The weather has gotten colder, but data security risks are heating up.
Over the past few years, we’ve seen many changes in the cybersecurity landscape. AI and automation have both complicated and aided cyberattack prevention efforts. Ransomware attacks have increased and then decreased year-on-year. Remote work continues to complicate workplace data security.
ShardSecure has also changed over the past year, from the release of ShardSecure 2.1.0 to being named a 2023 Gartner® Cool Vendor in Privacy. Now, just in time for the holidays, we’re taking a page out of Scrooge’s book with a look at cyberthreats past, present, and future. We’ll explore how the digital landscape has evolved — and what we might expect in 2024.
Many kinds of cyberthreats don’t fade away so much as evolve to keep up with the changing landscape. For instance, although attack vectors have evolved from infected floppy disks to compromised USBs and emails, the modus operandi of malware hasn’t changed much.
Still, a few factors in the cybersecurity world have decreased significantly over the past several years. Here are two notable ones.
Cloud migration concerns
In the past, on-prem storage was widely regarded as the gold standard for businesses seeking to safeguard their data and applications. The reluctance to embrace cloud migration was deeply rooted in concerns surrounding data security, privacy, and the overall reliability of cloud services. The prevailing sentiment was that on-premises storage offered a greater sense of control and security, even if it meant sacrificing some of the scalability and flexibility that the cloud promised.
But hesitance over cloud migration has mostly evaporated over the past several years. The vast majority of companies now store at least some of their data in the cloud. According to one study, a full 94% of enterprises use cloud services, and 92% of businesses have implemented or are creating a multi-cloud strategy.
While some concerns about data security and privacy in the cloud persist, they’re no longer insurmountable barriers. Instead, there’s been a shift towards addressing these concerns proactively. Companies are now asking, “How can we migrate to the cloud securely and compliantly?” and even “What cloud architecture is best for our business goals?”
The lack of data privacy regulations in the United States
Data privacy advocates have long criticized the US for failing to pass a federal data protection law — especially after the bipartisan American Data Privacy and Protection Act failed to pass. Over the last few years, however, a patchwork of state data privacy laws has finally emerged to address the lack of comprehensive federal legislation.
Only 14 state-level data protection laws currently exist, but more are in the works. While some concerns have arisen about the complexity of navigating each individual state law, the new legislation helps enshrine consumer data privacy rights and address the lack of federal legislation for over 40% of the American population.
You can read our deep dives into four of the new laws here:
- The California Consumer Privacy Act
- The Colorado Privacy Act
- The Florida Digital Bill of Rights
- The Texas Data Privacy and Security Act
We’ve seen a myriad of threats and risks this year, with several notable issues on the rise. Here are three of the top present-day cybersecurity concerns that organizations are contending with.
There’s a growing amount of data in the world. Around 2.5 quintillion bytes are generated each day, and the rate of growth is accelerating — compare the world’s 4.4 zettabytes of data in 2019 to 44 zettabytes in 2020.
More data certainly makes for more insights and better analytics, but it also means more opportunities for data breaches. The number of reported breaches in the US more than quadrupled from 2012 to 2022, and in 2022 over 422 million people were affected by data compromises, including data breaches, leakage, and exposure.
It’s not just the number of data breaches that’s on the rise, either. The average cost of a data breach this year was around $4.5 million globally, a 15% increase over the last three years.
Ransomware has continued to be a formidable threat. There have been some signs of improvement, with one report showing that phishing links clicked by workers dropped 25% and ransomware attacks dropped 30% in the last year.
However, the rates of attacks are still sky high, with 66% of organizations hit by a ransomware attempt in the last year. Meanwhile, the average ransom in 2023 is $1.54 million, almost double the 2022 figure of $812,380.
One reason that ransomware remains a very present threat is its adaptability. Cybercriminals are able to continually refine their tactics, especially when they’re part of an organized ransomware gang or backed by a well-resourced nation-state. The result is that ransomware has evolved to be both more sophisticated, with features that make it difficult to detect and prevent, and more accessible, with the emergence of ransomware-as-a-service (RaaS).
Complex regulatory environments
Data privacy and protection laws are making the online world safer and more secure for consumers. However, the rise of these regulations has added a great deal of complexity for both individual businesses and the cybersecurity sector as a whole.
Regulators have issued some staggering penalties under the GDPR this year, most notably Meta’s €1.2 billion fine. Meanwhile, the 14 existing US state-level data privacy laws are producing a slew of slightly different regulations for companies that do business across the country. Many organizations are finding themselves in the position of having to comply with some state privacy laws (e.g. the broadly applicable Texas Data Privacy and Security Act) while not meeting the threshold for applicability with others (e.g. the Florida Digital Bill of Rights).
What’s coming in 2024 and beyond? We know that the future holds both new challenges and new opportunities for ingenious solutions. We anticipate that several data security and privacy issues will gain more prominence over the next year — and it probably comes as no surprise that artificial intelligence is at their core.
Artificial intelligence (AI) and machine learning (ML) are expected to be double-edged swords, empowering both defenders and attackers.
On the one hand, various AI and ML tools are being used by cyberattackers to aid sophisticated social engineering attempts, improve algorithms for guessing users’ passwords, and automate or enhance hacking activities like password cracking.
On the other hand, cybersecurity solutions are integrating AI/ML technology to detect threats, monitor data access, perform more accurate inventories of data assets, and even predict the risk of data breaches. Overall, we anticipate a continued power struggle between the malicious actors and the security experts as these tools develop further.
Threats to AI/ML models and training data
AI/ML models and training datasets are extremely valuable — and extremely vulnerable to industrial espionage, data tampering, data scraping, and ransomware. Their importance to companies and the ease with which they can be compromised mean that AI/ML datasets will require robust cybersecurity solutions. As the AI sector booms, we anticipate a high demand for data protection measures that can safeguard AI/ML training data against wide-ranging threats to confidentiality, integrity, and availability.
An even more complicated regulatory environment
The journey to GDPR compliance isn’t over yet. The exact mechanisms for meeting compliance are still in flux, with an anticipated Schrems III case likely to invalidate the new EU-US Data Privacy Framework and leave many organizations in limbo.
We’re also going to see more individual US state data privacy laws spring up. Seven states have bills currently undergoing the legislative process: Maine, Massachusetts, New Hampshire, New Jersey, North Carolina, Pennsylvania, and Wisconsin.
Finally, we’re going to see more regulations around AI, complicating an already muddy landscape of compliance and data privacy efforts. In the US, the White House released a Blueprint for an AI Bill of Rights last year to guide future lawmaking. In the EU, the “Proposal for a Regulation laying down harmonised rules for artificial intelligence,” better known as the EU AI Act, seeks to establish consistent standards for AI systems across EU member states and will likely be adopted in early 2024.
In A Christmas Carol, the three ghosts taught Scrooge a valuable lesson. We believe that looking at past and present cyberthreats can also teach important lessons: the importance of strong data privacy and security, the necessity for flexible solutions, and the hope that a more secure digital landscape is on the horizon.
ShardSecure offers support for your organization’s data security, privacy, and resilience challenges, wherever your data resides. Our unified, multi-protocol platform can accommodate the complexity of hybrid- and multi-cloud architectures, and our innovative approach to file-level encryption safeguards data against unauthorized access. To learn more, visit our resources page or book a demo.