
Three Persistent Data Security Challenges Organizations Need To Address Now

By Dilki Rathnayake. August 28, 2023. Updated: May 2, 2025.

When it comes to cybersecurity, bad actors never stand still. As a result, neither can today’s security professionals, technology providers and data privacy legislators. Indeed, an attacker now needs just 102 minutes to begin to move laterally once they have compromised a single device. This puts organizations under the gun to not only identify threats but respond at record speeds to avoid security incidents and ensure compliance with stringent regulations.  

This article explores three of the top data security challenges that organizations face today and offers advice for mitigating security and compliance risks.

Ransomware

Ransomware continues to be a pressing threat to data security and data privacy for public and private organizations alike. Ransomware threat actors look to gain an initial foothold in a network, commonly via a vulnerable internet-facing system or weak application settings. Then they set out to hijack legitimate user credentials and move laterally across the network. Their goal is to compromise additional accounts and tools in order to encrypt as much sensitive data as possible to use as leverage in their ransom demands. 

The following ransomware trends present a high risk today: 

·   Ransomware is evolving fast — LockBit 2.0 emerged in 2022, but soon after patches to defend against it were released, LockBit 3.0 appeared. Other ransomware groups are quickly developing new strains that share commonalities with previously identified ransomware; examples include Black Basta and BlackCat. Ransomware actors are likely to continue working hard to stay one step ahead of corporate defenses.

·   Ransomware is increasingly human-operated — It’s estimated that one third of ransomware attacks are now successful because of the presence of a human being behind the keyboard. 

·   Ransomware risk is compounding with double and even triple extortion — More and more ransomware attacks not only demand a ransom for a decryption key; they also threaten data leakage for double extortion. And anecdotal evidence indicates that triple extortion is on the rise: If an attacker obtains sensitive information of a victim’s business partner, they attempt to extort ransom from that company as well. 

The best way to address the threat of ransomware is to reduce the risk of an infection and ensure that you can respond to an attack before it kidnaps your data. Consider implementing a zero standing privilege approach to reduce the risk of privilege escalation, improve your ability to spot suspicious activity, and ensure you can promptly take action to shut down threats, for example, by deactivating the compromised account or ending the RDP session. 

Cloud data security

The COVID-19 pandemic accelerated cloud adoption. More than half (55%) of workloads are expected to be in the cloud by the beginning of 2024, and 97% of mid-size organizations and enterprises will manage a hybrid environment by the end of 2025. What’s more, there has been a 75% increase in multi-cloud customers since 2017. This shift is driven by many factors, from mergers and acquisitions to the desire to use best-of-breed products and avoid vendor lock-in. But the resulting increase in complexity presents significant business and data security challenges, with additional resources required to handle the more complicated compliance, data classification, auditing and reporting, and privacy concerns.

Ultimately, organizations must remember that responsibility for data security lies with them, not their cloud providers. To ensure that their cloud adoption is fit for the hybrid working era, they need a robust data classification process, a just-in-time approach to privileged access (in which access is granted only when it is needed and only for as long as it is needed), secure configurations, and active monitoring of changes and user activity to ensure that threats are identified and stopped in real time. 

More data privacy laws

In 2022, at least 35 states and the District of Columbia introduced or considered almost 200 consumer privacy bills in the US alone. This year we are seeing a host of U.S.-based data privacy laws coming into effect, including the California Privacy Rights Act (CPRA), the Colorado Privacy Act (CPA) and the Virginia Consumer Data Protection Act (CDPA). These regulations all mandate increased visibility and control over data.

Organizations operating in Europe will also need to pay attention to the EU Cyber Resilience Act. Although it is expected to come into full force in 2026 at the earliest, it will begin influencing tech investment decisions and product roadmaps much sooner. In particular, industries with a long production cycle, like manufacturing, need significant time to find, test and implement solutions that will meet the new requirements. For example, manufacturers are required to undertake a cybersecurity risk assessment for any product that has digital elements, which can be a time-consuming task. In addition, the act gives companies only 24 hours to report an actively exploited vulnerability in one of their digitalized products — another good reason to start implementing appropriate security measures to ensure compliance with the act now. 

Conclusion

Organizations are facing these data security challenges amid a tough economic outlook, but the stakes are higher than ever. It’s highly advisable to prioritize data discovery and classification and just-in-time privileged access, along with a zero standing privilege approach. These elements will help organizations mitigate the risks posed by rapidly evolving threats like ransomware, ensure data security across their hybrid workforce even in multi-cloud environments, and achieve and maintain compliance with strict data privacy legislation.

Dilki Rathnayake

Dilki Rathnayake is a cybersecurity content writer and the Managing Editor at Information Security Buzz, with a BSc in Cybersecurity and Digital Forensics. She is skilled in computer network security and Linux system administration. Dilki has also led awareness programs and volunteered for communities promoting best practices for online safety.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
