What needs to change to overcome nonchalant security approaches

There are some 5.35 billion internet users worldwide. Every move made online results in data creation, whether that’s replying to an email, clicking through links, or sharing a post on LinkedIn. Every digital step you take leaves a trail of data to follow.

For businesses, data is the currency of the digital world. It helps to drives insights, make decisions and is one of the most valuable organizational assets. However, as more data is created and stored, the potential attack surface grows.

In today’s threat landscape, cybercriminals are using every tool in their arsenal to gain access to unstructured business data. And as technology like GenAI bleeds into the mainstream, cyber-attacks are growing in sophistication as criminals look to leverage this technology for their own malicious intent – meaning the business risk increases.

Attacks like we saw on Capita last year highlight that data access governance is proving difficult for organizations across various industries. With organizations struggling to keep pace in today’s growing threat landscape, let’s explore how businesses can better safeguard, manage and secure their data.

Unwinding the web of access management

Nearly half of enterprise workforces today comprise a variety of non-employee identities. That means in addition to full-time and part-time employees, there are many individuals external to an organization that are operating within it - for example third-party contractors, freelancers or temporary workers, who are all frequently tapping in and out of organizational networks. All of these identities will have different access requirements, which is challenging to keep track of - particularly if organizations lack oversight on who can access what data, when and why.

This is made more complicated by the rapid growth of unstructured data. Information contained within spreadsheets, email files, video and audio formats means organizations can lack visibility into where the data lives, not to mention who owns it.

This is leading organizations to over-provision access – granting too much access beyond what roles and responsibilities should allow. In fact, our research found 72% of businesses have inappropriately granted access to sensitive data, citing challenges including unprecedented growth in the amount of unstructured data, difficulty knowing where unstructured data resides, challenges with appropriate governance, and lack of automation.

With more user access points, this creates a bigger attack vector for cyber criminals, increasing the possibility of being breached. In fact, 78% of the businesses surveyed reported that a security issue has resulted from improper access.

Without visibility over who has access to what, and when, hackers could be operating unnoticed. This underpins a clear disconnect between most organization's security goals and the reality of securing critical data and information. When you consider that the average breach in 2023 was only identified after 204 days, the potential for hackers to infiltrate and steal critical data and information on an ongoing basis is huge.

The cost of a breach

The average cost of a data breach globally reached an all-time high last year, skyrocketing to $4.45 million. Yet the implications go beyond financial loss. Our research found one-third of respondents cited reputational damage occurring as a result of providing inappropriate access to critical data. Not to mention the operational downtime, customer loss, and system restoration that can also follow on from a data breach.

To help prevent attacks, organizations need to get on the front foot with protecting their data - not wait to be led by government regulation or red tape. Ahead of regulation like NIS2 later this year, UK companies are making headway, putting the correct processes in place to secure their data. However, three-quarters still need to complete preparations to better protect themselves and their customers.

Preparation is key

To prepare for potential attacks, organizations need to put policies and procedures in place for risk analysis to assess the effectiveness of cybersecurity risk management measures. Some examples of this include ensuring access is disabled when employees or contractors stops working for you, and avoiding using ‘generic’ accounts (accounts that are not tied to a named individual). Organizations should also put approval and risk analysis processes in place when granting access to critical applications, to prevent situations that could lead to fraud or data leakage.

Through a unified, AI-enabled approach to identity security, organizations can ensure that staff have only as much access as is required to perform their assigned roles and responsibilities – no more, no less. Using AI also speeds and streamlines identity decisions, something crucial given the pace at which businesses - and cyber threats - are evolving. This enables identity teams to move faster and more effectively to spot and stop unnecessary, inappropriate, or potentially compromised access.

Safeguarding data is business critical. With the threat landscape growing by the day, and the UK’s National Cyber Security Centre warning that malicious AI use will drive the threat landscape in 2024, businesses must take action to protect their data – and they must do it fast.

The stakes have never been higher, but with AI-driven tools and technology, organizations can gain better visibility and insight into the specific risks associated with user access. This can have a significant impact on how organizations manage, control, and secure all types of identity – helping to safeguard data in the face of attack.

We've featured the best identity management software.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro