Mandula Moments: Risks and opportunities in an AI-driven world (Part 5)

Continuation from Part 4

Data Security: Safeguarding Data from Theft and Abuse

With valuable data everywhere, security is a paramount concern. The question “who will steal it?” reflects the unfortunate reality that any enormous collection of data is a tempting prize for attackers. Ensuring that data is not stolen, tampered with, or misused is an ongoing battle in the data era. Key facets of this challenge include:

• Cyber Attacks and Breaches: As discussed under risks, cybercriminals are constantly developing new methods to breach defenses. They exploit software vulnerabilities, use social engineering (phishing) to trick employees, deploy malware and ransomware – all with the goal of gaining unauthorised access to data. High-profile breaches in recent years have exposed personal records in the hundreds of millions (for example, breaches of credit bureaus, retail giants, and tech companies). Ransomware attacks have also grown, where attackers encrypt an organisation’s data and demand payment to unlock it – sometimes also threatening to leak the data. Businesses not only face direct losses (ransom payments, recovery costs) but also legal liabilities and loss of customer trust when breaches occur.

• The trend is alarming: the Identity Theft Resource Center noted a 72 per cent increase in data compromises in 2023 compared to the previous high, indicating that breaches are becoming both more frequent and larger in scope. To combat this, organisations must invest heavily in cybersecurity measures: firewalls, intrusion detection systems, regular security audits, and employee training (human error is a leading cause of breaches). Many are also turning to AI-driven security tools that can analyse network data to detect anomalies or predict attacks. However, attackers too can use AI to find weaknesses, creating an arms race. A strong security posture is not just a technical necessity but a governance imperative – boards and executives are increasingly expected to treat cybersecurity as a core component of business risk management.

• Insider Threats and Data Misuse: Not all data theft happens from external hackers; sometimes insiders with legitimate access abuse their privileges. This could be an employee or contractor who steals data for personal gain or out of malice, or who accidentally exposes data through negligence. Monitoring and controlling internal access to data is crucial – following the principle of least privilege (only give employees access to the data they truly need) and implementing logs and alerts for unusual data access patterns. Data governance policies often include strict protocols for who can copy or transfer sensitive data. Yet, we have seen cases of insiders selling customer data (for example, a bank employee selling account info) or taking intellectual property to competitors. Prevention measures include rigorous background checks, clear penalties, and fostering a culture of ethics where employees understand the importance of protecting data.

• Data Encryption and Protection: One of the fundamental defenses for data is encryption – both in transit and at rest. By encrypting sensitive data, even if attackers intercept or exfiltrate it, they cannot easily use it without the encryption keys. Many organizations are moving to encrypt databases, hard drives, and cloud storage by default. There’s also a push for end-to-end encryption in consumer services (like messaging apps) to protect user communications from any eavesdropping. However, encryption can complicate law enforcement access, which is why some governments seek backdoors – a contentious issue in the debate between privacy and security. Additionally, techniques like data masking and tokenization can protect data in development or testing environments so that real personal details are not unnecessarily exposed.

• Regulatory Compliance (Security Aspect): Laws like GDPR, HIPAA (health data), and others mandate strict data protection measures. Companies can face heavy fines if they fail to secure data properly. For example, GDPR can levy fines up to 4 per cent of global turnover for serious violations (including data breaches resulting from negligence). These regulations effectively police data security by creating financial and legal incentives for organisations to follow best practices. We also see emerging regulations focused on critical infrastructure cybersecurity and supply chain security, recognising that data breaches can have cascading effects. Continuous monitoring is often required – meaning companies must regularly assess their systems for vulnerabilities and report breaches promptly when they occur.

• International and Law Enforcement Efforts: On a broader scale, tackling cybercrime requires international cooperation. Cybercriminals often operate across borders, exploiting jurisdictions with weak laws. Efforts like the Budapest Convention on Cybercrime aim to facilitate cross-border investigation and prosecution of hackers. Law enforcement agencies are also getting more sophisticated in tracking cyber gangs (for instance, some ransomware group members have been arrested). However, the sheer volume of attacks means we cannot rely on law enforcement alone. Every organisation and individual are effectively on the front line of data security. Business leaders must treat data protection as seriously as physical security or financial control. This includes planning for the worst (incident response plans, backups to recover from ransomware without paying, cyber insurance, etc.).

In essence, “who will steal it?” – many will try, but through strong security practices we aim to ensure no one succeeds. Achieving perfect security is impossible, but the goal is to make attacks as difficult and costly as possible, and to limit damage if a breach occurs. Organisations that succeed in protecting data will maintain trust and be better positioned to leverage data’s value, whereas those that suffer high-profile breaches will face costly setbacks. Security is thus a cornerstone of unlocking data’s opportunities without falling prey to its dangers.

to be continued in Part 6.