Top 15 Private Data Exposure Risks for 2023
Digital Transformation Exposes Private Data
The push to embrace digital transformation continues to expose organizations to significant security and compliance risks. To place guardrails around digital transformation initiatives, governments and international standards organizations have passed various regulations to protect data privacy. Businesses, in turn, are feeling the pressure to comply. A study conducted by PwC earlier this year found that data protection and privacy regulations weigh more heavily on executives’ minds than any other issue resulting from their adoption of digital transformation. Indeed, the same study pinpointed compliance and regulatory risk and cyber risk (tied at 35%) as their top risk concern over various other risk-related issues.
Data sprawl is a key driver behind executives’ concern about compliance and regulatory risk. The sheer volume of data continues to skyrocket and is connected to data-driven business models that are present across virtually every industry and every departmental function. Data, and more importantly private content data, was traditionally stored on-premises and shared through manual processes. Today, private content has migrated to the cloud, making it more accessible and easily shared from any device or location. As a result, private content is also unfortunately more susceptible to unauthorized access, malicious or accidental, than ever.
Data Privacy Security and Compliance Risks
Data privacy exposure risks are prompting an evolution in regulatory compliance and cybersecurity. Governments are responding to these risks by regulating how organizations send, share, receive, and store private data. Organizations, in response, are turning to technologies to streamline and automate governance of security and compliance.
As organizations reevaluate and evolve their cybersecurity risk management strategies and programs for this coming year, our team put together the 2023 Forecast on Managing Sensitive Content Exposure Risks Report. We speak to thousands of organizations each year, and we compiled from those discussions different prediction areas that IT, security, risk, and compliance leaders can leverage to identify gaps and priorities in their data privacy exposure risk. The following is a short overview of the risks and forecasts highlighted in the report.
Growth in Sensitive Content Communications
The amount of private data being sent and shared continues to grow exponentially. The file sharing market is expected to increase at a compound annual growth rate (CAGR) of 28.1% through 2027, while the managed file transfer (MFT) market is projected to expand even faster during the same time frame at a 28.3% CAGR. We will also continue to see more email volume—with a 12% anticipated expansion between 2020 and 2023, despite increased adoption in instant messaging and collaboration platforms.
As more private data is exchanged—both inside organizations and with third parties—more of that data will be intercepted and compromised. Interception is just one risk factor. How the private data is received and stored are other risk areas. As a result, organizations require a sensitive content communications platform that uses an in-depth security approach, employing layers of security to protect private information from malicious cybercriminals and rogue nation-states. This includes the ability to retract sent emails and shared content that is accidentally delivered to the wrong recipient.
These risk factors can be split into two forecast areas for 2023:
- Sensitive data-sharing, while risky, is a business requirement
- Insecure emailing of sensitive content remains a significant risk
Risk of Cyberattacks Ratchets Up
The objective of many cyberattacks is to acquire private content, sensitive information that includes personally identifiable information (PII) and protected health information (PHI), intellectual property (IP), financial documents, legal counsel, and manufacturing schedules. Cyberattackers who steal this private content can monetize it in several ways—hold it for ransom, use it for extortion, sell it on the dark web, or offer it to competitors. The businesses that suffer private data exposure face public humiliation and brand erosion.
Our Forecast Report identifies four different areas for 2023:
- Multitenant cloud hosting provides cyberattackers with fertile ground. For a few thousand dollars, bad actors can acquire a cloud instance from Microsoft and other software providers. Then, in a sandbox environment, they can pinpoint vulnerabilities and develop complex exploits used to intercept sensitive content as it moves across the software supply chain. In response, use of single-tenant hosting solutions, such as those with FedRAMP Authorization, with dedicated servers isolated from other tenants will be an increased focus in 2023.
- Third parties in the supply chain increase risk. According to our research, organizations have thousands of third-party suppliers, contractors, legal counsel, and other external entities accessing, sending, sharing, receiving, and storing private content. Most organizations have been slow to adopt risk management practices to protect private information that is sent and shared with third parties. Budget-sensitive organizations will increasingly look to supply chain partners in 2023, despite the inherent risk.
- Axis of rogue nation-states continues to expand. Due to the Russia-Ukraine war and other factors this past year, we’ve heard a lot about cyberattacks from rogue nation-states. Recent research from Mandiant predicts an upward trajectory of attacks on critical infrastructure will remain a problem in 2023, and the majority of attacks will come from an axis of rogue nation-states—North Korea, Russia, China, and Iran. Private content is a prime target for them, and organizations must remain diligent in protecting it.
- Cyberattackers get more sophisticated—and more dangerous. Cybercrime is now a multibillion-dollar industry. Well-funded criminal organizations and rogue nation-states employ advanced technologies like artificial intelligence (AI) and machine learning (ML) to obfuscate their presence for months or even years and cover their tracks after stealing terabytes of sensitive content.
Cybersecurity Risk Management Evolves to Address Private Data Exposure Risks
Organizations are evolving their cybersecurity risk management strategies to meet technological, monetary, and process advances by cyberattackers. We’ve seen this with the U.S. federal government with new standards and mandates like the White House’s Executive Order 14028 and subsequent memorandums on zero trust and Cybersecurity Maturity Model Certification (CMMC) for Department of Defense (DoD) suppliers.
Our 2023 Forecast Report identifies six cybersecurity areas organizations will embrace to govern sensitive content in 2023:
- Content-defined zero trust and the private content network. Most organizations have adopted zero trust for their network perimeter and even identity and access management. As noted above, content is the target of many cyberattacks, and organizations are waking up to the fact that the same zero-trust principles must be applied to content. This gives rise to the private content network, a dedicated platform that secures digital communications of sensitive content using content-policy zero trust.
- Least-privilege access and authentication. 11% of initial infection vectors are the result of stolen credentials, according to the latest M-Trends Report from Mandiant. In response, many organizations employ multifactor authentication to counter credential theft for network and application access. This must be extended to content access as well.
- More businesses will choose sole ownership of their encryption keys. Many end-customers only co-manage their encryption keys, which allows law enforcement and security agencies, lawyers, and other entities to bypass the end-customer and subpoena cloud providers for their encryption keys. In response, organizations will seek vendors that offer sole ownership of encryption keys—ensuring that only the end-customer can access their data.
- Mitigating vulnerabilities in third-party libraries and software. The number of Common Vulnerabilities and Exposures (CVE) published in 2022 is already 35% higher than the number published in 2021. As a significant amount of software consists of open source, organizations must constantly assess their software supply chain. Organizations will therefore look for solution providers that use security hardening and multiple layers of security to reduce the CVSS severity levels of open-source vulnerabilities.
- AI becomes more widely adopted to detect anomalies in data shares and transfers. AI holds almost endless potential across the cybersecurity landscape, including advanced detection and protection of sensitive content. Organizations can use AI capabilities within sensitive content communications and security operations center (SOC) tools to detect anomalous behavior related to private content (e.g., spikes in access, sends, shares, etc.) and send real-time alerts to security teams.
- Organizations will focus more resources on security hardening and integrating security investments. IT, security, risk, and compliance teams operate more effectively and efficiently when they can consolidate threat intelligence and compliance data into a single view. Organizations dramatically diminish cyber risk when they can embed antivirus capabilities, content disarm and reconstruction (CDR), data loss prevention (DLP), and advanced threat protection (ATP) into the platform or tools used to manage sensitive content communications.
Regulating the Digital Exchange of Private Data
Governance is now seen as a fundamental underpinning of risk management. Organizations must have the right tracking and controls in place to protect private content from cyber threats and to demonstrate compliance with a growing list of regulations and standards. The following three forecast areas close out our list for 2023:
- Keeping pace with new and expanded data privacy regulations. At last count, more than 80 countries around the world have some form of a data privacy law in place. The Health Insurance Portability and Accountability Act (HIPAA) regulates data privacy as it relates to PHI. FISMA, GLBA, PCI DSS (Payment Card Industry Data Security Standard), among others, stipulate the protection of financial information and PII. The EU’s GDPR was one of the first to regulate data privacy at a regional level. In the U.S., the CCPA (California Consumer Privacy Act) was the first legislation to do so. Four additional states have passed similar legislation that will go into effect in 2023. As a result of these and other data privacy laws, organizations must seek out solutions that have comprehensive security controls as well as compliance tracking and reporting capabilities.
- Geofencing of private data exchange will increase. Private data shared within specific jurisdictions and between jurisdictions must be protected and governed. Geofencing must be employed to prevent unauthorized sending and sharing of private content such as PII and PHI between jurisdictions. This includes blocking sends, shares, and receives and the use of data sovereignty controls that constrain individual files and folders to storage in the data owner’s home country.
- Adoption of best practice cybersecurity controls and frameworks. The influence of cybersecurity frameworks like ISO 27001, NIST CSF, and SOC 2 will continue to expand in scope, and their adoption will follow commensurately. As organizations assess the risk of sensitive content exposure, they will increasingly turn to cybersecurity frameworks to do so.
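The geofencing and data sovereignty controls described above, as an added example that is not Kiteworks code: a policy check that blocks sends, shares, and receives of private content outside the jurisdictions a policy permits and refuses to act on sovereign content (here PHI) that is not stored in the owner's home country. The jurisdiction codes, classifications, policy shape, and sample requests are constructed for illustration.

```python
# Added example (not Kiteworks code): geofence + data-sovereignty decision
# for one send/share/receive of a content item. All codes and samples are
# constructed.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ContentItem:
    path: str
    classification: str      # e.g. "PII", "PHI", "public"
    home_jurisdiction: str   # country of the data owner
    stored_in: str           # country of the storage node holding the item

@dataclass
class GeofencePolicy:
    # classification -> jurisdictions a counterparty may be in ("*" = any);
    # the owner's home jurisdiction is always permitted
    allowed: dict = field(default_factory=dict)
    # classifications that must remain stored in the owner's home country
    sovereign: set = field(default_factory=set)

def evaluate(policy, item, action, counterparty):
    """Decide one send/share/receive; returns (allowed, reason)."""
    if action not in ("send", "share", "receive"):
        return False, f"unsupported action {action!r}"
    # Data sovereignty: sovereign classes may only be exchanged from home storage.
    if item.classification in policy.sovereign and item.stored_in != item.home_jurisdiction:
        return False, (f"{item.path} is stored in {item.stored_in} but "
                       f"{item.classification} must stay in {item.home_jurisdiction}")
    # Geofence: the counterparty must sit in a permitted jurisdiction.
    permitted = set(policy.allowed.get(item.classification, ())) | {item.home_jurisdiction}
    if "*" not in permitted and counterparty not in permitted:
        return False, f"{action} of {item.classification} with {counterparty} blocked by geofence"
    return True, "allowed"

def audit(policy, requests):
    """Evaluate a batch of (item, action, counterparty); return the blocked ones."""
    blocked = []
    for item, action, counterparty in requests:
        ok, reason = evaluate(policy, item, action, counterparty)
        if not ok:
            blocked.append((item.path, action, reason))
    return blocked

POLICY = GeofencePolicy(allowed={"PII": {"CA"}, "public": {"*"}}, sovereign={"PHI"})
REQUESTS = [  # constructed sample traffic
    (ContentItem("hr/payroll.csv", "PII", "US", "US"), "share", "CA"),
    (ContentItem("hr/payroll.csv", "PII", "US", "US"), "send", "DE"),
    (ContentItem("clinic/records.zip", "PHI", "US", "DE"), "receive", "US"),
    (ContentItem("clinic/records.zip", "PHI", "US", "US"), "receive", "US"),
    (ContentItem("marketing/brochure.pdf", "public", "US", "US"), "send", "JP"),
]

if __name__ == "__main__":
    for path, action, reason in audit(POLICY, REQUESTS):
        print(f"BLOCKED {action} {path}: {reason}")
```

Running the block reports the German send of PII and the receive of PHI from a non-home storage node as blocked; the other three requests pass.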
Mitigating the Risks of Sensitive Content Exposure With Kiteworks
The risk posed by cybercrime and compliance regulations has never been greater. Rapid maturation of data analytics and science and proliferation of supply chains are pushing the sharing and transfer of data to the forefront of many digital transformation initiatives. These are business-critical undertakings that provide competitive advantages—from gains in operational efficiency to revenue-growth opportunities.
But with most cyberattacks focused on intercepting private data, followed in turn by governmental and industry entities regulating how organizations protect that private data, the risk will continue to grow. We believe that a content-defined zero trust approach that employs content policies across sensitive content communications in the form of a private content network (PCN) is the answer to these challenges. Kiteworks PCN unifies your sensitive content communications into one platform to keep that content private while enabling you to demonstrate compliance through robust tracking and controls.
Check out our full 2023 Forecast Report, attend our webinar panel discussion featuring three superstar guests, and more by checking out our 2023 Forecast Report webpage.