As the dust settles on another hectic 12 months, business and IT leaders should enjoy a well-earned break. But not for long. The end of one year offers a fantastic vantage point from which to view the macro trends that may go on to shape the next. With this in mind, these are the five things we’ve learned about cybersecurity in 2024.
1- AI is changing the game – for good and bad
AI is transforming the fortunes of companies across the globe, from retailers to financial services firms, helping them make better-informed business decisions and work more productively. But it’s also a boon for threat actors, supercharging efforts to steal data by improving and scaling phishing emails, enhancing the selection of targets and much more. AI and analytics tools are also an increasingly popular target for cybercriminals. The data on which they’re trained could be stolen, or poisoned to sabotage business processes. Organizations must ensure any AI projects are built on solid foundations, by securing this data as a starting point.
2- Breaches are threatening to spiral out of control
Unfortunately, thanks in part to the cybercrime uplift provided by AI and automation, data breaches are having a more deleterious impact on organizations than ever. The latest estimates claim that over a billion individuals were impacted by corporate data breaches in Q2 2024, a 1,170% annual increase. And average breach costs globally surged 10% year-on-year (YoY) to reach nearly $4.9m in 2024. It’s partly down to technology advances by the cybercrime community. But also the continued failure to follow best practices around password security, vulnerability patching, user awareness, multi-factor authentication, and other cyber-hygiene basics. Unless these are addressed, things will continue to get worse. Data-centric security can help, but organizations must also repair the foundations to minimize breach risks.
3- Shadow data must be illuminated
Another factor contributing to the seemingly inexorable surge in data breach costs is the explosion of shadow data in enterprises. IBM found that over a third (35%) of breaches over the past year involved data outside the control of the IT/security department. These incidents cost over 16% more than the average, took 26% longer on average to identify and 20% longer to contain. Shadow data is everywhere, and thrives amid the complexity of modern IT environments. Organizations must find a better way to illuminate it, for example using AI-powered data discovery and classification tools which will automatically and continually locate enterprise data no matter where it resides, even in third-party data stores like cloud environments.
4- Compliance complexity demands best practices
The past year saw the compliance burden pile up yet further for global organizations. From the EU AI Act and the Digital Operational Resilience Act (DORA), to PCI DSS 4.0 and new cybersecurity regulations for firms operating in New York State, stretched teams are at breaking point. Fortunately, these diverse regulations and standards aren’t as heterogeneous as they first appear. In fact, many contain the same kind of best-practice requirements for data protection. IT and compliance leaders facing another year of incoming rules and regulations would do well to remember this. And that data-centric security, including the application of format-preserving encryption or tokenization, can sometimes help to reduce the scope, cost and complexity of compliance. By automating continuous data discovery and classification, applying strong data protection, implementing robust access controls and monitoring, and wrapping it all in a watertight data governance strategy, there is a way forward.
5- Data security can be an enabler
According to one study, half of global business decision makers still consider cybersecurity “a necessary cost but not a revenue contributor,” while 38% see it as a barrier rather than business enabler. Yet if 2024 has taught us anything, it should be that data security is about more than mitigating the risk of a serious breach. In fact, it can help preserve competitive advantage and bolster brand reputation, support important digital transformation initiatives and even open the door to new markets by ensuring enterprises comply with local privacy laws.
New rules introduced in 2024 like NIS 2 stress the importance of boardroom accountability and input when it comes to cyber strategy. This is absolutely correct. Cyber risk today is fundamentally also business risk, and cybersecurity can be a fantastic growth enabler. That’s why it must be managed with direction from the very top. If they’re not engaged yet, boards certainly will be as we move into 2025.