Navigating Uncertainty Part 3: Data Loss Prevention Predictions for 2023

March 21, 2023

Data has become one of the most valuable business assets for organizations across all industries. However, this increased value also represents increased risk, and data loss prevention has become a major concern for businesses worldwide. An incredible 83% of organizations experienced more than one data breach in the last year, and the threat of data loss—through malice or accidental loss—only continues to increase.

This final piece of our three-part series on data privacy and security predictions highlights data loss prevention trends you need to be aware of in the coming year. We’ve included perspectives from various industry experts featured in our recent report. You can also read part one and part two of the series.

Many companies will continue to struggle to address data loss

“We will see more problems before we see implemented solutions as companies resist protecting what matters most in favor of trying to simply encrypt or secure the perimeter or the cloud.”
– Todd Feinman, Founder, Board of Directors at Spirion | Data Privacy & Security Report

Most security teams share a common goal: create the widest margin possible between their organization’s protected data and the risks that threaten it. What makes this challenging is that those risks keep shifting and evolving as attackers become more sophisticated.

There are multiple steps an organization needs to take to prevent data breaches. One of those critical steps that is often overlooked is sensitive data discovery. Since sensitive information can often come in the form of unstructured data, many organizations cannot accurately locate all of that data. This data could exist anywhere, from emails to voicemails or cloud storage platforms.

Organizations that are prioritizing data breach protection need the right tools to quickly find all forms of sensitive data, no matter where it lives, and automatically classify that data. Once data is discovered and classified, then the right measures can be implemented to protect, control, and remediate data as necessary.

Having visibility into key data points helps your team understand what can be done to prevent a breach and develop the best plan of action for remediation should a data leak occur. Additionally, if your organization experiences an unintentional data disclosure, your team will want to have a full view of why it happened so the proper measures can be implemented to prevent future breaches.

Once your team has created policies for data discovery, classification, and remediation, a lot of the heavy lifting is done, provided you are able to automate those procedures with your data breach detection tool. If you already know what factors will qualify a piece of data to be classified as sensitive and what remediation tasks need to be executed given certain triggers, then you should be able to automate those tasks.

By automating these tasks, you leave less room for human error. And with all of these automations working in real-time, your team can feel more secure knowing that workflows are always in motion.

Learn more in our guide to detecting and protecting dark data.

“(I anticipate) the continued growth of GDPR enforcement. In 2022, GDPR enforcement comfortably passed the €2.5 billion level, and there’s more to come.”
– Jonathan Armstrong, Partner, Cordery Compliance | Data Privacy & Security Report

A data breach of sensitive customer information can be a complicated and critical issue for companies. Preventing data breaches is important, but equally important is having a comprehensive data breach response plan—especially for breaches that involve highly-protected sensitive data.

Without a data breach response plan, organizations are left scrambling and often solely focus on remedying the situation. While preventing any further data loss and fixing the vulnerability is a top priority, there are other steps in the process that can take precedence.

If your organization experiences a data breach that affects customers based in the EU, then GDPR breach notification laws apply to you. According to the GDPR, an organization must report a data breach that involves personal data to a supervisory authority without undue delay and within 72 hours of becoming aware of the breach. Personal data, according to the GDPR, is any information that relates to or can be used to identify a person. This data can be as simple as a name and address.

Organizations must also notify data subjects of the breach without undue delay when the incident is likely to result in a high risk to the rights and freedoms of the persons affected. The method of notification can include direct messaging (such as email or SMS), prominent website banners, mailed letters, and prominent advertisements in print media. The notice must include, in clear and plain language:

  • The nature of the data breach
  • The likely consequences of the data breach
  • The measures taken or proposed to be taken to address the breach
  • Measures that may be taken to mitigate the breach’s possible adverse effects
  • Contact information of the data protection officer, or other point of contact, who can be reached for more information

In the United States, data privacy compliance laws currently apply on the state level. Five new “rights-based” privacy laws are going into effect in 2023, and many other states are considering similar regulations. All 50 U.S. states have some form of data breach notification law. In all cases, the consequences of not reporting a data breach can be significant.

When notification is necessary, most state laws dictate that organizations need to move quickly. It’s not uncommon to see a state require notification within 24 to 72 hours of becoming aware of the breach. Building out your data breach response plan, and executing it, is critical.

On the execution side, consider the following questions:

  • Can we quickly pull real-time reports for leadership to assess if a data breach were to occur?
  • Can we easily find all data matched to the persons affected by the breach?
  • Can we quickly run automated remediation workflows to help prevent further data loss?
  • Can we match all identities and data to the appropriate regulatory categories to meet notification requirements?

A data privacy management tool can make it easier for security teams to move quickly when it comes to data breach response and notification. The Spirion Sensitive Data Platform is built with identity-centric data discovery, automated workflow control for remediation, high-powered analytics and data visualization for reporting, and cross-system support to make data breach response easier.

Ransomware attacks on vulnerable targets will become more prevalent

“Ransomware will continue to be a scourge, but we will see its expansion onto the geo-political stage in 2023. Ransomware will push more into the critical infrastructure that keeps our society humming.”
– Cameron Ivey & Gabe Gumbs, Hosts | Data Privacy & Security Report

Ransomware has emerged as one of the most significant cyber threats to critical infrastructure and businesses worldwide. These damaging attacks occur approximately every 11 seconds and encrypt a victim’s data while demanding payment in exchange for restoring access to the files.

The reason ransomware is such a threat to critical infrastructure and businesses is that it can cause severe disruptions to operations, leading to significant financial losses and reputational damage. In many cases, cybercriminals target organizations with ransomware attacks because they know that their victims cannot afford to be without the encrypted data for long periods. Additionally, ransomware attacks can result in the theft of sensitive data, which can be used to commit identity theft or sold on the dark web. As the result of an attack, businesses may feel forced to pay the ransom to regain access to their data, which can not only be costly but may also encourage future breaches.

Many companies try to implement ransomware protection measures, but these solutions often fall short because they don’t focus on the data itself. The key to improving your organization’s security is to adopt a data-centric approach to security. This approach requires knowing where your data lives, along with relevant context.

A holistic data loss prevention strategy should cover all stages of the data lifecycle. To achieve this, organizations need to implement a set of tools and policies that are robust enough to protect their data from a range of potential threats.

Learn more about attack surface management with our guide to Spirion Data Risk Assessments.

More organizations will begin to take advantage of data loss prevention software

“Know your data better than the hackers, and bifurcate systems into the ones that have sensitive information and the ones that don’t, so security dollars can be spent where it matters most.”
– Todd Feinman, Founder, Board of Directors at Spirion | Data Privacy & Security Report

Data is constantly on the move across enterprises, and because of this, data security strategies are often an amalgamation of tools, platforms, and policies focused on keeping sensitive information safe while in motion. But that data has to rest eventually, and whether that happens on employee endpoint devices, networks, or in the cloud, it needs to be protected.

Why? Because despite data in motion being thought of as most vulnerable to threats, data at rest is actually the more frequent target. Unauthorized outsiders and malicious insiders can both recognize the value of targeting data at rest—it can be stolen in higher volumes, which equates to a higher reward.

Through the foundational step of data classification, data at rest can receive the degree of protection it requires. The added bonus of classification with persistent tagging is that these tags follow data when it begins to move, wherever it goes, so it can be secure in transit and at rest. When data is inevitably modified as it’s processed, its tags are updated to provide the most up-to-date context. When data encounters other tools in your security stack as it moves, such as those for enforcing access controls, encryption, or data loss prevention, its standardized tagging schema allows these tools to easily understand the data they’re dealing with. This enables them to work properly.

Take DLP tools, which protect and remediate sensitive data they’ve identified. If that data were to be wrongly labeled, or not labeled at all, it could be mishandled or disregarded by a DLP tool. With metadata tags attached to sensitive data that provide detailed context, DLP tools can effectively serve as attack surface management.

Businesses of all sizes need highly accurate, automated data classification with persistent tagging so sensitive data can be secured as soon as it enters the organization’s environment. With context-rich labels that are easily understood by other tools in the security stack, the entire threat surface can be protected.

Protect your attack surface with cutting-edge data loss prevention software

Managing your attack surface can often feel like an overwhelming task, but Spirion’s Governance Suite can simplify your approach to data loss prevention.

This comprehensive platform combines all of Spirion’s data security and privacy products, providing a powerful solution that is still customizable to your organizational needs. The Governance Suite accurately discovers data in any location, uses automated classification to maximize efficiency, and ensures compliance with even the most stringent regulatory policies.

By taking a proactive approach to data loss prevention, your organization can better protect itself from financial and reputational harm. To better understand the power of the Governance Suite, see a demo of the product in action. You can also contact us to speak with a data security expert who can answer your data loss prevention software questions.