Cybersecurity Awareness Month – You Had Me With Data

Euphoria of Data

The amount of data created and consumed on a daily basis is mind boggling. One report I read from Edge Delta, said “In 2020, users generated 64.2 ZB (zettabytes) of data, which exceeded the number of detectable stars in the cosmos.” Let that sink in for a moment! If you are curious the global volume of data created, captured, copied, and consumed in 2024, was 149 ZB. That’s exceeding the number of detectable stars in the cosmos two times over and then some, if you are comparing to the 2020 analogy. 

Clearly the euphoria of data generation is high, yet…

Thankfully, we are seeing year over year increases in adoption rates of data management strategies within organizations. A big contributor to this growth is the increase in laws and regulatory compliance in the US and worldwide. The US currently has sixteen states with laws in effect, three more going into effect next year, and another five in legislation. 

In addition to data protection laws, we are also seeing a surge in AI governance bills across 40+ countries. In the US there are four states who have passed legislation with Colorado at the top having the most comprehensive law followed by California, Utah, and Texas. There are currently nine more states in active legislation. 

These state-by-state laws add complexity to data management and only escalate more for global organizations. Further compounding issues are the disperse areas in which data is stored: on-prem, cloud, SasS, device-direct-saved, etc. While this can be challenging, there is good news in that 85% of organizations with data classification policies report higher employee awareness of data security. This is a huge added benefit for organizations, as the key to risk management is everyone understanding their role of ownership. 

While there are many more features of data protection such as access control, encryption, retaining, sharing, etc. the fundamental piece is classifying your data. You must know the level of importance and location of all your sensitive and confidential data. 

New Impacts

AI not only has its expanding laws and regulations but also brings a tremendous amount of concern around the use, security of the data that it consumes or doesn’t consume and ensuring model integrity. Data security is a vital component to any organization’s expansion and development of AI. We highly encourage leveraging AI Frameworks such as NIST AI RMF or ISO 42001 to form governance controls with data security in practice. 

52% Of organizations believe data classification is essential for building effective data lakes and warehouses

90% Of data officers believe that data classification will be critical for future AI and machine learning initiatives

Could this all be for not? Gartner is predicting by 2029, “advances in quantum computing will make conventional asymmetric cryptography unsafe to use.” There by increasing data protection costs and causing organizations to delete significant amounts of personal data, rather than risk exposure. 

They highlight attackers will leverage “harvest now, decrypt later” way of thinking, expecting future decryption opportunities. Additionally, the prohibitive cost of postquantum cryptography could drive this alternative. There are still many years between now and 2029, so I wouldn’t quite take this as gospel, but certainly put in your back pocket as you start your quantum computing journey. 

Violation of Data 

Whether experiencing a breach, internal risk, or ransomware event they all can give the sentiment of violation. Organizations that have their data classified by sensitivity and value can significantly improve incident response to data breach incidents. 

Reducing Impact:

Data Protection

• Classify all data to ensure proper tag is applied for tracking and controlling all sensitive, confidential, and intellectual property.
• Know where any, and all protected data resides. 
• Group protected data as much as possible, with layering protections in place, i.e. segmented network, encryption, data sharing policies, limiting access with identity controls, and monitor/auditing of access, changes, sharing. 
• User education – ensure everyone knows their role in data protection.

GRC

Streamline audit and compliance with a GRC solution.

• Unified compliance view across various regulations.
• Align regulatory requirements with specific controls to identify gaps. 
• Define data protection polices to align with business objectives and legal requirements.
• Assign roles and responsibilities for data ownership, access control, and incident response. 

AI Protection

This table is an excellent reference created by, the National Cyber Security Centre. The AI System Lifecycle with key dimensions, necessary ongoing assessments, focus areas for data security, and particular data security risks are fully covered in the CSI publication. 

If you are interested in further information on any of these topics, please reach out to hello@sayers.com.