By Lucia Milică Stacy, Global Resident CISO at Proofpoint
In our digital-first economy, data is the new currency—and it is growing in value for organizations, their customers and threat actors. The ongoing processes of the digitization and the commercialization of data are also receiving increased attention from regulators, who are pushing for more privacy protections.
In addition, a decentralized workforce is accelerating people-centric risks in 2023, making data protection much more difficult. In 2022, the global average total cost of a data breach reached an all-time high of $4.35 million, according to IBM Security’s Cost of a Data Breach Report. According to the report, remote work is partly responsible for rising costs. The report found a “strong correlation” between remote work and the cost of data breaches. Breaches, where remote work was a factor, cost $1 million more on average.
When looking at this from a local lens, our research shows that long term hybrid work has intensified the data protection challenge for CISOs in the UAE. With employees now forming the defensive perimeter wherever they work, 32% of Emirati CISOs agree that they have seen an increase in targeted attacks in the last 12 months. And more than 1 in 3 (37%) say that increases in employee transitions means that protecting data has become a greater challenge, with investment in information protection topping the list of priorities for the next two years. When asked how employees were most likely to cause a data breach, UAE CISOs named malicious insider as the most likely vector, where employees intentionally steal company information.
This points to a growing need for better data governance. In the UAE, for example, the Data Protection Law ensures that personal data is being collected and processed in a lawful and fair manner, while maintaining the right of individuals to be informed about how their data will be used. A robust data governance program must acknowledge this changing environment and consider its implications while answering core questions, such as: Where is your data stored? Is your data protected or regulated? How is that data used (who has access to it)? How is that data protected?
The biggest challenge for many organizations is understanding where all their data resides and how to get visibility across their entire ecosystem. Data retention is another area of struggle and regulatory tension, especially since every regulation has different requirements. Taking a phased, layered control approach to data governance will help you address these challenges and answer the core questions we are considering.
A layered approach enables you to advance from developing and defining your data governance program to maintaining and optimizing it. Discovery, the first phase in this approach, involves establishing the initial control. This is where you go through steps such as qualifying the laws and regulations that apply to your organization, defining your data protection strategy based on data lifecycles, identifying the highest-risk users, discovering your digital footprint, setting up global inventory, and indexing the data.
In the second phase (detection), you’re developing control capabilities by gaining context for all your user activity, intent, and access; identifying compromised accounts and phished users; and classifying sensitive or regulated data. You’re also taking steps to track incidents and collect and capture data from all your sources.
And finally, the last phase (enforcement) is about growing full control capabilities, such as removing data from untrusted locations, providing a secure and compliant third-party exchange, enforcing data boundary protections, implementing full compliance supervision, and so forth.
By breaking down all the big questions into smaller, actionable steps, you’re creating a programmatic approach that helps you protect data based on your highest risks and gives you the best return on investment. It’s important to continuously assess the effectiveness of your program and optimize it. Your environment is dynamic and threat tactics change constantly.
Although the enterprise landscape changes rapidly, people stay at the core of data protection. Encouragingly, organizational cyber preparedness has greatly improved in the UAE. Increasing familiarity with the post-pandemic work environment has left CISOs feeling better equipped to deal with cyber threats. Proofpoint’s 2022 Voice of the CISO report showed that while 72% of Emirati CISOs believed they were unprepared for a targeted attack in 2021, this fell to 47% in 2022.
It’s important to not get complacent as threat actors will continue finding creative ways to steal and monetize your data. Protecting data in a people-centric threat environment requires people-centric data governance controls. Creating a strong people-centric framework for your data governance program will better prepare you for whatever challenges come next—and in a better position to protect your most valuable currency.
