Exploding Exposure: Why Securing Sensitive Content Communications Is Critical in 2024
Understanding Private Content Exposure Risk: Navigating the Challenges Ahead
As we stand on the cusp of 2024, IT, security, risk, and compliance leaders face a landscape that is both daunting and evolving. The task of managing data privacy and compliance risks is becoming increasingly complex, mirroring the sophistication of those who seek to exploit these very vulnerabilities. This blog post delves into the challenges and predictions laid out in Kiteworks’ Sensitive Content Communications Forecast for 2024, offering insights and strategies for those at the forefront of this critical battle.
Escalating the Threat Landscape
The digital age has brought with it an unprecedented level of connectivity and convenience, but this interconnectedness also opens doors for cybercriminals. These nefarious actors are constantly refining their methods, making it more challenging to detect and thwart their attacks. A worrying trend, highlighted in the Kiteworks report, is the shift towards targeting supply chains. This approach allows attackers to compromise a wide array of organizations through a single point of failure, magnifying the impact of their actions. Last year alone, third-party vendors, including technology providers, accounted for a significant 15% of successful data breaches.
The emergence of generative artificial intelligence and large language models (GenAI LLMs) has further complicated the cybersecurity landscape. These technologies, while groundbreaking, present new avenues for data exploitation and manipulation, making the task of safeguarding sensitive content increasingly arduous.
Regulatory Response and Organizational Challenges
In response to these growing threats, regulatory bodies worldwide are not just strengthening existing data privacy frameworks but also introducing new regulations. The increasing severity of fines and penalties for non-compliance underscores the seriousness with which these changes are being undertaken. For organizations, this translates into a greater need for vigilant tracking and control of content access, along with comprehensive audit logs to demonstrate adherence to these evolving compliance mandates.
Kiteworks’ Perspective for 2024
Kiteworks’ Sensitive Content Communications Forecast 2024 provides a thorough analysis of the past year’s trends and offers predictions for the coming year. A key challenge identified in the report is the management of privacy and compliance in sensitive content communications. This includes an array of communication tools such as email, file sharing, managed file transfer (MFT), SFTP, and web forms. Many of these tools, developed over a decade ago, are isolated in silos and lack the advanced security features necessary to combat modern cyber threats.
This gap in security capabilities has led to significant data breaches, prompting organizations to reassess their current data communication tools. The report anticipates a shift in strategy for 2024, with a growing number of organizations aiming to centralize their communication tools into a single platform. Such consolidation could offer numerous advantages, including simplified audit processes and unified policy management, providing a more robust defense against cyber threats.
12 Sensitive Content Communication Predictions for 2024
Below is a quick overview of the 12 predictions contained in the Kiteworks 2024 Forecast Report. From embracing technological advancements to fostering a culture of cybersecurity awareness, the path ahead requires a multifaceted approach.
1. Data Privacy and Compliance Risk of AI LLMs
The use of generative AI large language models (GenAI LLMs) by employees and third parties is expected to double despite bans, as the competitive edge they provide is too significant to ignore. About 15% of employees are already inputting company data into these models, and a quarter of this data is sensitive, escalating the risk of exposure for intellectual property, personal and health information, financial documents, and sensitive communications. This trend is likely to increase data breaches and attract regulatory attention in 2024, potentially resulting in brand damage, fines, legal costs, and a loss of customer trust.
Organizations are moving towards zero-trust models that limit access and collaboration based on the sensitivity of the data, ensuring least-privilege access and comprehensive monitoring and logging of content access and movement. There will be a notable increase in using digital rights management (DRM) for high-risk content to facilitate safe collaboration while preventing unauthorized data extraction. Additionally, investments in data security awareness training are ramping up to promote responsible use of GenAI LLMs among employees. By securing unstructured data and implementing stringent governance, organizations aim to reduce their security and compliance risks significantly.
2. Data Privacy and AI LLM Regulations and Standards
The emergence of GenAI LLMs has prompted regulatory bodies to act swiftly in establishing AI regulations and standards. A notable step is the White House Executive Order (EO) from October 30, which seeks to balance the risks and benefits of AI. This EO directs federal agencies to develop AI standards and encourages Congress to engage in regulation efforts. It establishes new safety and security standards, safeguards U.S. citizens’ data privacy, and fosters an equitable AI marketplace. The EO, with guidance from NIST, mandates the U.S. government to scrutinize AI use and procurement and requires AI developers to undergo federal safety evaluations.
In the U.S., legislative momentum is building, with states actively considering or passing AI-related laws. Internationally, the EU’s forthcoming AI Act by 2026 outlines clear requirements for AI usage, targeting risk mitigation while easing the administrative load on businesses, especially SMEs.
NIST’s AI RMF Playbook is shaping standards that address third-party risks, stress testing, data governance, and transparency. In 2024, organizations adhering to these standards must manage sensitive content risks with strong technical controls and responsible AI practices. As AI security requirements evolve, demonstrating compliance through governance tracking and detailed audit logs will become crucial. Experts predict that the latter half of 2024 will likely see the implementation of AI standards, with the necessary governance structures taking time to establish and operationalize.
3. Need for a Modern MFT Approach
Many Managed File Transfer (MFT) solutions are outdated and lack essential security measures, with on-premises deployments suffering from a lack of vendor hardening and a siloed approach that burdens customers with vulnerability management. This includes implementing strategies like firewalls, intrusion detection, and antivirus technologies. These legacy systems often miss crucial security features like Data Loss Prevention (DLP), Advanced Threat Prevention (ATP), and Content Disarm and Reconstruction (CDR).
In 2024, organizations will prefer modern virtual appliances for MFT that allow for one-click updates from providers and include integrated advanced security to combat increasing cyber-threats. MFT tools are vital for secure, automated data transfer and are essential for compliance in the software supply chain, which is increasingly targeted by cyberattacks. IBM’s report showed that 12% of breaches involve the software supply chain, with third parties accounting for 15% of data breaches.
Recent zero-day exploits in major MFT tools by cybercriminals indicate that such vulnerabilities will continue to be a focus for attacks in 2024, with significant implications for the supply chain, regulatory fines, legal costs, and brand reputation.
4. Need for a Modern Email Protection Gateway
Email continues to be the primary attack vector for cyber threats, with malware and phishing attacks increasing by 29% and business email compromise (BEC) by 66%. The median amount stolen per BEC attack has reached $50,000. Traditional email security struggles against these sophisticated social engineering attacks, which often target human error. Over 80% of data breaches exploit human vulnerabilities, bypassing outdated email security measures.
While email encryption has improved, with 90% of IT executives prioritizing it for external communication, internal practices lag, with 79% of businesses sharing unencrypted sensitive data via email. Additionally, only 35% of businesses have extensive encryption measures in place. Complexities and difficulties with encryption methods and public key exchanges contribute to these shortcomings.
Email security challenges persist, including the lack of DRM, DLP, advanced threat detection, secure cloud storage, and robust identity management. Until organizations adopt zero-trust policy management for sending, receiving, and storing emails, email security will remain a significant risk for data privacy and compliance in 2024.
5. Growth in Data Privacy Regulations and Standards
In 2023, data privacy regulations continued to proliferate, with Gartner forecasting that by the end of 2024, personal data for 75% of the global population will fall under such regulations, increasing the average company’s privacy budget to over $2.5 million. The U.S. saw five states enact privacy laws in 2023, with another 10 set to follow in the next two years.
Globally, the focus on data privacy is intensifying, with the EU pushing forward multiple legislations, including the GDPR, the Digital Markets Act, Digital Services Act, and AI Regulation. The EU’s new Data Privacy Framework, which facilitates transatlantic data transfers, requires U.S. companies to self-certify compliance with the Department of Commerce.
The NIST Privacy Framework, initially released in 2020, is expected to expand in 2024 to cover broader enterprise risk management aspects, aligning with emerging federal privacy laws. Anticipated updates to the NIST Cybersecurity Framework (CSF) will also emphasize continuous risk assessments and supply chain risk management. Organizations face challenges in demonstrating compliance due to siloed approaches to sensitive content communication but are expected to move towards centralized governance and audit logs for better tracking and reporting.
6. Rising Importance of Data Sovereignty
In 2024, data localization trends amplify the challenges of data sovereignty for organizations, as regulatory bodies globally, including 70% of countries, enforce stringent controls over data collection, storage, and usage. This regulatory environment mandates companies, especially multinationals, to manage the jurisdictions in which data resides, balancing it with the trend of data democratization—making data widely accessible within an organization. Data sovereignty, encompassing all data types like personally identifiable information, becomes critical to maintain compliance and minimize legal risks, which in turn fosters trust and protects reputations.
The deployment of applications is increasingly dictated by sovereignty laws, with countries like Germany and China enforcing strict controls, and the US CLOUD Act presenting further complications for international data handling. Companies often prefer vendors offering domestic hosting to comply with these laws. However, laws like the CLOUD Act may influence hosting decisions, leading to a preference for single-tenant hosting solutions that simplify compliance with data sovereignty, despite potential audit challenges. Companies are expected to adapt by adopting data sovereignty features within applications or choosing single-tenant hosting to manage multi-country deployments more effectively.
7. Increased Fines for Data Privacy Violations
Fines for data privacy violations have surged in the past two years, hitting record levels for GDPR breaches, with expectations for this trend to continue into 2024. Notable fines from 2023 include Meta’s $1.3 billion penalty by the Irish Data Protection Commission, Google’s $391.5 million settlement with 40 U.S. states, Amazon’s $61.7 million fine by the FTC, and Uber’s $2.1 million penalty, also by the FTC.
Regulatory bodies are intensifying the enforcement of privacy laws and imposing steep fines for non-compliance. These penalties often result from inadequate governance and data security, as seen in the substantial fines against Marriott and British Airways under GDPR. This trend suggests a strict regulatory stance against firms that negligently handle personal data. With the enactment of more data privacy laws in the U.S. and internationally, financial consequences for violations are expected to escalate.
As enforcement remains stringent in 2024, with most of the global population under data privacy regulations, organizations are likely to establish dedicated data privacy operations. For those operating internationally, this will require adapting cloud service designs and procurement to align with varying data localization requirements in 2024.
8. Adoption of FedRAMP Authorized Sensitive Content Communication Solutions
The James M. Inhofe National Defense Authorization Act for 2023, enacted by President Biden, formalizes the FedRAMP program within the General Services Administration and initiates improvements to streamline government adoption of cloud services. Concurrently, the OMB has proposed updates to modernize FedRAMP, aiming to expand the program, enhance security reviews, and expedite the federal government’s secure cloud adoption.
By 2024, FedRAMP Authorization, mandated via a strict annual audit, is expected to be a prerequisite for cloud service providers seeking to engage with the U.S. federal government. For defense contractors within the DIB, the CMMC 2.0 incorporates FedRAMP stipulations, and possessing FedRAMP Authorized file and email data communications will facilitate compliance for these contractors. With an increasing number of DIB contractors striving for CMMC Level 2 certification in 2024, there will be a heightened focus on employing compliant technology solutions for file and email data transfers.
9. Emergence of Digital Rights Management to Protect Sensitive Content
Digital rights management (DRM) is set to become more prevalent as organizations strive to secure sensitive content amidst increasing regulatory demands, with market projections suggesting a rise to over $5 billion by 2024. As per Gartner, integrating DRM with broader technology trends will be essential. Organizations will increasingly rely on standards like the NIST Cybersecurity Framework and NIST 800-53 for content-defined policy management.
The urgency for DRM is propelled by growing cyber threats, stringent data privacy regulations, and the need to manage content sharing both within and outside organizational boundaries. Next-generation DRM will offer essential protection for sensitive data beyond the organization’s perimeter, focusing on persistent security. Effective DRM implementation necessitates cohesive tracking, control, and visibility throughout digital environments, adhering to governance, workflow, and access control best practices.
In 2024, data classification and DRM policy management will be vital, with varying levels of protection aligned with data risk categories. Highly regulated sectors, especially healthcare with its vast quantities of personal data, alongside financial, manufacturing, legal, government, and educational institutions, are poised to lead the adoption of advanced DRM solutions to manage their data privacy and compliance risks.
10. Integration of Advanced Security Into Sensitive Content Communications
In 2024, organizations are poised to widely adopt advanced cybersecurity technologies such as cloud data loss prevention (DLP), advanced threat prevention (ATP), and content disarm and reconstruction (CDR) within their sensitive content management workflows. These tools will be integral for securing data both in transit and at rest. DLP will scan outgoing communications to prevent unintended disclosures, while CDR will actively remove potentially harmful elements from incoming documents. Managed File Transfer (MFT) platforms are expected to natively incorporate these features, enhancing security and preventing policy violations.
The focus will be on achieving comprehensive oversight over content movements, coupled with robust monitoring and detailed audit trails. Centralized platforms, especially MFT, will simplify the enforcement of security policies across various communication tools, including email, file sharing, and web forms. The integration of ATP will ensure that all transferred content is thoroughly scanned, and risks are mitigated. The DLP market itself is projected to expand significantly, driven by the growing need for data discovery, policy enforcement, classification, and incident response, with an expected compound annual growth rate of 22.3% leading up to 2030.
11. Centralizing Sensitive Content Communications and the PCN
The concept of Private Content Networks (PCNs) is set to redefine traditional zero-trust security models by focusing on content sensitivity instead of network perimeter defense. PCNs operate on content-defined trust principles, assigning sensitivity labels to data and applying security measures like encryption and access control tailored to the content’s classified sensitivity level. This approach ensures that security is aligned with the data’s importance, not just its network location.
In 2024, organizations will increasingly adopt PCNs, integrating dynamic policy management that resonates with the data’s sensitivity. This system enforces nuanced risk policies based on user roles, content classification, and actions intended for the data, including additional verification for highly sensitive information. Additionally, PCNs enhance visibility and compliance through detailed logging of content interactions, embodying the zero-trust maxim of “never trust, always verify,” and paving the way for unified management of sensitive content communications.
12. Growth in Communications of Very Large Files Containing Sensitive Content
As file sizes expand significantly, organizations face growing challenges in managing sensitive large-file content. Fields like biotech are generating massive DNA sequencing data files due to advances in genetic research and personalized medicine. In design and engineering, the complexity of CAD files is increasing. Law enforcement’s reliance on video evidence, marketing’s use of high-definition media, and the ballooning analytics files in economics and scientific research all demand robust secure storage and transfer solutions.
The burgeoning private large language models (LLMs) sector is another area of concern, with training datasets rapidly increasing in size and confidentiality. The management of these large, sensitive datasets is becoming a pivotal operational issue.
Customer service’s need to handle extensive log and HAR files, which contain sensitive data as demonstrated by the Okta breach, highlights security vulnerabilities. The trend of employees using unapproved transfer methods further exacerbates these risks. While cloud storage services like Microsoft 365 and Box have expanded their limits, they still fall short of the requirements of data-heavy industries, necessitating advances in secure, large-file transfer and storage capabilities.
Tackling 2024 Predictions With a PCN
Escalating cyber threats like supply chain attacks and risks from GenAI LLMs will increase cyber risk in 2024. Making this more difficult are expanding and evolving global data privacy regulations, which include substantial increases in fines and penalties. To address these, we will see a rise in DRM and PCNs on data-centric security. Organizations will shift towards centralized platforms to unify email, file transfer, and collaboration, MFT, and web forms under consistent policies that comply with zero-trust principles.
The upside is that Kiteworks offers a PCN address many predictions like advanced threat protection, robust access controls, detailed audit logs, and secure large file transfers to help manage sensitive content risks. To see the Kiteworks-enabled PCN in action, schedule a custom-tailored demo today.
Additional Resources