Data security today: key trends and enterprise challenges
Data is everywhere, complex and growing, leading to increased security risks. The number of data breaches in the U.S. tripled in 2023 from the previous year to 96.7 million breached accounts. Securing information, especially sensitive data, is paramount for businesses in today’s quickly evolving data environment. At the same time, as organizations work to get their data practices in order, to feed AI models for example, they are finding data security to be a hindrance. IT professionals say ensuring data security is the most difficult part of their data management strategy, according to an IBM study.
A strategic focus on securing data and identifying its risks and challenges in today’s complex data environment can help enterprises safeguard their data and move forward in implementing innovations such as AI. When done right, data security isn’t a tax on innovation, it’s a catalyst that can make data even more valuable when there’s trust that strong safeguards are in place.
Key trends and challenges in data security
Data today originates from many sources and accumulates at unprecedented speeds and volumes, increasing the potential for data security threats as there is more data to manage and protect. Data also resides in multiple environments, making it increasingly difficult to monitor and track. And with AI models requiring large datasets to train and analyze, organizations must increasingly navigate a complex threat environment. Next, we explore the key trends and challenges in data security impacting enterprises today.
Proliferation of data
The sheer volume of data that is generated, stored and processed in today’s business environment makes tracking and securing data a major challenge for enterprises. The amount of data created has grown every year since 2010 and last year reached 149 zettabytes. A 300% increase is expected in 2025 compared to 2019. One estimate says 90% of the world’s data have been created in the last two years alone. Driving the boom in data generation are factors like greater computing power, cloud computing and scalable storage, connected devices (Internet of Things) and generative AI.
Large amounts of data are more difficult to monitor and keep safe, especially when a company’s data resides in multiple places across on-premises, public cloud and private cloud environments. Due to the complexity of implementing security measures across large datasets, enterprises can find themselves vulnerable to data security threats related to failures in managing user access, lack of data visibility and larger potential attack surfaces. One in three data breaches involves shadow data, or data that exists outside the knowledge or control of the organization, according to a recent IBM study. The same research found that 40% of data breaches include data across multiple environments. Strong security in one environment may not translate to another.
As an organization grows and scales its data, the right tools and data management strategies need to be in place to protect and control access to data. As data volumes grow, organizations face challenges like:
- Storing and managing data safely and effectively: Enterprises need to know where their data lives and store it safely, but the proliferation of data into environments like the public cloud obscures its location.
- Ensuring visibility and governance over all data: Without a view into their data, businesses have a hard time knowing whether their data is sensitive, structured or unstructured. Furthermore, having the right controls in place is important to make sure only the right people get access to raw data.
- Securing data without compromising business speed and performance: As data volumes grow, securing larger datasets becomes more complex with data stored in different places. Additionally, data protection measures may be computationally heavy and slow down performance.
Growth of AI
With enthusiasm high around AI for business use cases, more than half (53%) of IT professionals have sped up their rollout of AI in the last two years, according to IBM. Companies are identifying areas of business gains from AI such as improving customer experiences and greater efficiency in operational processes. As organizations rapidly move to adopt AI into their practices, a lack of protection against data breaches can undermine efforts to move forward and benefit from AI.
Massive datasets are necessary to train and improve the accuracy of the AI models behind generative AI like large language models. With AI relying on so much data, these large datasets can contain sensitive information such as personally identifiable information (PII) that can be accessed by hackers. When it comes to AI, security challenges for businesses include the unintentional entering of confidential information into prompts, lack of visibility into the sensitivity of data due to the black-box nature of AI models, and the inability to enact privacy policies if using externally hosted AI. There are also the threats of model theft and data poisoning, in which biased or inaccurate information is entered into an AI’s training data for malicious purposes. This type of attack can be quite damaging since the success of generative AI initiatives hinges on trustworthy and reliable data.
Enterprises can mitigate these risks through clearly defined policies around who is authorized to work with AI models and ensuring the validity and cleanliness of data before it is used for training purposes.
At the other end of the data security landscape, AI has also opened the door to new or more sophisticated attacks, becoming a powerful tool for cyber criminals. Attackers are increasingly using gen AI to carry out social engineering, such as phishing email attacks in which LLMs like ChatGPT are used to quickly generate well-written and convincing messages that otherwise may have contained telltale spelling or grammar mistakes. Using deep fakes, which are AI-manipulated images, videos or audio, cybercriminals can impersonate people in authority or someone trustworthy to get individuals to disclose sensitive information.
Reliance on third-party software vendors
Businesses are more connected than ever before, relying on a diversity of software and vendor services. From cloud services to SaaS providers and contractors, third-party vendors and suppliers are crucial in today’s business environment to meet a large variety of enterprise needs and support companies in their business goals. Many also need to access a company’s sensitive and proprietary information as part of their services. These include customer data, financial records and intellectual property. As a result, these third-party relationships can become vulnerabilities to be exploited by bad actors looking to gain entrance to larger companies’ systems.
While companies increase security to prevent unwanted entry into their own systems, criminals are gaining entrance through cracks in third-party partners’ systems or software. A 2022 study found that 98% of organizations have relationships with a third-party vendor that has experienced a breach in the last two to three years. Data breaches may occur if vendors are not properly securing their systems. Supply chain attacks, which target a supplier’s software, hardware or infrastructure, often claim multiple victims and make way for data breaches (e.g., the SolarWinds attack that began with malicious code in a routine software update).
Organizations need to manage data security risks across their supply chain, not only in their own systems. Companies should routinely evaluate third-party vendors for their security policies and compliance with data protection regulations. Additionally, tokenization can help with this problem by replacing sensitive data with tokens that have no value. In this way, tokenization devalues the data to a bad actor, protecting sensitive data even if third-party systems are breached.
Regulation
The increasing influx of data protection regulations is driving the need for companies to establish robust data security measures. These laws mandate strict rules on how organizations collect, store, process, analyze, and delete data. Businesses must implement effective security measures that protect personal information from unauthorized access or breaches.
Traditional strategies, such as encryption and access controls, while important, may not fully mitigate the risks associated with sensitive data. Implementing data protection measures like tokenization can significantly lower the costs associated with adhering to data protection regulations by minimizing the footprint of sensitive data.
Moving forward: strategies to strengthen data security
As companies move forward with adopting important advances like AI in a quickly shifting security landscape, organizations can strengthen their data security with the right strategies.
Continuous monitoring and proactive response
Detecting and monitoring security threats as they happen can help enterprises act before potential breaches cause major damage. Monitoring can include real-time threat detection using a Security Information and Event Management (SIEM) tool, which gathers data from multiple sources and uses AI to automate and address threat detection before the disruption of business. Proactive response strategies help businesses prevent security incidents before they occur, such as regularly updating software and systems with patches that address vulnerabilities before they are found. Training and educating employees on risks like email phishing and poor cybersecurity practices related to human errors are also examples of a proactive response strategy.
Shared accountability and cross-functional strategy
Security and risk leaders struggle to balance strong data security with business objectives. Only 14% of such leaders are successful in maintaining this balance to enable their organization effectively and securely. But to enable AI and other data-based objectives, security and risk professionals must work cross-functionally across the business with shared accountability for success, such as working with the data and analytics team on data security initiatives.
Tokenization and other security options
Enterprises should employ a combination of the data protection techniques available to them, including masking, encryption and tokenization. Masking involves hiding parts of the data while maintaining usability, such as displaying only the last four digits of a phone number. Encryption converts data into an unreadable format using an algorithm, and the encryption can be reversed using a key. Tokenization, on the other hand, replaces sensitive data with a randomly generated token with no exploitable value. Tokenization is a popular method of enterprise protection at the data level because it can significantly reduce the impact of a breach. Stolen tokens have no inherent value and are not vulnerable to decryption. Tokenization preserves the usability of data since tokens can still be processed within a system and across applications.
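The masking and tokenization techniques described above, as an added example that is not from the original article or any vendor product: a copy of customer records prepared for a third party carries tokens and masked phone numbers only, while the mapping back stays in a vault. The `TokenVault` class, `export_for_vendor` helper, `caller_authorized` flag and sample records are all hypothetical and constructed for illustration.

```python
import secrets

class TokenVault:
    """In-memory stand-in for a token vault (hypothetical, for illustration)."""
    def __init__(self):
        self._by_value = {}   # sensitive value -> token
        self._by_token = {}   # token -> sensitive value

    def tokenize(self, value):
        # The same value always gets the same token, so downstream systems
        # can still join and count on the column without seeing the value.
        if value not in self._by_value:
            token = "tok_" + secrets.token_hex(16)  # random, not derived from value
            self._by_value[value] = token
            self._by_token[token] = value
        return self._by_value[value]

    def detokenize(self, token, caller_authorized):
        # The vault lookup is the only way back; there is no key to steal.
        if not caller_authorized:
            raise PermissionError("caller may not detokenize")
        return self._by_token[token]

def mask_phone(phone, visible=4):
    """Hide all but the last `visible` digits, keeping separators."""
    total = sum(c.isdigit() for c in phone)
    out, seen = [], 0
    for c in phone:
        if c.isdigit():
            seen += 1
            out.append(c if seen > total - visible else "*")
        else:
            out.append(c)
    return "".join(out)

def export_for_vendor(records, vault):
    """Build the copy that leaves the organization: tokens and masks only."""
    return [{"customer": vault.tokenize(r["ssn"]),
             "phone": mask_phone(r["phone"]),
             "amount": r["amount"]} for r in records]

# Constructed sample records; the identifiers are not real.
RECORDS = [
    {"ssn": "000-00-0001", "phone": "555-010-1234", "amount": 40},
    {"ssn": "000-00-0002", "phone": "555-010-9876", "amount": 15},
    {"ssn": "000-00-0001", "phone": "555-010-1234", "amount": 25},
]
```

If the exported copy is breached, the attacker holds random strings and partial phone numbers; recovering the originals requires compromising the vault itself, which is where access control and monitoring should concentrate.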
In today’s evolving data environment, data security is not an option but an imperative for businesses looking to grow and scale. By combining awareness of current security threats and challenges with a proactive strategy, businesses can protect their sensitive data, reduce risks and support business continuity and growth.