2020 showed all the ways that data security could go wrong. Ransomware took off, with one incident-response firm attributing more than half of all of its 2020 breach investigations to ransomware attacks. Data sprawl and cloud access to data have become significant threats, as many employees moved to remote work and expanded companies' potentially breachable attack surface area. And disinformation continued to spread with few barriers to the dissemination of inaccurate and incendiary content.
For data-security and privacy professionals, the lesson of 2020 is that data security is no longer just about the confidentiality of data, the 'C' in the CIA triad. Integrity and availability are increasingly under attack as well. Because of that, customers and citizens are paying more attention to privacy and data security issues, said Heidi Shey, principal analyst of security and risk at Forrester Research, a business intelligence firm.
"Consumers are increasingly values-based in deciding who they buy from. Companies' commitment to data security and privacy increasingly matters, and [data security and privacy] will be the foundation for meeting compliance, enabling ethical standards, and supporting data monetization."
—Heidi Shey
Here are five trends that data-security experts see ahead—and what your company can do to prepare.
1. More privacy laws mean more cost for data collection
In November, California voters approved updates to the California Consumer Privacy Act (CCPA). Those updates, called the California Privacy Rights and Enforcement Act (CPRA), clarify and strengthen the original law, which went into effect on January 1, 2020. The laws move California's privacy protections even closer to the European Union's General Data Protection Regulation (GDPR), according to an analysis by the International Association of Privacy Professionals (IAPP).
With more than two dozen states either passing legislation or considering bills to strengthen privacy, data-security and privacy professionals need to prepare their business for the efforts needed to satisfy these regulations, said Corey Nachreiner, chief technology officer at WatchGuard Technologies.
"Even if your company isn’t yet impacted by a strong consumer privacy law today, you should expect this type of legislation to start making its way across the country and throughout the world, and begin preparing for the steps you’d need to take to comply with a similar law."
—Corey Nachreiner
A key change will be a focus on the collection of information from smart devices and the Internet of Things—a recognition that the collection and integration of data from a variety of sources endangers privacy.
"We have more devices all over our homes and throughout the world that collect our voice, image, and personal information. As all this data is used against us, either by corporations that use it or sell it to others or by attackers that use it to fuel their attacks, consumers are getting fed up."
—Corey Nachreiner
2. Collecting less data makes more sense
Companies have historically defaulted to collecting and storing data as a way to future-proof the business. However, data breaches have shown that unprotected data can be a massive liability. With companies increasingly monitoring employees, especially with the increase in remote work following the pandemic, privacy is not just about consumers, but about employees.
In many cases, the best approach is to identify every process and application that collects customer and employee data, and question whether that information needs to be collected and retained, said Ali ElKortobi, structured data manager for software-security firm Micro Focus, which owns TechBeacon, an independent contributor network.
"From a cost perspective, it is a great exercise. You are going to reduce the amount of data you have, and when you reduce the amount of data that you have, you reduce the cost to manage, store, and secure that data."
—Ali ElKortobi
3. Privacy gets the CEO's ear
With a greater awareness of privacy issues, consumers are increasingly paying attention to the ethics of companies. The result is pressure on chief data officers (CDOs), data scientists, and marketing executives to pay more attention to how the company handles data. While privacy is necessary for meeting compliance and supporting data monetization, creating standards for the ethical use of data is also important, said Forrester's Shey.
"Consumer demand, innovation, and the pandemic are changing the way we work and igniting employers’ desire to collect, analyze, and share employee personal data. It’s an opportunity, but without the right safeguards, it becomes a trap, and we predict in 2021 regulatory and legal activity regarding employee privacy will double."
—Heidi Shey
The focus on privacy will also shift the way data security is managed. By the end of 2020, 40% of privacy leaders will report to the CEO, up from less than a quarter in 2019, said Shey. Companies need to show that they are trying, in good faith, to protect their customers' information, she added.
"A lot of times it starts with the stick, but it grows from there and becomes a carrot. At first, you do the compliance bit because you have to—that is the floor; it is not the ceiling. As companies get more mature with what they are doing with their privacy programs, it gets to the point where they are starting to think of things like the ethical use of data."
—Heidi Shey
4. Ransomware's rise makes data availability increasingly important
While most data security strategy has focused on maintaining the confidentiality of data, increasingly integrity and availability—the two other points of the CIA triad—are at the heart of data security. Ransomware is a key reason for that focus, says Micro Focus's ElKortobi.
"In many cases, data security has not really been about the data—it was about intrusion. Yet intrusions are hard to prevent. The reality is that no matter what you do, you will have smarter people that get to the data."
—Ali ElKortobi
In its 2020 Cyber Front Lines report, cybersecurity services firm CrowdStrike found that 81 percent of the almost two-thirds of financially motivated breaches the company investigated either resulted in ransomware—or a precursor to ransomware—being deployed. While attacks on local government and school districts have garnered a great deal of media coverage, the media and entertainment industry appears to have been the top target, followed by the information-technology industry and the energy, gas, and utilities industry, according to Sophos's 2020 State of Ransomware report.
Companies need to better focus on detecting intrusions before they result in important data being destroyed or stolen, ElKortobi said.
5. Disinformation becomes a greater data threat
2020 may forever be known as the Year of Disinformation. With the coronavirus pandemic raging, false information spread not only through social networks but from the highest levels of the US government.
The success of these disinformation campaigns and the visible rise of disinformation mean that companies must be aware of the threat. Attackers will increasingly incorporate disinformation attacks into their tool sets and use them for specific functions, said Stephen Ritter, chief technology officer of identity technology firm Mitek.
"To counteract this misinformation and build trust with customers, businesses will need to develop clear communications guidelines when sharing or correcting information and provide more visibility into their practices."
—Stephen Ritter
Resilience is the way forward
In the past, data security has focused on keeping data confidential: protecting consumer information from leaking in data breaches and securing intellectual property from theft. However, 2020 has reinforced that data security needs to also focus on the integrity and availability of data, especially in the face of rising disinformation and the rising frequency of ransomware attacks.
To combat those trends, data-security professionals must focus on all three legs of the traditional CIA triad. All three are key to increasing cyber resilience (the ability to adapt to increasingly damaging data breaches and increasingly global privacy regulations), an increasingly necessary attribute for companies to develop as part of their digital transformation in 2021.