The hidden risk of shadow data and shadow AI drives up the cost of data breaches.
Defense-in-depth and resilient security stacks and architectures are familiar ground for security leaders. That approach still applies, but a data-first approach to security is worth considering. Modern use cases call for data management in which data is the core asset, protected throughout its lifecycle, usage, and disposal. The 2024 Cost of a Data Breach Report supports this shift toward a data security paradigm.
The report examines breaches at 604 organisations in 17 industries worldwide, along with their causes, costs, and recovery. Some intriguing trends in security, privacy, governance, and regulation may help address the data problem. The drive to provision new generative AI (gen AI) programs and bring them to market quickly, leaving security concerns behind, raises dangers in all three areas. Alarmingly, an executive poll on gen AI security found that only 24% of new efforts integrate security.
A gloomy data journey
Companies today rely heavily on data. Data is king, yet it is not managed or safeguarded in proportion to its importance or to the potential impact of its loss. How data is handled along its journey, and the protections applied across its lifecycle, contributed to data breach costs.
Multi-cloud hopping
The volume of data today requires organisations to move beyond on-premises and private cloud infrastructure. The drivers are the need to scale with data volume and growing traffic and workload demands. According to the Cost of a Data Breach Report, 40% of breaches involved data stored across several cloud environments. Public cloud breaches cost the most, at USD 5.17 million.
Why is this happening? Multi-cloud's decentralised structure makes data visibility and control difficult, and in the event of a breach it takes longer to gather information, investigate, and engage cloud provider support. Scale also means that more data is breached at once in the cloud, which may increase harm to consumers and recovery costs.
Shadow data
Data is everywhere, and 35% of breaches this year involved unmanaged data sources, or "shadow data." As a result, the data was not adequately classified, safeguarded, or managed within the organisation. Because 25% of shadow data breaches occurred on premises, this clearly points to unmanaged risk in data governance, privacy, and regulatory impact.
Shadow data breaches took an average of 291 days to find and contain, 26.2% and 20.2% longer, respectively. This led to higher breach costs, averaging USD 5.27 million when shadow data was involved, and the spillover effects on others in the ecosystem, potential contractual issues, and lawsuits keep adding up for as long as 2-3 years after the breach.
No classification, no security
Poor inventory and cataloguing lead to improper classification and protection of data. Some of that data could have been restricted or confidential, which leads to the following figure from the report. Break-ins gave attackers access to more sensitive data, with IP theft increasing by 26.5%. Lost IP cost USD 173 per record in 2024, up 11% from USD 156 in 2023.
Set that high cost aside for a moment. IP theft can cost a company its competitive edge, and the loss of strategic IP could cost it market share and income. Most companies are building innovative gen AI applications that they plan to monetise exclusively, so this figure should worry shareholders.
Deficient data protection led to business and reputation damage costing USD 1.47 million, which accounts for most of the 2024 rise in breach costs.
Shadow data, shadow models, AI
As emerging AI becomes the new gold rush, stakeholders can expose the organisation to uncontrolled risk from unsanctioned data, models, and AI use. IT and security personnel may not notice these uses, which can lead to serious incidents.
The use of multiple third-party datasets in AI deployments is another risk. External sources can introduce poisoning and vulnerabilities if the security team does not monitor them. Shadow models and volumes of unencrypted training data flowing into and out of cloud environments are increasingly dangerous.
Imagine a healthcare organisation using gen AI to find irregularities in chest x-rays. The images are sent to a cloud model for results but are not secured. An attacker steals the images and demands a ransom from the healthcare provider. The same applies to plaintext or any other unprotected data that should be safeguarded. Do not be shocked if affected data subjects sue immediately.
Investing in data security is advised
Without data, most companies would lose practically all productivity. Whether the concern is employee productivity or running a data-driven organisation, companies do not consider data a by-product. To sustain innovation and corporate growth, organisations align culture, organisation, and technology around data. It therefore makes sense to manage and safeguard data according to its classification, using the appropriate technology.
Encrypt
Encrypt, classify, identify. Better data protection reduces attackers' leverage in a data breach. Data subjects will be less affected and regulatory fines may decrease. Encrypt wisely, because not all data is equal. Learn how to encrypt images and other data so that your company can use them securely and benefit from them.
As your company innovates and uses more data, encryption becomes more vital. Confidential computing and post-quantum encryption can protect your data in the future.
Go DSPM
Since data is dispersed across environments and often exposed, data security posture management (DSPM) can help restore control. DSPM is a cybersecurity technology that identifies sensitive data across multiple cloud environments and services and assesses its exposure to security and regulatory compliance risk. Security teams can use DSPM to protect data directly, rather than the devices, systems, and applications that store, transport, or process it.
Gen AI data protection rethink
Because of the volume of data in gen AI solutions and the way it is used, organisations must rethink their data lifecycle and how to protect data in all its forms. Consider protecting training data from theft and modification. Organisations can find sensitive training or fine-tuning data through data discovery and classification, and can secure it through encryption, access management, and compliance monitoring. By extending posture management to AI models, they can protect sensitive AI training data and gain visibility into unsanctioned or shadow AI models, malicious drift, AI misuse, and data leakage.
Adapt to regulations
Data privacy regulators impose strict rules on data use. In AI-enabled systems and scenarios, data demands are becoming increasingly complex. This means that typical data protection may not be enough, and that increased classification, protection, monitoring, auditability, and oversight may be required.
Better security, insights
The 19th annual Cost of a Data Breach Report gives IT, risk management, and security leaders timely, quantified facts to guide strategic decisions. Teams can better manage risk and security investments. The findings this year reflect the data breach experiences of 604 organisations and 3,556 cybersecurity and business leaders. Download the report for real-world examples and professional advice on risk mitigation.