Companies aren't 'owning' their data

With a rapidly developing threat landscape, an increase in high-profile data breaches, the introduction of new legislation, and customer tolerance for poor data handling at an all-time low, the stakes are high for companies to have robust cybersecurity in place. However, despite their best efforts, companies are often found to not be doing enough to protect their assets.

Often, this is due to a case of ‘too much, too fast’. As businesses invest in new technologies, their day-to-day operations are being supported by ever more complex and fragmented technology platforms. At the same time, the amount of customer data available to them is growing and constantly streaming in, and bad actors are consistently launching more sophisticated attacks. Meanwhile, leaders are not fully aware of or own responsibility for their cybersecurity plans. As the digital world evolves with new threats and regulations, business leaders must recognize the importance of data protection. If they do not, they cannot adequately protect their customer's data and are in danger of losing their trust and even their continued existence in business.

Securing the Gold Mine

Data is the most valuable resource for any company, and for maintained business growth and development, it is gold. It allows C-level executives to review initiatives and make real-time decisions, predict future outcomes, identify business risks, and incurs a heavy cost if ever breached. In fact, IBM’s most recent Cost of a Data Breach Report states that the average cost of a UK data breach has increased by 5 percent in 2024 to reach £3.58 million.

However, many companies are unable to identify or locate their important data. As it is fluid, it is constantly streaming in and flowing throughout the entire company, meaning it can potentially be accessed -- and saved -- by anyone in the organization. Integrating new technologies to improve workflows and capitalize on data without careful consideration can further complicate this. For example, once data is uploaded to the cloud, companies effectively lose control of it. It can be copied and moved without permission and cannot be personally deleted. If the data is uploaded in its raw state, and considering the type of cybersecurity cloud platforms provide, this is essentially a data breach waiting to happen.

As such it is essential that business leaders recognize the value of their data and take the appropriate steps to keep it secure. The first step in data-centric security is to classify data according to privacy standards, such as if it’s personal or sensitive data as opposed to non-sensitive data. Once identified, the sensitive data can be protected with the application of Privacy Enhancing Technologies (PETs) to anonymize data. Data-centric security measures such as this serve to ensure that even when a breach occurs, no sensitive information will be at risk, and companies can keep their customer trust and reputation intact.

Data Sharing

A lack of data responsibility and ownership can lead to complications regarding sharing and accessing data. In some companies, data is often available for any employee to freely access. This creates two risks: the first being that should an employee fall victim to a phishing attack, a bad actor can then freely access everything the employee can; and second, employees can save the data and use it for their own use. This doesn’t necessarily have to be for malicious purposes. For example, employees can run the data through public platforms, such as ChatGPT, to save time and ensure accuracy with their tasks. Unbeknownst to them, the data can be saved to the public platform and potentially breached. Putting in place a zero-trust framework would mitigate this risk: ensuring employees only see data relevant to their workloads.

Sharing data with other units, partners, and suppliers without being familiar with their cybersecurity posture can also put important data at risk – and put companies at risk of being in breach of their own policies. Further, data in motion from one secure location to another is at increased risk of being intercepted by bad actors. In all instances data should be secured through encryption, however, de-identifying data with pseudonymization and anonymization provides comprehensive protection whilst the data is in motion.

Following the EU’s new NIS2 regulations which are soon to come into effect, and the UK’s plans to introduce a similar bill, companies will also soon find that sharing data across borders will become more complex and demand increased data privacy. This also provides a clear message that authorities and customers are taking data privacy seriously, and companies would be wise to follow suit to avoid further complications and hefty fines. Opting for a data protection platform with a provider that remains abreast of changing regulations can ensure evergreen compliance with cross-border data flows. Data protection platforms also serve to anonymize data and keep it secure at rest, in motion and during consumption.

Security Awareness

Whilst businesses should always be focused on growth and innovation, it is essential to also be aware of their current tools. A lack of familiarity with a business’ pre-existing cybersecurity team and policies can cause a host of detrimental issues. This adds responsibility onto CIOs and CTOs rather than being shared through the company, putting companies at risk of alienating and ultimately losing cyber talent.

Considering the current cyber talent shortage, this is something companies cannot afford to do. The workload of cyber talent is also increasing exponentially as companies integrate new competitive technologies without carefully considering cybersecurity measures, which can negatively impact progression and overall security. For example, whilst integrating AI should jettison a business forward, if cybersecurity and data security aren’t considered it can instead drag a business backwards. LLMs increase the attack surface, and if they are irresponsibly trained with data in its raw state (rather than anonymized), then valuable data will be breached, and cost companies millions in lost customers. Cyber teams must be equipped with the appropriate data security measures to support business growth.

As such companies should be aware of their cybersecurity plans and materials. The word ‘cybersecurity’ should not be assumed to be a magic bullet -- nor should it be assumed that any two products provide the same amount of cybersecurity. Instead, multiple solutions should be layered throughout an organization’s network to effectively control and mitigate risks at every level. For example, the cybersecurity of a cloud platform should be regarded as the protection of a city: effective enough, but not guaranteed to protect your home from theft. Integrating further measures can metaphorically provide a gated community and home alarm system. Here, a data security platform can be viewed as the vault that stores the valuable data: so that when a bad actor breaks through the other defenses, they still can’t access the company’s assets.

It is unrealistic to expect business leaders outside of the cybersecurity world to fully understand the complexities of cybersecurity. However, it is a business leader’s responsibility to understand the importance of data privacy and remain aware of the company’s cybersecurity processes. Leaders must provide their Cyber talent with the resources required to support innovation, ensure compliance, and keep ahead of the threat landscape. Awareness breeds responsibility and accountability, which will ultimately enhance data security and maintain customer trust.

Image credit: Rawpixel/depositphotos.com

Alasdair Anderson is VP at Protegrity.