Jeff Warren, Senior Vice President of Products at Netwrix, highlights the top three data security challenges and explains how organisations must mitigate their risk.
Technology, cybercriminals, and data privacy legislators never stand still. For example, an attacker who compromises a single device now needs just 102 minutes to move laterally within the corporate network, and 29 new data privacy bills were considered in the US alone during the 2022 legislative cycle.
The speed of change puts a serious onus on organisations to keep up. To help, this article identifies three key challenges businesses will face this year and provides advice on how to mitigate your risk and bolster data security.
1. Ransomware will become an even more pressing threat
Ransomware is a real and evolving threat to data security and data privacy for public and private organisations alike. Ransomware threat actors look to gain an initial foothold in a network, commonly via a vulnerable internet-facing system or weak application settings. Then they set out to hijack legitimate user credentials and move laterally across the network, compromising additional accounts and tools in order to access as much sensitive data as possible to use as leverage in their ransom demands.
We have identified several ransomware trends that are likely to cause headaches for IT security leaders this year:
- Ransomware is evolving fast: Lockbit 2.0 emerged in 2022, but soon after patches to defend against it were released, Lockbit 3.0 appeared. Indeed, one-third of recently observed ransomware attacks targeting industrial organisations and infrastructures were tied to Lockbit 3.0. Other leading ransomware groups are following suit, quickly developing new strains that share commonalities with previously identified ransomware; examples include Black Basta (first spotted in April 2022) and BlackCat (first spotted in November 2021). These groups are likely to continue working hard to stay one step ahead of corporate defences.
- Ransomware is increasingly human-operated: It is estimated that one-third of ransomware attacks are now successful because of the presence of a human being behind the keyboard.
- We will see more double and even triple extortion: More and more ransomware attacks not only demand a ransom for a decryption key; they also threaten data leakage for double extortion. Anecdotal evidence also indicates that triple extortion is on the rise: if there is sensitive information about a business partner of the original victim, attackers target this third-party organisation to extort ransom.
2. Rapid cloud adoption will increase data security challenges
The COVID-19 pandemic has accelerated cloud adoption. More than half (54%) of workloads are expected to be in the cloud by the end of 2023, and 97% of mid-size organisations and enterprises will manage a hybrid environment by the end of 2025.
What’s more, there has been a 75% increase in multi-cloud customers since 2017. This shift is driven by many factors, from mergers and acquisitions to the desire to use best-of-breed products and avoid vendor lock-in. But the resulting increase in complexity presents significant business and data security challenges, with additional resources required to handle the more complicated compliance, data classification, auditing and reporting, and privacy concerns.
Ultimately, organisations must remember that responsibility for data security lies with them, not their cloud providers. To ensure that their cloud adoption is fit for the hybrid working era, they need a robust data classification process, a just-in-time approach to privileged access (in which access is granted only when it is needed and only for as long as it is needed), secure configurations, and active monitoring of changes and user activity to ensure that threats are identified and stopped in real-time
3. Data privacy laws will grow in number and reach
2023 will see a host of US-based data privacy laws coming into effect, including the California Privacy Rights Act (CPRA), the Colorado Privacy Act (CPA) and the Virginia Consumer Data Protection Act (CDPA). These regulations mandate increased visibility and control over data.
IT leaders will also need to pay attention to the EU Cyber Resilience Act. Although it is expected to come into full force in 2026 at the earliest, it will begin influencing tech investment decisions and product roadmaps much sooner. In particular, industries with a long production cycle, like manufacturing, need significant time to find, test and implement solutions that will meet the new requirements. For example, manufacturers are required to undertake a cybersecurity risk assessment for any product that has digital elements, which can be a time-consuming task. In addition, the Act gives companies only 24 hours to report an actively exploited vulnerability in one of their digitalised products — another good reason to start implementing appropriate security measures to ensure compliance with the Act now.
Organisations are facing these data security challenges amid a tough economic outlook in 2023. With the stakes higher than ever, it is highly advisable to prioritise data discovery and classification, just-in-time privileged access, and attack path analysis. These elements will help organisations mitigate the risks posed by rapidly evolving threats like ransomware, ensure data security across their hybrid workforce even in multi-cloud environments, and achieve and maintain compliance with strict data privacy legislation.
Senior Vice President of Products