There is no doubt that managing data privacy and compliance risks becomes increasingly difficult year on year. Cybercriminals continue to evolve their strategies and approaches, making it more difficult to identify, stop, and mitigate the damages of malicious attacks. This has made managing the privacy and compliance of sensitive content communications a difficult undertaking for many businesses and has led to several serious data breaches this year. But what are the key issues to look out for in 2024?
The risk of AI LLMs
Despite bans and restrictions, the number of employees and third parties using generative artificial intelligence (GenAI) large language models (LLMs) continues to rise as their competitive advantage becomes too significant to ignore. Unfortunately, this will expand the threat surface in 2024 and potentially expose sensitive content.
Even with advances in security controls, data breaches stemming from GenAI LLM misuse will only rise in 2024. High-profile examples threatening customer trust and drawing regulatory scrutiny are likely. This will force data security to be a central part of GenAI LLM strategies moving forward. Organisations slow to adapt will face damage to brand reputation, lost revenue opportunities, potential regulatory fines, and litigation costs.
A shift of approach for MFTs
Managed file transfer (MFT) tools are used in many businesses for the digital transfer of data in an automated, reliable, and supposedly secure manner. However, many are based on decades-old technology that has inherent security deficiencies. This has led to us witnessing a spiralling escalation of cyberattacks on the software supply chain over the past few years by rogue nation-states and cybercriminals.
Two major MFT tools experienced zero-day exploits in 2023. In both instances, multiple zero-day vulnerabilities were targeted: a remote code execution (RCE) in the case of Fortra GoAnywhere that impacted over 130 organisations, and a SQL injection in the case of MOVEit that affected over 2,000 organisations and 62 million individuals. If these MFT attacks in 2023 are any indication, rogue nation-states and cybercriminals will continue to exploit zero-day vulnerabilities in legacy MFT solutions in 2024.
Email will remain a major attack vector
Email remains the number one attack vector and shows no sign of losing its place. Malware attacks instigated through email shot up 29% in the past year, while phishing attacks also grew 29% and business email compromise (BEC) spiked 66%. In fact, more than eight in ten data breaches now target humans as their first line of access using social engineering strategies.
As with legacy MFT solutions, many legacy email systems lack modern security capabilities. Until organisations embrace an email protection gateway where email is sent, received, and stored using zero-trust policy management with single-tenant hosting, email security will unfortunately remain a serious risk factor.
Morphing regulatory standards
Regulatory bodies will continue evolving data privacy regulations in 2024 and continue to ratchet up their fines. Recent major fines, like those against Marriott and British Airways under GDPR, were in large part due to lapses in data security. This precedent indicates regulators will come down hard on any company that negligently exposes personal data. In 2024, businesses will, more than ever, need to track and control content access and generate audit log reports to demonstrate compliance.
This regulatory pressure is not going to go away. In fact, Gartner predicts that personal data for three-quarters of the world’s population will be covered by data privacy regulations by the end of 2024, and the average annual budget for privacy in a company will rise to over $2.5 million.
Rising importance of data sovereignty
The need for increased data localisation is a growing trend that will make data sovereignty a challenge for organisations in 2024. Many emerging privacy laws require organisations to control the country where data resides, which can prove to be a significant challenge. At the same time, data democratisation, the practice of making data accessible and consumable for everyone in an enterprise regardless of technical skill, is a trend that will also impact data sovereignty.
Data sovereignty empowers organisations to maintain compliance with local and international data regulations, which minimises legal risks, establishes a reputation for responsible data handling, and helps companies avoid hefty fines. By prioritising data sovereignty, organisations can build trust with customers and stakeholders, enhance brand reputation, and avoid costly legal issues.
The increased use of DRM to protect sensitive content
Challenges surrounding the handling of large files containing sensitive content will become increasingly pressing for organisations in 2024. Digital rights management (DRM) adoption will accelerate as organisations aim to protect sensitive content with robust solutions to ensure they can comply with expanding regulations. For 2024, data classification and DRM policy management will drive organisations large and small to institute data protection ranging from least-privilege access and watermarks for low-risk data, through view-only DRM for moderate-risk data, to safe video-streamed editing that blocks downloads and copy and paste for high-risk data.
Time to hit the reset button
In 2024, businesses will be under heightened strain to protect confidential data amidst escalating cyber threats and to ensure adherence to burgeoning international regulatory standards. It is time for organisations to look at alternatives.
By adopting zero-trust architectures, detailed security models based on content, strong access management, integrated DRM, DLP, and other leading-edge security measures, organisations can mitigate risks and uphold compliance. It is time for organisations to hit the reset button on their sensitive content communication strategies and work to ensure they have the right technologies in place to protect their communications.
Tim Freestone joined Kiteworks in 2021 and brings over 15 years of experience in marketing and marketing leadership, including demand generation, brand strategy, and process and organisational optimisation. Tim was previously Vice President of Marketing at Contrast Security, a scale-up application security company. Before Contrast, Tim was the Vice President of Corporate Marketing at Fortinet, a multi-billion-dollar, next-generation firewall and cloud security company. Tim holds a Bachelor’s degree in Political Science and Communication Studies from The University of Montana.