How worried should you be about your organization’s privacy and data safety? In a recent virtual panel discussion sponsored by HCLTech on X (formerly Twitter), two security experts agreed that you should be even more concerned than you probably already are.

“The biggest threat to digital privacy and security today is the belief and the perception that an organization or a person might have, that it won’t be them that will suffer a data breach,” said James Caton, Global Head of Data and AI Practice at Microsoft. In fact, this kind of complacency is deeply misplaced. Caton Metrics tracked by Microsoft suggests that the risks to data security and privacy are growing every day.

Where are the threats coming from? How should you respond? How do you even know your security has been breached? In a wide-ranging, hourlong talk, Caton and Andy Packham, Chief Architect and Senior Vice President of the Microsoft Ecosystem Unit at HCLTech, discussed the risks companies face now – and what they should do about it.

Two groups are responsible for the growing insecurity, in Caton’s view. “If you take a closer look at what is driving the increase in lack of security and privacy, it really falls into two categories. One is nation-state actors that have a political agenda, and the other is non-nation-state actors that have a monetization agenda,” he said.

Popular cyber-crimes now include stealing data and holding it for ransom and surreptitious crypto-mining on someone else’s computer platform, according to Caton.

Although data protection technologies have become more widely available in recent years, so have tools for cyber-criminals, Caton said. “It’s easier today to make money from cyber threats than before. You can buy malware online on the Darknet for pennies on the dollar,” he added.

It’s a whole ecosystem now, including malware developers, who build the software, and malware distributors, who conduct phishing campaigns and then catch and sell the data.

Guarding against theft and attack is also becoming more difficult now as the supply of data continues to grow and the number of places from which data can be accessed expands. “We’ve created a phenomenal amount of data — it’s grown exponentially and carries on exponentially growing. It’s also accessible from multiple locations, not just in the office with our data center and firewall wrapping it all nicely up in safety,” said Packham.

This physical dispersion is also creating new risks, according to Packham, particularly devices connected to the Internet of Things (IoT).

These too will require special treatment, as many IoT devices are in physically demanding locations. “It’s a very difficult environment. It’s not your clean office. Your environment can be very dusty, can be very dirty, it can be down a mine or out in the North Sea,” he continued.

The AI risks

To make IT security more challenging still, new risks are emerging. Generative AI, Caton said, “opens up a whole new field of opportunity and also potential threats for data security.” On the one hand, it could help security by creating enough background “noise” to obscure the movement of critical data in a network. “On the flip side, I can easily imagine generative AI being used to attempt to overwhelm systems or to simulate authentic data to gain access to stuff,” he said. One emerging possibility he noted: many financial systems now use voice recognition software for authentication, but could generative AI be trained to mimic your voice closely enough that it could gain access to your accounts?

Then again, AI will also make detection easier. “AI will start to allow us to look at patterns and trends and identify things that look out of place over a much, much longer time period in much noisier environments and then flag those up for investigation,” Packham explained.

Raising your security game

Caton warned that companies need to think of security more broadly now than they did in the past. “One misconception is that if my people are compliant and participating in security protocols and data protection protocols, then I’m covered,” he said.

This is no longer true. Many breaches happen at the device level, Caton pointed out. “We have found at Microsoft that 78% of devices on networks have known vulnerabilities,” he said. Half of those can be patched or upgraded. The other half, however, can’t be corrected.

Vendors, too, can be a source of vulnerability according to Caton, “so if you’re an organization, that has strong policies for your people, strong policies for your devices, make sure you cascade those policies to vendors and partners that interact with your IT systems.”

A difficult tradeoff

But it’s not always easy to strike the right balance between security and opportunity. “You want to lock everything down, and you want to protect everything, but on the other hand, you can’t then run your business,” said Packham.

Instead, companies should think about which data they need to protect most. “It needs to be a layered response, and it needs to focus and understand which parts of all the data are really confidential and need to be kept really secure,” he explained.

Coming up with a plan like this is not easy. “It sounds easy,” Caton said, “but it’s hard to execute.” Cultural issues and operational issues, such as working for a company where people sometimes work from home or on their own devices, can create challenges. 

Packham also suggested preparing for the worst. Get the right people from the business and IT in one room and walk through what the company would need to do if it were attacked. This should include not just the immediate lockdown but the aftermath. Do you have the processes in place to manage your customers? What is your legal responsibility to inform your customers if their data has been compromised? If there is a compliance issue and this gets into the press, how are you going to manage that? You need to have all that thought through before it happens, Packham said, “because it probably is going to happen to us all at sometime.”