Hidden risk of shadow data and shadow AI leads to higher breach costs

AiCreatesAi

Given the widespread distribution and exposure of data, regaining control is critical. Data Security Posture Management (DSPM) is a cybersecurity technology that identifies sensitive data across multiple cloud environments and services, assessing its vulnerability to security threats and regulatory non-compliance. Rather than securing devices, systems, and applications, DSPM allows security teams to focus on protecting the data itself.

Security leaders have long been focused on the concept of defense-in-depth, ensuring their security infrastructure is resilient and provides comprehensive protection. While this approach remains important, it’s time to consider a shift towards data-first security. This new paradigm emphasizes the importance of managing and protecting data as the central asset throughout its entire lifecycle—from creation to usage and eventual disposal. This evolution in data security is underscored by findings in the 2024 edition of the Cost of a Data Breach Report.

A Paradigm Shift in Data Security

The report offers a deep dive into the causes, financial impacts, and recovery processes following data breaches at 604 organizations worldwide, spanning 17 industries. The findings reveal crucial trends that can help organizations better navigate the complexities of data security, particularly in relation to security, privacy, governance, and regulation. One alarming trend is the elevated risk associated with the rapid deployment of new generative AI (gen AI) initiatives, where security considerations are often overlooked. According to a recent executive survey, only 24% of new gen AI initiatives include a security component.

The Data Journey in the Dark

Data has become the most valuable asset for modern businesses. However, despite its significance, data management and protection are not always up to par. Let’s explore some key factors that have contributed to the rising costs associated with data breaches, focusing on the data journey and the protection paradigms throughout its lifecycle.

Multi-Cloud Hopping

As data scales, organizations are increasingly moving beyond traditional on-premises and private cloud infrastructures to multi-cloud environments. This shift is driven by the need for scalability in data volume, traffic, and workload demands. The Cost of a Data Breach Report notes that 40% of breaches involved data stored across multiple environments, with public cloud environments incurring the highest average breach cost of USD 5.17 million.

Why is this happening? The decentralized nature of multi-cloud environments complicates visibility into, and control over, data. In the event of a breach, it takes longer to gather information, investigate, and activate the cloud provider’s support to contain the breach. Additionally, the sheer volume of data in these environments means that more data is at risk, leading to greater customer impact and higher recovery costs.

Shadow Data

Data is now more dispersed than ever, with 35% of breaches involving data stored in unmanaged data sources, often referred to as “shadow data.” This data is typically not classified or protected properly, and its lifecycle within the organization is not managed effectively. Interestingly, 25% of breaches involving shadow data occurred solely on-premises, highlighting gaps in data governance, privacy issues, and regulatory compliance risks.

Breaches involving shadow data took an average of 291 days to identify and contain, with costs averaging USD 5.27 million. However, these figures only represent the initial impact; the long-term costs, including contractual issues and potential lawsuits, can continue to accumulate for years.
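The checks a DSPM-style inventory runs to surface shadow data, as an added example written for this article rather than code from the report or from any vendor's product: it walks a constructed inventory of data stores and flags every store with no accountable owner, no classification, or no current inventory record, and escalates any sensitive or unclassified store that is unencrypted at rest or publicly readable. The `DataStore` type, the 90-day staleness window, and the sample stores are assumptions made for the example.

```go
package main

import (
	"fmt"
	"time"
)

// DataStore is one inventoried data location (a bucket, database or file share).
// The fields are the posture attributes a DSPM inventory typically records;
// the type itself is a hypothetical model built for this example.
type DataStore struct {
	Name             string
	Environment      string    // e.g. "aws", "azure", "gcp", "on-prem"
	Owner            string    // empty when nobody is accountable for the store
	Classification   string    // "", "public", "confidential" or "restricted"
	EncryptedAtRest  bool
	PubliclyReadable bool
	LastInventoried  time.Time // zero value when the store was never inventoried
}

// Finding is one posture problem attached to a store.
type Finding struct {
	Store    string
	Severity string // "high" or "medium"
	Reason   string
}

// Assess applies the shadow-data tests: a store is shadow data when it has no
// accountable owner, no classification, or no current inventory record.
// Unknown classification is treated as sensitive until proven otherwise, so an
// unencrypted or publicly readable shadow store is escalated to high severity.
func Assess(stores []DataStore, now time.Time, staleAfter time.Duration) []Finding {
	var out []Finding
	for _, s := range stores {
		shadow := false
		if s.Owner == "" {
			shadow = true
			out = append(out, Finding{s.Name, "medium", "no accountable owner"})
		}
		if s.Classification == "" {
			shadow = true
			out = append(out, Finding{s.Name, "medium", "unclassified data"})
		}
		if s.LastInventoried.IsZero() || now.Sub(s.LastInventoried) > staleAfter {
			shadow = true
			out = append(out, Finding{s.Name, "medium", "not in a current inventory"})
		}
		sensitive := shadow || s.Classification == "confidential" || s.Classification == "restricted"
		if sensitive && !s.EncryptedAtRest {
			out = append(out, Finding{s.Name, "high", "sensitive or unclassified data not encrypted at rest"})
		}
		if sensitive && s.PubliclyReadable {
			out = append(out, Finding{s.Name, "high", "sensitive or unclassified data publicly readable"})
		}
	}
	return out
}

// ShadowStores lists, in first-seen order, every store that tripped a shadow-data test.
func ShadowStores(findings []Finding) []string {
	seen := map[string]bool{}
	var names []string
	for _, f := range findings {
		if f.Severity == "medium" && !seen[f.Store] {
			seen[f.Store] = true
			names = append(names, f.Store)
		}
	}
	return names
}

// CountBySeverity summarises findings for a dashboard or a ticket.
func CountBySeverity(findings []Finding) map[string]int {
	counts := map[string]int{}
	for _, f := range findings {
		counts[f.Severity]++
	}
	return counts
}

// SampleInventory is a constructed inventory, not real data, mirroring the cases
// above: a sensitive store left unencrypted, a sanctioned public store, an AI
// training dump nobody owns, and a stale on-prem share exposed to everyone.
func SampleInventory(now time.Time) []DataStore {
	return []DataStore{
		{"patient-images", "aws", "radiology", "restricted", false, false, now.Add(-10 * 24 * time.Hour)},
		{"marketing-assets", "azure", "marketing", "public", true, true, now.Add(-5 * 24 * time.Hour)},
		{"ml-training-dump", "gcp", "", "", false, false, time.Time{}},
		{"legacy-share", "on-prem", "it-ops", "confidential", true, true, now.Add(-200 * 24 * time.Hour)},
	}
}

func main() {
	now := time.Now()
	findings := Assess(SampleInventory(now), now, 90*24*time.Hour)
	for _, f := range findings {
		fmt.Printf("%-7s %-18s %s\n", f.Severity, f.Store, f.Reason)
	}
	fmt.Println("shadow stores:", ShadowStores(findings))
	fmt.Println("totals:", CountBySeverity(findings))
}
```

The sample inventory yields seven findings (three high, four medium) and names `ml-training-dump` and `legacy-share` as shadow stores. In a real deployment the `DataStore` records would be populated from the cloud providers' and on-prem inventory APIs, and the staleness window tuned to how often discovery runs; the point of treating unclassified data as sensitive is that the 291-day dwell time quoted above is what an "unknown, so probably harmless" default buys you.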

Unclassified and Unprotected Data

When data is not properly inventoried and catalogued, it cannot be classified correctly, leading to inadequate protection. This often includes data that should be tagged as restricted or confidential. The report reveals a 26.5% increase in IP theft, with the cost per record rising from USD 156 in 2023 to USD 173 in 2024—a rise of 11%.

The implications of IP theft extend beyond financial loss. Organizations may lose their competitive edge, market share, and potential revenue, particularly if they are developing innovative gen AI applications expected to generate exclusive profits. The average cost of lost business and reputation damage rose to USD 1.47 million, contributing significantly to the overall increase in the cost of a breach in 2024.

Shadow Data, Shadow Models, Shadow AI

In the current gen AI gold rush, various stakeholders within an organization may inadvertently expose it to unmanaged risks related to unsanctioned data, models, and AI usage. These risks often go unnoticed by IT and security teams, leading to potentially significant incidents.

Another risk arises from datasets used in AI implementation, sourced from multiple third-party providers. When these sources are not managed by the security team, they can introduce risks such as data poisoning and other vulnerabilities. Even more concerning are shadow models and the vast amounts of unencrypted training data moving into and out of cloud environments.

Consider this scenario: a healthcare organization uses gen AI to identify anomalies in chest X-rays. The images are sent to a cloud model for analysis, but they travel in an unencrypted form. If an attacker gains access to these images, they could extort the healthcare provider. Similar risks exist for plaintext or any other unprotected data that should be better secured. Such incidents could quickly lead to lawsuits from affected individuals.


Recommendations: Pay Data Its (Security) Dues

For most organizations today, losing access to data would cripple productivity. Data is no longer a by-product of business; it is the primary asset that drives culture, organization, and technology. As such, it must be managed and protected according to its classification, using the appropriate technologies.

Encrypt Your Data

Start by identifying, classifying, and encrypting your data. Properly protected data reduces the leverage attackers have in the event of a breach, leading to less impact on data subjects and potentially lower regulatory fines. Not all data is the same, so tailor your encryption strategies to fit your organization’s specific needs. For example, if your organization uses images or other specialized data types, explore advanced encryption methods to ensure secure usage.

The more innovative your organization, the more crucial encryption becomes. Consider adopting confidential computing and post-quantum encryption to safeguard your data both now and in the future.

Adopt Data Security Posture Management (DSPM)

Rethink Data Protection in the Gen AI Era

As data scales and gen AI solutions evolve, organizations must reconsider their data lifecycle and how to protect it at every stage. Secure your training data by preventing theft and manipulation. Use data discovery and classification tools to detect sensitive data used in training or fine-tuning AI models. Implement robust data security controls, including encryption, access management, and compliance monitoring. Extend these protections to AI models to safeguard sensitive training data, detect unauthorized or shadow AI models, prevent malicious drifts, and avoid data leakage.
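Classification-driven protection before data crosses a trust boundary, as an added example (not the article's or any product's code) covering the "identify, classify, encrypt" recommendation above and the unencrypted chest X-ray scenario earlier: records are labelled from their type and content, and anything above public is sealed with AES-256-GCM before it is sent, with the record ID and label bound as associated data so the ciphertext cannot be replayed under another identity or presented with a weaker label. The `Record` type, the label names, the `MRN-` identifier pattern, and the sample record are constructed assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"regexp"
)

// Record is one item about to leave the trust boundary (hypothetical type for this example).
type Record struct {
	ID      string
	Kind    string // "text" or "image"
	Payload []byte
}

const (
	Public       = "public"
	Confidential = "confidential"
	Restricted   = "restricted"
)

var emailRe = regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)
// mrnRe matches a constructed "MRN-123456" format standing in for an organisation's own restricted identifiers.
var mrnRe = regexp.MustCompile(`\bMRN[- ]?[0-9]{6,}\b`)

// Classify labels by type and content; images default to restricted, since nothing in the bytes says X-ray or logo.
func Classify(r Record) string {
	switch {
	case r.Kind == "image", mrnRe.Match(r.Payload):
		return Restricted
	case emailRe.Match(r.Payload):
		return Confidential
	default:
		return Public
	}
}

// newGCM builds an AES-GCM AEAD; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with AES-256-GCM and binds the record ID and label as associated data,
// so the ciphertext cannot be replayed under another ID or a weaker label. Layout: nonce || ct+tag.
func Seal(key []byte, r Record, label string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, r.Payload, []byte(r.ID+"|"+label)), nil
}

// Open reverses Seal; it fails if the ID, label or ciphertext was altered.
func Open(key []byte, id, label string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(id+"|"+label))
}

// Prepare applies the policy: anything above public is sealed before it leaves; public data passes through.
func Prepare(key []byte, r Record) (string, []byte, error) {
	label := Classify(r)
	if label == Public {
		return label, r.Payload, nil
	}
	sealed, err := Seal(key, r, label)
	return label, sealed, err
}

func main() {
	key := make([]byte, 32) // production keys come from a KMS/HSM, never a literal
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	r := Record{"req-2", "text", []byte("patient MRN-482913 chest film")} // constructed sample
	label, out, err := Prepare(key, r)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s classified %s, %d bytes may leave\n", r.ID, label, len(out))
}
```

The design choice worth noting is the associated data: the receiving side must present the same ID and label it was given, so a restricted X-ray cannot be quietly re-labelled as public downstream, and a ciphertext captured from one request cannot be spliced into another. Key management (rotation, per-tenant keys, a KMS or HSM as the source of the key) is outside the example and is where most real deployments go wrong.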

Adapt to Regulatory Demands

Data usage is subject to extensive regulatory requirements, which are becoming increasingly complex, particularly for AI-enabled solutions. Traditional data protection methods may no longer suffice, necessitating enhanced classification, protection, monitoring mechanisms, and improved controls for auditability and oversight.

Better Insights, Better Security

Now in its 19th edition, the Cost of a Data Breach Report provides IT, risk management, and security leaders with timely, actionable insights to guide strategic decision-making. The 2024 edition includes data from 604 organizations and 3,556 cybersecurity and business leaders who have experienced data breaches. Download the report to empower yourself with real-world examples and expert recommendations on mitigating risks and strengthening your security posture.