Where is your data?
Who has access?
What’s at stake if it falls into the wrong hands?

These are the questions that keep IT and security professionals up at night. And for good reason, given the alarming rise in both frequency and sophistication of cyber threats. Threats feel more ubiquitous than ever, in part due to a new wave of less-savvy hackers leveraging AI to level up their capabilities.

The threat landscape has evolved. If your data security strategy hasn’t evolved along with it, the time is now. As in, sound-the-alarm-bells, all-hands-on-deck, right now.

This isn’t an easy fix, given the triple challenge of complex cyber threats, changing regulatory environments, and the proliferation of interconnected devices.

We know the stakes are enormous. But what’s the real scope of the data security threat? And, most importantly, what can leaders do to protect their organizations’ data?

The state of data security

In short, a whole lot of data is in play. And that data may not be as safe as IT and security teams would like to think.

Take these findings from a recent WinZip survey of nearly 500 cybersecurity-focused IT professionals at large companies.

• Sensitive data is everywhere. Among respondents, nearly 8 in 10 (79%) report that their company works with sensitive data including personally identifiable information (PII), payment card information (PCI), and/or personal health information.

Here’s where things get a little scary.

• Leaders are aware of gaps… Fewer than half (48%) of respondents describe their organization’s data security as “very strong.”

• …but don’t connect those gaps to real risk. Despite the stat above, the majority (64%) of respondents claim they are confident their organization will not experience a data security breach within the next 12 months.

Some of those folks, unfortunately, are likely to be wrong. A whopping 41% of respondents said that they had experienced at least one data breach in the past year.

Businesses in highly regulated industries should be particularly proactive. Failure to comply with data protection regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) can result in severe legal and financial consequences.

Can more investments in data security combat the high cost of breaches?

Post-breach remediation carries an astronomical cost, both in reputation repair (which may be irreparable), and in associated fines and labor. The average cost of a data breach stood at $4.35 million in 2022. With 4 in 10 of businesses falling victim in just one years’ time, there’s a clear need for proactive, anti-breach measures.

To be fair, it’s not as though IT and security teams are standing by, waiting for something to happen. The report found that 87% of respondents state that data security is “extremely important” at their companies. So, it’s a priority — but not yet a success story. And there’s a clear gap between what is prioritized from a policy perspective and what is actually implemented.

The good news: That gap may be narrowing. There’s a clear trend toward ramping up security expenditures, with 78% of respondents reporting that they will elevate their security budgets either moderately or significantly within the next year.

Of course, it’s not only about the amount invested, but also where and how the investments are made.

What can IT and security leaders do?

Things aren’t all doom-and-gloom. A few key strategies and best practices can enhance an organization’s data security position. Plus, consider this: Data security is usually discussed in the negative, as in, “Lack of data security causes XYZ problems,” However, implementing data security can be a huge positive for a business. Strong data security is a major selling point for customers and partners and can deliver competitive advantage far above and beyond loss prevention.

Strategies include:

• A zero trust security model. The traditional perimeter-based security model is becoming obsolete as more employees access company data from various devices and locations. “The zero-trust approach is a powerful, flexible and granular way to control access to data across an organization’s IT, network and security landscape,” according to Prashant Ketkar, our Chief Technology and Product Officer. Zero trust security considers every access attempt as potentially risky until proven otherwise. It incorporates principles like identity verification, multi-factor authentication, and granular access controls.

• Encryption. Encryption is another critical element of a successful data security program. Encryption can not only protect PII, PCI, and health information, but it is also an important part of human resources. Securing employee information is just as important as securing customer and partner information.

Zero trust security and IT-controlled encryption can be combined with regular data backups, employee training, multi-factor authentication and a well-defined incident response plan to shore up data security.

Staying three steps ahead

The threat landscape isn’t static, so data security can’t be, either. It is an ever-evolving field that demands constant vigilance and adaptability—made even more complicated by a dynamic regulatory landscape and hybrid work environments. “With remote and hybrid work becoming an integral part of the new work culture, IT administrators need to be focused on providing a digital workspace that ensures security and productivity no matter where employees are working in 2023 and beyond,” added Ketkar.

While specific threats and appropriate responses may change (and have probably changed in the time you’ve read this article), the basic principles are the same: Implement zero trust. Prioritize employee training. Don’t become complacent.

To make it easier, invest in technologies with security and encryption built in. Let your platforms do some of the work for you.  After all, it’s tough out there. Protecting your organization’s data should be your top priority. Now is the time to work smarter, not harder.