Health and Human Services (HHS) after a breach exposed personal data on over 9.3 million people.
In 2023, data protection will continue to be a leading concern in Board rooms across the world. Here are some trends we think security, compliance, and privacy professionals should be thinking about.
The EY Global Board Risk Survey [6] found that 84 percent of Boards do not believe their organizations have a highly effective risk management strategy. This is important from a strategic standpoint, of course. It is also important because security started getting more “personal” after the 2017 Equifax breach. The fallout from that attack included a reduction in the company’s market capitalization by over 30% and the forced retirement of the Chairman/CEO, CIO, and CSO [7]. Today, poor cybersecurity oversight increasingly brings the threat of “Caremark claims” [8] under which board directors can have personal liability for neglecting an organization’s risks, including cybersecurity. Breaches that negatively affected shareholder value led to Caremark claims against Marriott and SolarWinds [9].
We are producing more data than ever before and doing so across more applications. One estimate put the global amount of data created, captured, copied and consumed at over 64.2 zettabytes in 2020 [10], projected to double by 2025. For comparison, one zettabyte is one trillion (10^12) gigabytes. Globally, over 124.5 billion [11] business emails are sent each day. On Slack alone, users transmit over 1.5 billion [12] messages each month, or 50 million messages per day.
A remote workforce makes identifying this data more difficult, as users are creating data off the corporate network. Organizations can no longer depend on “castle and moat” strategies. Legacy approaches to identifying and protecting this data by pre-classifying everything in the enterprise will struggle to keep up in 2023. Data protection will instead migrate to the endpoint, classifying data in real time and enforcing controls off the corporate network.
Increased damages and loss ratios are forcing insurers to raise premiums and decrease coverage. Insurance prices increased 133 percent [13] in the fourth quarter of 2021, 110 percent in the first quarter of 2022, and 79 percent in the second quarter. Lloyd’s of London announced recently that its insurance policies will no longer cover nation state-backed cyberattacks. To ensure coverage, insurers are now demanding evidence of good cybersecurity practices.
Machine learning has long depended on transmitting information to the Cloud for processing. Data is at risk at endpoints and requires immediate action before it can be exfiltrated. This requires intelligence on the endpoints that can analyze all activity by all users to identify indicators of compromise before data is stolen. In 2023, we will see organizations adopt solutions that move this analysis to the endpoints for faster processing, identifying baselines and anomalies and enforcing controls there.
The “assume breach” paradigm is an acknowledgement that an attacker will be able to gain a foothold in your organization. This could come from an unpatched vulnerability, a phishing attack, a malicious insider, or through the more than 24 billion stolen credentials [14] available on the dark web.
An attacker with legitimate credentials can be difficult to detect using legacy rules and a requirement to pre-classify data. Granular rules that dictate what actions every user is allowed to take with each class of data may not work. After all, these users appear to have permission to access the data they seek. Rather than using data loss prevention solutions as forensic tools by running in “monitor” mode, 2023 will bring increased demands for automated risk awareness on endpoints.
The “great resignation” [15] and “quiet quitting” [16] have made organizations more aware of the need to build trust relationships with the workforce to improve recruitment, retention and engagement. Far too often, data protection solutions lead employees to believe that management simply does not trust them. Intrusive monitoring feeds that sentiment.
In 2023 the shift to “privacy by design” will be key to successful data protection strategies. This will include technologies such as pseudonymization that mask an employee’s identity until circumstances justify unmasking. Privacy acts like the General Data Protection Regulation “recommend” [17] pseudonymization. We expect other requirements to follow suit.
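As an added illustration of the pseudonymization just mentioned (example code written for this page, not Next DLP's product): endpoint events carry a keyed HMAC pseudonym in place of the user identity, per-user baselines are computed on the pseudonym, and the pseudonym-to-identity map sits in a separate escrow that only unmasks when a named approver records a justification. The event layout, the Escrow class and the key are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample endpoint events; the field layout is hypothetical.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "action": "usb_copy", "bytes": 120_000},
    {"user": "bob@example.com", "action": "cloud_upload", "bytes": 4_000},
    {"user": "alice@example.com", "action": "usb_copy", "bytes": 950_000_000},
]


@dataclass
class Escrow:
    """Pseudonym -> identity map, held apart from the analytics data.
    Unmasking requires a named approver and a recorded justification."""
    _map: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def register(self, pseudonym: str, user: str) -> None:
        self._map[pseudonym] = user

    def unmask(self, pseudonym: str, approver: str, justification: str) -> str:
        if not approver or not justification:
            raise PermissionError("unmasking needs an approver and a justification")
        self.audit.append((pseudonym, approver, justification))  # every unmask is logged
        return self._map[pseudonym]


def pseudonymize(user: str, key: bytes, escrow: Escrow) -> str:
    """Keyed pseudonym: stable for one user under one key, so activity can be
    baselined per pseudonym, yet not derivable from the record without the key."""
    tag = hmac.new(key, user.lower().encode(), hashlib.sha256).hexdigest()[:16]
    pseudonym = f"user-{tag}"
    escrow.register(pseudonym, user)
    return pseudonym


def pseudonymize_events(events: list, key: bytes, escrow: Escrow) -> list:
    """Copies of the events with the user field replaced by its pseudonym."""
    return [{**e, "user": pseudonymize(e["user"], key, escrow)} for e in events]


def bytes_per_user(events: list) -> dict:
    """Per-identity baseline that works the same on real or pseudonymous records."""
    totals: dict = {}
    for e in events:
        totals[e["user"]] = totals.get(e["user"], 0) + e["bytes"]
    return totals
```

Analysts work from the output of bytes_per_user on the masked events and only call Escrow.unmask once a threshold breach has been justified, so routine monitoring never sees the real identity.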
While we are on the topic of privacy, we will continue to see regulations expand. The California Consumer Protection Act (CCPA) was replaced by The California Privacy Rights Act [18] (CPRA) on January 1. This adds several obligations for organizations collecting consumer data, including:
- The right to request that a business delete any personal information about the consumer which the business has collected
- The right to correct inaccurate personal information
- The right to know what personal information is being collected
- The right to opt out of sharing of personal information
Other jurisdictions are getting in on the act as well. Legislation similar to the CPRA also took effect this year with the Virginia Consumer Data Protection Act [19] (VCDPA). The Colorado Privacy Act [20] (CPA) and Connecticut SB6 [21] take effect on July 1, 2023. The Utah Consumer Privacy Act [22] (UCPA) takes effect on December 31, 2023. In Quebec, Quebec Bill 64 [23] builds on Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
Data loss prevention was typically an issue for organizations managing large quantities of data. In an increasingly interdependent world, threat actors recognize that an organization’s “weakest link” may be the vendors and partners with whom it shares information. This is not a new problem. The 2013 Target Stores breach resulted from an employee of Target’s HVAC vendor [24] accessing Target’s network with a device previously infected in a phishing attack. In 2019 Cottage Health [25] paid a $3 million settlement to the U.S. Department of Health and Human Services when their IT vendor exposed information on over 60,000 patients.
In 2023, we believe organizations will demand that their vendors and partners share more evidence of the controls in place to protect sensitive information.
Companies that truly wish to act as guardians of personal data need to embrace that with great volumes of data comes great responsibility (and with it greater potential liability!). Legacy DLP solutions with convoluted, granular rules cannot adapt quickly and reliably to this challenge. In today’s “work from anywhere” world, users and data cannot always be under the control of the corporate network. Nor can organizations rely solely on cloud-based processing that can delay the identification of and response to threats.
Instead, forward-thinking data owners are pushing the scope of data protection to their endpoints. This enables data owners and processors to dynamically identify and remediate threats to data, especially in a world where staff are geographically dispersed and sensitive data is increasingly processed both on and off corporate networks.
We’d love the chance to earn your trust. Next DLP believes that smarter people lead to safer data. Learn more about Next DLP and how we’re thinking differently about cybersecurity through our fireside chat program. If you like what you see, consider subscribing to our newsletter or talking with one of our pros about what Next DLP might do for your teams.