Data protection requires administrative and operational controls; technical controls, such as access management, authorization and encryption; and physical controls that protect the computing hardware and work environments.
Many organizations focus on technical controls and protections, said Rebecca Herold, founder and CEO of consultancy Rebecca Herold & Associates, but they’re not addressing the administrative protections, such as documented policies and procedures to make employees aware, or sufficiently monitoring the physical aspects. “So, it is just piling into the ongoing breaches that you read about every day in many industries around the world,” she added.
Everyone rightly focuses on the regulated data, including personal, cardholder and healthcare information. But there’s a lot more that needs attention. “It’s expanded,” said Heidi Shey, analyst at Forrester Research. “It’s not just the source code that people have historically been worried about or secret formulas.”
Data protection challenges mount
New data protection challenges can involve IoT sensor data collection, algorithms, APIs, and machine learning and AI models that companies have developed. “Many times, consumer IoT devices such as smart cameras and smart vehicles are being used to support the business,” Herold explained. “And there is data that is shared that is collected by those products that usually the business isn’t even aware of.”
With the potential for financial loss, reputational harm and penalties for noncompliance with data privacy protection regulations, security leaders need to track the location and ownership of the company’s data at rest, in transit and in use, and understand the associated security risks. That includes whether the data is encrypted and at what sensitivity level it is classified, the potential impact on the business if the data is compromised, and the dependencies between the data and other applications.
Globally, the 35 highest data privacy violation fines in 2023 totaled $2.6 billion, according to Forrester. The EU issued 19 of those fines