The amount of sensitive information that businesses hold in non-production environments, such as development, testing, analytics, and AI/ML, is rising, according to a new report. Executives are also becoming more concerned with protecting it, and incorporating it into new AI products is not helping.
The "Delphix 2024 State of Data Compliance and Security Report" found that 74% of organisations that handle sensitive data increased the volume kept in non-production, also known as lower, environments in the last year. What's more, 91% are worried about their expanded exposure footprint as a result, which puts them at risk of vulnerabilities and non-compliance sanctions.
Due to the growth in online users and ongoing transformation efforts, the overall volume of customer data that companies hold is growing. The IDC forecasts that by 2025 the global datasphere will grow to 163 zettabytes, ten times the 16.1 zettabytes of data generated in 2016.
As a result, the amount of sensitive data being stored, such as personally identifiable information, protected health information, and financial information, is also increasing.
Sensitive data is generally created and stored in production, or live, environments like the CRM or ERP, which have strong controls and restricted access. Nevertheless, typical IT procedures frequently result in the data being copied multiple times into non-production environments, giving more staff access and increasing the risk of data breaches.
The report is based on a survey of 250 senior-level employees at businesses that handle sensitive customer data. The survey was conducted by the technology company Perforce.
Over half of companies have already experienced a data breach
More than half of respondents said they had already experienced a breach of sensitive data stored in non-production environments.
Other evidence points to a worsening of the situation: a study by Apple found that data breaches increased by 20% between 2022 and 2023. In fact, 61% of Americans have discovered that their private information had been compromised or breached at some point.
According to the Perforce report, 42% of the respondents' businesses have experienced malware. Ransomware in particular is a growing threat worldwide: ransomware incidents globally increased by 33% in the last year, according to a review from Malwarebytes that was released this month.
Part of the problem is that global supply chains are becoming longer and more complex, which increases the number of potential entry points for adversaries. According to a statement from the Identity Theft Resource Center, the number of organizations affected by supply chain attacks increased by more than 2,600 percentage points between 2018 and 2023. Furthermore, payouts exceeded $1 billion (£790 million) for the first time in 2023, making it an increasingly lucrative exploit for attackers.
AI is the main culprit when it comes to insecure consumer data
It is becoming extremely challenging to manage what information goes where as businesses start incorporating AI into business operations.
AI systems frequently require sensitive consumer data for training and operation, and the complexity of the algorithms and possible integration with external systems can create new attack vectors that are difficult to manage. In fact, the report found that AI and ML are the leading causes of sensitive data growth in non-production environments, as cited by 60% of respondents.
"AI environments may be less governed and protected than production environments," the report's authors wrote. "As a consequence, they can be easier to compromise."
Company decision-makers are aware of this threat: 85% report concerns about regulatory non-compliance in AI environments. Although many AI-specific regulations are still in development, GDPR requires that personal data be handled lawfully and transparently in AI systems. Additionally, there are various applicable state-level laws in the U.S.
The E.U. AI Act, which became effective in August, establishes strict guidelines for the use of AI for facial recognition and general-purpose AI systems. Companies that don't adhere to the rules may face fines ranging from €35 million ($38 million USD) or 7% of their global turnover to €7.5 million ($8.1 million USD) or 1.5% of turnover, depending on the infringement and size of the company. In the near future, more AI-specific regulations are anticipated to be implemented in other regions.
Other concerns about sensitive data in AI environments, cited by over 80% of the respondents to the Perforce study, include using lower quality data as input into their AI models, personal data re-identification, and theft of model training data, which may contain IP and trade secrets.
Businesses are concerned about the financial impact of insecure data
The prospect of a sizable non-compliance fine is another major reason why large corporations are so worried about insecure data. Consumer data is widely subject to expanding regulations, like GDPR and HIPAA, which can be confusing and change frequently.
Many regulations, like GDPR, apply penalties based on annual turnover, so bigger companies face bigger charges. According to the Perforce report, 43 % of respondents have already been forced to increase or change non-compliance, and 52 % have had audit problems or failures involving non-production data.
However, a data breach’s cost can exceed the fine because a portion of the lost revenue is caused by stopped operations. According to a recent Splunk report, human errors related to cybersecurity, such as clicking a phishing link, were the main cause of downtime incidents.
Unplanned downtime costs the world's largest companies $400 billion a year, with contributors including direct revenue loss, diminished shareholder value, stagnant productivity, and reputational damage. Indeed, ransomware damage costs are predicted to exceed $265 billion by 2031.
The average cost of a data breach in 2024 is $4.88 million, according to IBM, a 10% increase over 2023. According to the tech giant, 40% of breaches involved data stored across multiple environments, such as public cloud and on-prem, and these cost more than $5 million on average and took the longest to identify and contain. This demonstrates that business leaders are right to be concerned about data sprawl.
Taking steps to secure data in non-production environments can be resource-intensive
Data stored in non-production environments can be protected in a variety of ways, including by masking sensitive information. The Perforce report found that businesses have a number of reasons why they are reluctant to do so, including the fact that respondents find it challenging and time-consuming as well as the possibility that it will slow down the organization.
- Nearly a third of users are concerned that it may stifle software development because it can take weeks to securely replicate production databases to non-production environments.
- 36 % of respondents believe that software quality can be affected by masked data because it may be unrealistic.
- 38% think the security protocols may inhibit the company's ability to track and comply with regulations.
Additionally, according to the report, 86 % of organizations permit data compliance exceptions in non-production environments to avoid the trouble of keeping it safe. These include using a limited data set, data minimisation, or gaining consent from the data subject.
Recommendations for securing sensitive data in non-production environments
The top four methods for protecting sensitive data in non-production environments were identified by the Perforce team:
- Static data masking: Permanently replacing sensitive values with fictitious, yet realistic equivalents.
- Data loss prevention (DLP): A perimeter-defence security strategy that looks for ways to prevent data theft and loss.
- Data encryption: Temporarily converts data into code, allowing only authorised users to access the data.
- A policy that categorizes users according to roles and other characteristics and sets up their access to datasets in response to these categories.
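The static data masking item above, together with the respondents' worry that masked data may be unrealistic, can be illustrated with a short sketch. This is an added example, not code from the report or from Perforce's tooling: it masks values deterministically with a keyed hash so the same customer maps to the same fictitious value in every copied table. The key, name pools, and column names are constructed assumptions.

```python
import hashlib
import hmac

# Constructed key for the example; in practice it is kept in a secrets manager
# and never copied into the non-production environment.
MASKING_KEY = b"constructed-example-key"

FIRST_NAMES = ["Alex", "Dana", "Jordan", "Morgan", "Riley", "Sam", "Taylor", "Casey"]
LAST_NAMES = ["Archer", "Bennett", "Cole", "Dawson", "Ellis", "Frost", "Grant", "Hale"]


def _digest(field: str, value: str) -> bytes:
    """Keyed one-way digest: the same input always yields the same output."""
    return hmac.new(MASKING_KEY, f"{field}:{value}".encode(), hashlib.sha256).digest()


def mask_name(value: str) -> str:
    d = _digest("name", value.strip().lower())
    return f"{FIRST_NAMES[d[0] % len(FIRST_NAMES)]} {LAST_NAMES[d[1] % len(LAST_NAMES)]}"


def mask_email(value: str) -> str:
    d = _digest("email", value.strip().lower())
    # example.com is reserved for documentation, so masked mail is undeliverable.
    return f"user{d.hex()[:10]}@example.com"


def mask_digits(value: str, field: str = "digits") -> str:
    """Replace every digit but keep length and separators intact."""
    stream = _digest(field, value)
    out, i = [], 0
    for ch in value:
        if ch.isdigit():
            out.append(str(stream[i % len(stream)] % 10))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


# Hypothetical column names mapped to their masking function.
MASKERS = {"name": mask_name, "email": mask_email, "card": mask_digits}


def mask_row(row: dict) -> dict:
    """Mask the sensitive columns and pass the rest through unchanged."""
    return {k: MASKERS[k](v) if k in MASKERS else v for k, v in row.items()}
```

Because the mapping is keyed and one-way, the masked copy cannot be reversed without the key, while joins on the masked email or card column still line up across tables.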
According to the authors, protecting sensitive data is difficult in general, and AI/ML adds to that complexity.
“Tools that specialise in protecting sensitive data in other non-production environments — development, testing, and analytics, for example — are well-positioned to help you protect your AI environment. ”