In the age of AI, data security does more than protect your information. It can determine how you run your business.
Now, more than ever, organizations rely on their data to make choices about product placement, new markets, consumer trends, investments, and more. Nowhere does the adage “put good in, get good out” apply more.
Yet we still see organizations that undervalue data security as the fundamental underpinning of all their AI models.
For the past decade, data security has increased in importance in both business and security conversations. In considering how we got here, we can understand why the industry is now rethinking data security, and what that looks like from a vendor perspective.
Where Businesses Place Their Value Has Changed – and So Has Cyber Extortion
Ransomware is the perfect example, traditionally focusing on encrypting systems and impacting the availability of systems. The premise is that for every hour you are locked out of your systems you are unable to operate, thus missing out on sales or other revenue. The ransom note would demand payment in return for the decryption keys, which would then allow the business to get back to work (and get back to making money).
As businesses adopted cyber resilience strategies to rapidly recover from attacks, and limited blast radiuses with Zero Trust approaches like network segmentation – the cost of not paying the ransom decreased – as did the incentive to pay up.
So, ransomware actors evolved, using their unauthorized access to find sensitive data and exfiltrate it. The contrast here is once data is exfiltrated, you can’t get it back. Running a disaster recovery process and restoring the data does not remove it from the attackers’ control and therefore the threat to your business, customers and partners is still present.
Today, it’s very rare to see an encryption payload in a ransomware attack, although the method has changed, the goal remains the same, extort the highest possible ransom for your troubles and move onto the next target.
The bottom line is losing data costs organizations money. Criminals are extorting business through their data, not through the availability of their systems. Now criminals threaten to sell sensitive data on the dark web and/or report the breaches to regulatory bodies, who tack their own hefty fines onto already steep ransomware payments and recovery costs.
The threat of failing an audit or not complying with emerging data security standards adds external pressure to businesses to secure sensitive data. Running afoul of these could mean losing licenses, consumer trust, and future contracts. In other words, more money.
The lever to pull for extortion used to be system availability, it has now shifted to data confidentiality. Instead of the systems themselves housing company value, it is what’s inside. Unfortunately, “inside” increasingly means “everywhere” when it comes to sensitive data.
The Data Everywhere Dilemma: Hybrid and Remote Environments
Data security runs up against a key challenge in today’s distributed workplace in the form of remote and hybrid environments.
An employee working from home can easily be targeted by an “IT administrator” looking to install necessary updates by requesting remote access to their machine. Nation-state threat actors pose as job candidates and even land real remote positions in the US (and elsewhere). Often, companies don’t discover that those employees were secretly siphoning data until it’s too late.
To accommodate these relatively new working conditions, businesses rely increasingly on tools like Office 365 and Google Suite, public and private clouds, and countless workplace management platforms, SaaS environments, and third-party apps. This makes it difficult for companies to get a handle on what data they have, where it is, and where it’s critical.
Add AI models to the mix, and the problem becomes exponentially more complex. It also raises the stakes, as the data ingested into those models directly drives decisions.
The AI Impact of Data Security and Data Quality
There is no data integrity or confidentiality without data security, and the quality of your AI conclusions depends entirely on the quality of the information you put in. This is why data security is at the core of future success for today’s organizations.
AI runs purely on the quality of data it has. If you throw all your data into a data lake and tell your AI models, “Go train on that,” you get a certain result, but not likely the one you want. What if that data unknowingly included sensitive information? Or spoofed webpages or code repos that held backdoors masquerading as legitimate code? Much of the risk within generative AI is within the data.
Using the two examples, unknown sensitive information in the data sets could be leaked in response to a prompt, or the suggested code makes it into production where an attacker will walk through the open door they included for themselves. That is why figuring out how to secure data in complex, distributed environments is as much a business imperative as a security one.
Simplifying Security in Response to Complex AI Challenges
Though AI is still very new, securing it still comes down to what we might see as common data protection solutions.
Data Security Posture Management (DSPM), for example, understands and evaluates risk within so you can match the risk to your risk appetite with mitigating controls, whether the data is used to train AI or for another use case. Meanwhile, access and policy controls like Identity and Access Management (IAM), Data Loss Prevention (DLP), Cloud Access Security Broker (CASB), and Digital Rights Management (DRM) are all examples of mitigations or policies you can put in place to control the risk within your data as part of an effective data protection platform.
While the solutions are straightforward, businesses are struggling to get the most out of them and realize their collective potential.
Fortra brings these powerful tools together so that customers can gain control over their data without having to learn ten different consoles in the process. As effective as they are individually, a comprehensive data protection strategy that spans the cloud, on-premises, AI, and any hybrid and remote environments requires more than one good solution.
Our objective as a vendor is to get these solutions to work synergistically, playing to their strengths and ultimately working as one, because that’s where we ultimately see the most success. As far as AI is concerned, insofar as it supports today’s businesses, a business is only as good as its data is safe. And that safety is only as good as its data security approach.
