
Navigating Uncertainty Part 1: Data Breach Predictions for 2023

BY SPIRION
March 7, 2023

If there’s one thing data privacy experts agree on about the data security landscape in 2023, it’s that nothing is certain. Navigating this uncertainty is key to crafting an effective data security strategy and leading your organization successfully. To help you do so, we have gathered the industry predictions and expert advice from our recent report and crafted them into a bite-sized, three-part series that sums up the three biggest trends our experts identified.

In this first installment, we summarize our experts’ data breach and regulatory compliance predictions for the year.

Data breach costs will continue to increase

“Organizations will struggle to shift from reactive ‘if’ or ‘when’ to the proactive reality of ‘how often’ they’ll have to deal with data-related incidents. Vendors for years have said it’s not if you’ll be breached, but when.”
– Kevin Coppins, CEO of Spirion | Data Privacy & Security Report

The predictions above from 2022 held up all too well. IBM’s Data Breach Report 2022 revealed that an astonishing 83% of organizations experienced more than one data breach in the last year alone. 

The average cost of a breach has also reached a historic high of $4.35 million. For many companies, however, the costs can be much higher, including business disruption, reputational and brand damage, ransomware payouts, and more, with costs accruing over several years.

As of October 2022, 1,291 data breaches were reported. 44% of those included personal customer information (such as name, email and password). This led 60% of organizations to increase prices passed down to customers.

Pressure will rise on security teams due to data breach disclosures

Data security teams will continue to experience increasing pressures due to evolving regulations related to disclosure rules. The SEC continues to float new disclosure rules that will reduce the time in which companies must disclose a data breach to a mere four days after deeming it material. Data breach response teams already react rapidly at most organizations after a data breach notification or cybersecurity incident. However, Chief Information Security Officers (CISOs) today are initially most focused on corporate data and systems impacts. Going forward, CISOs will need to have board-level conversations within a day or two of discovering the breach to determine whether the incident is material and must be disclosed.

If enacted, such rules will make cybersecurity disclosures and data breach response a board-level topic. Companies will also have to report on the board of directors’ cybersecurity expertise. These changes will transform enterprise security investments into a strategic priority but come with significantly tighter deadlines and increased consequences for noncompliance.

Rising costs (and consequences) of data breaches

“Many companies will not be able to obtain cybersecurity insurance in 2023, as underwriting diminishes or disappears entirely. Consequently, greater financial resources for self-insurance will need to be allocated in budgets.”
– Stuart N. Brotman, Distinguished Fellow, The Media Institute | Data Privacy & Security Report

The consequences of a data breach can be catastrophic. A data breach can result in significant financial ramifications, reputational fallout, or even a complete loss of access to business-critical data, effectively preventing your organization from operating until the demands of the hackers are met.

Since 2018, 1,421 organizations have been fined €2.7 billion for data security non-compliance. The average cost to an organization that doesn’t comply with data protection regulations is $14.82 million.

The harm caused by a data breach can also be far-reaching. For governmental organizations, compromised data can expose highly sensitive information to foreign agencies or other bad actors. This could include information about foreign policy dealings, military movements, or state secrets.

Individuals who experience a data breach can fall victim to identity theft, resulting in fraudulent dealings in their names. This can cause financial ruin and legal entanglements that are difficult to navigate.

Businesses that house customer data and suffer a breach also face numerous ramifications, not only reputational or financial, but regulatory. Data breach notification laws must be adhered to, or fines can be imposed.

In 2023, these impacts will be felt more keenly, as there’s a lot at stake when it comes to securing data. As data breaches become more frequent (and costly) cybersecurity insurance will become increasingly difficult to obtain. Companies will need to begin self-insuring or budgeting accordingly for the risks of non-compliance.

Proactive mitigation measures like compliance automation will be used more frequently to ensure organizations are doing everything possible to protect sensitive data as a breach occurs. In turn, this can eliminate certain risk vectors right off the bat — potentially preventing, or at least lowering the frequency of, breaches — while also significantly lessening a breach’s impact on an organization.

Shift from data breach punishment to standardized data privacy management

“In 2023, governments will shift their data privacy focus from data breach punishment to regulating the architecture of data and identity management. This will force international efforts to standardize best practices that will evolve with innovation.”
– Joseph J. Dehner, International Attorney and host of the Data Privacy Detective Podcast | Data Privacy & Security Report

Five new states implemented robust data privacy laws in early 2023, and this trend is expected to continue. Many more states are still in the drafting and development phases of similar bills, and a much-debated federal privacy law is wending its way through Congress. As momentum for data privacy regulations and enforcement builds, governments are expected to shift their focus from punitive measures to standardizing and regulating data and identity management.

With so many evolving regulations, organizations will find compliance a challenge, especially if they aren’t yet taking a data-centric approach to security and privacy. This means finding and classifying data wherever it lives. Only through this approach can an organization equip itself to meet compliance requirements while remaining flexible enough to adapt to the changing regulatory environment.

A large portion of the financial impact brought on by data breaches comes from noncompliance fines. In maintaining compliance through intelligent automation, companies will be in a good position to defend against a data breach. When a data breach does occur, the relevant regulatory agencies will audit its events and specifically look to ensure compliant safeguards were enacted. If so, this could diminish the penalty.

More organizations will adopt compliance automation software

“2023 will be the year we see more and more businesses taking stock of their data and learning where it is in order to spend wisely on how to best control and protect it.”
– Todd Feinman, Founder, Board of Directors at Spirion | Data Privacy & Security Report

It takes multiple steps to prevent data breaches, from fixing vulnerabilities with data loss prevention solutions to updating encryption keys to conducting drills. And if you were to conduct a gap analysis of a typical breach preparation plan, one critical step would likely be missing from the list: identifying all of the sensitive data located across an enterprise — from emails to endpoints.

The reason for this gap in data discovery is that most organizations don’t have an accurate and dependable way to find their critical, sensitive data in all of the multitudes of places it may exist. Without knowing where sensitive data lives across the enterprise, organizations are at a disadvantage in the war against data breaches.

To meet the new data privacy demands, enterprises need to up their game by filling the gaps in their data breach preparation. Advanced technologies that deliver accurate data discovery, classification, and control add a critical weapon to your organization’s data breach arsenal, giving you a fighting chance to defend data security and privacy. Internal processes about what needs to happen in the event of a data breach, from data breach notifications to disclosures and data breach reporting, should also be put into place.

Compliance automation uses regulatory standards and an organization’s own unique security policies to apply safeguards, access controls, and typical behavior patterns to sensitive data. In terms of preventing a breach, compliance automation software does away with the need for manual handling of essential security processes like sensitive data discovery, classification, and remediation. That alone blocks a common source of breaches from entering the picture.

In terms of mitigating the impacts of a breach, automation can reduce detection time, data loss, and containment time — plus the financial repercussions all of these can have on your business — as well as regulatory fines.

Without any security automation in place, the average detection time across all 2022 breaches was 277 days. Organizations with automation that quickly detected atypical behavior within data incurred significantly lower costs. In fact, security and compliance automation tools have been shown to reduce data breach costs by up to 80%.

Here’s a look at the key functionality of compliance automation and how it minimizes other components that could drive your post-breach bill up:

  • Accurate data discovery lets you know what sensitive data you have and where it’s located, so you know which data to prioritize in your security strategy, what your risks are, which regulations you’re at the mercy of, and finally, how to secure data per your own internal policy as well as regulatory requirements.
  • Consistent data classification ensures that every piece of discovered data is categorized with a standardized tagging system, based on criteria like its level of sensitivity or risk and the regulations it’s subject to, so the proper security measures can be applied and enforced. This capability allows permissions to be created that only give essential personnel access to sensitive data. When a breach occurs, having a limited number of users to trace it back to can speed up detection and containment.
  • Active monitoring uses pre-built queries, customizable incident definitions, and machine learning to identify normal behavior patterns within files of sensitive data. This way, when atypical behavior occurs, such as a compromised account accessing sensitive data it normally wouldn’t or at unusual hours of the day, security teams can be immediately notified with detailed reporting to understand the incident and quickly respond.
  • Intelligent remediation safely disposes of outdated and inaccurate data per regulatory retention rules. Not only does this data’s existence violate compliance, but it’s also vulnerable to unauthorized attacks. When data is modified or otherwise compromised, automated remediation can help cut down time and costs associated with containment and remediation processes.
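The four capabilities above form one pipeline: discovery feeds classification, classification tells monitoring which files matter, and both feed remediation. The following script is an added illustration of that pipeline and is not Spirion’s code or a description of its product. Everything in it is constructed for the example: the sample files, the access log lines, the regex patterns, the `POLICY` tier/regulation mapping, the business-hours window, the retention period and the `AUDIT_DATE`. A real deployment would take those from the organization’s own policy and from real file stores and audit logs.

```python
import re
from datetime import datetime, timedelta

# Constructed sample corpus: path -> file contents.
SAMPLE_FILES = {
    "hr/offer_letter.txt": "Welcome Jane Doe. SSN 123-45-6789 on file; contact jane.doe@example.com.",
    "finance/export.csv": "order,card\n1001,4111111111111111\n1002,4242424242424242\n",
    "eng/notes.md": "Release planned for Q3. No customer data here.",
}

# Constructed access log: ISO timestamp, user, path, action.
ACCESS_LOG = [
    "2023-03-06T14:05:00 alice hr/offer_letter.txt READ",
    "2023-03-07T02:41:00 bob finance/export.csv READ",
    "2023-03-07T03:10:00 carol eng/notes.md READ",
]

# Constructed last-modified dates and audit date for the retention check.
LAST_MODIFIED = {
    "hr/offer_letter.txt": datetime(2015, 1, 10),
    "finance/export.csv": datetime(2023, 2, 1),
    "eng/notes.md": datetime(2023, 3, 1),
}
AUDIT_DATE = datetime(2023, 3, 7)

# Discovery patterns (deliberately simple; real scanners use many more).
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "card": re.compile(r"\b\d{13,19}\b"),
}

# Hypothetical classification policy: data kind -> (sensitivity tier, regulation).
POLICY = {
    "ssn": ("restricted", "state privacy laws"),
    "card": ("restricted", "PCI DSS"),
    "email": ("confidential", "state privacy laws"),
}
TIER_RANK = {"public": 0, "confidential": 1, "restricted": 2}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops long digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def discover(files):
    """Step 1: return {path: {kind: [matches]}} for files holding sensitive data."""
    findings = {}
    for path, text in files.items():
        hits = {}
        for kind, pattern in PATTERNS.items():
            matches = pattern.findall(text)
            if kind == "card":
                matches = [m for m in matches if luhn_ok(m)]
            if matches:
                hits[kind] = matches
        if hits:
            findings[path] = hits
    return findings


def classify(findings):
    """Step 2: tag each discovered file with its highest tier and the regulations."""
    inventory = {}
    for path, hits in findings.items():
        tier, regs = "public", set()
        for kind in hits:
            kind_tier, reg = POLICY[kind]
            if TIER_RANK[kind_tier] > TIER_RANK[tier]:
                tier = kind_tier
            regs.add(reg)
        inventory[path] = {"sensitivity": tier, "regulations": sorted(regs)}
    return inventory


def detect_offhours_access(log_lines, inventory, business_hours=(8, 18)):
    """Step 3: flag reads of classified files outside business hours.
    Files that discovery never tagged do not alert, however odd the hour."""
    alerts = []
    for line in log_lines:
        ts, user, path, action = line.split()
        hour = datetime.fromisoformat(ts).hour
        if path in inventory and not business_hours[0] <= hour < business_hours[1]:
            alerts.append({"user": user, "path": path, "action": action,
                           "sensitivity": inventory[path]["sensitivity"], "time": ts})
    return alerts


def retention_candidates(inventory, last_modified, now, retention_days=365 * 7):
    """Step 4: classified files untouched past the retention window are remediation candidates."""
    cutoff = now - timedelta(days=retention_days)
    return sorted(p for p in inventory if last_modified[p] < cutoff)


if __name__ == "__main__":
    inv = classify(discover(SAMPLE_FILES))
    for path, meta in inv.items():
        print(f"{path}: {meta['sensitivity']} ({', '.join(meta['regulations'])})")
    for alert in detect_offhours_access(ACCESS_LOG, inv):
        print("ALERT off-hours access:", alert)
    print("retention candidates:", retention_candidates(inv, LAST_MODIFIED, AUDIT_DATE))
```

Run as written, the script tags the HR letter and the finance export as restricted, leaves the engineering notes unclassified, raises one alert (the 02:41 read of the card export) while ignoring the equally late read of the unclassified notes, and lists the 2015 HR letter as a retention candidate. That last point is the practical argument for discovery coming first: the monitoring and retention rules are only as good as the inventory they consult.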

Sophisticated ways organizations are ensuring compliance

Many organizations will move forward to adopt a data-centric approach to data security that embraces the strictest regulations so they do not have to worry about compliance on a state-by-state (or country-by-country) basis. One company that does just this is The Motley Fool, a private financial and investing advice company that uses a diverse range of IT systems and storage solutions. Team members are not restricted on where they can save data, making regulatory compliance measures a challenge.

Solutions that focused only on structured data or securing data in motion could not address the organization’s challenges. The Motley Fool estimated that at least half of their sensitive data is unstructured.

“We considered a couple different solutions,” says Jeff Lovett, Head of Cybersecurity Operations for The Motley Fool, “but they could not provide the complete coverage that Spirion provided, especially with the diverse environments we use.”

Powerful and sophisticated solutions like those provided by Spirion can help organizations adhere to the strictest of compliance regulations, making compliance with the patchwork of new and emerging data compliance regulations much more seamless. They can also protect data wherever it resides, giving organizations deep insights into not only what data they have, but also its sensitivity level. This is critical knowledge in the event of a data breach and can guide organizations in determining next steps.

Explore more about data breaches in our report: Definitive Guide to Data Breaches.

Arm yourself for an uncertain future with Spirion’s Data Governance Suite

In today’s fast-paced and deeply interconnected world, a data breach event isn’t a matter of “if” but “when.” Is your organization prepared with automated data security management and data breach protection tools? Spirion’s Governance Suite can simplify the data protection process. It also equips you to understand what data was accessed and its sensitivity level. The Governance Suite combines all of Spirion’s products to help you build a proactive security and privacy posture that’s customized to your business needs and can help your organization stay in compliance with even the strictest privacy laws.

See the demo for a first-hand look at Governance Suite in action. Or, contact a member of our team for personalized answers to your unique business questions.