Data Privacy Day 2022: Ransomware’s Success is Data Privacy’s Failure

Summary

Catalyst

This is the third annual Omdia report covering Data Privacy Day, which falls on January 28. How are organizations managing to address data privacy? Regulations and customer expectations drive the need for data privacy, yet there are all too frequent reports of data privacy failures. Ransomware continues to be a scourge on society, not only making corporate data inaccessible until a ransom is paid (including PII, personally identifiable information), but also threatening to expose this data if the ransom isn’t paid. A poll on Dark Reading finds that fewer than one-quarter of organizations believe that they are fully prepared for a ransomware attack, leaving the remaining three-quarters highly susceptible to such an attack, in turn threatening data privacy.

Omdia view

For the purposes of simplicity, this research will refer to Data Privacy Day as also including the alternative name Data Protection Day. Marking the day is designed to raise awareness of data privacy and promote good practice to protect information.

Today’s organizations are often caught in a catch-22 situation as transformation projects continue apace, creating more data for attackers to potentially compromise or exfiltrate. Data exposure consistently accounts for the outcome of over two-thirds of reported security breaches, according to Omdia’s Security Breaches tracker. The leading ways in which the data is obtained for exposure are hacking, supply chain attacks, and ransomware. Much of the exposed data will fall under data privacy regulations, meaning that organizations must initiate a process to report the breach according to whichever regulations apply.

Ransomware will continue to be a hugely successful method of attack that organizations must defend against, with data privacy regulations a significant part of the equation. Focusing on the information lifecycle (create, process, store, transmit, destroy) will help organizations understand what data requires protection and where it resides. Furthermore, classifying data appropriately is important as data is not equal: some data will require strong protection and other data will not. By understanding these nuances, companies can begin exploring more advanced approaches to ransomware, as with the use of artificial intelligence (AI) to see unseen patterns in the data that may point to a potential incursion or threat.  

Key messages

• Organizations recognize the importance of data privacy but are still falling short in its application.
• The continued threat of ransomware must play a bigger role in organizational protection of customer data.
• AI plays a role in addressing ransomware.
• Fighting ransomware starts with data.

Recommendations

• Get tactical—turn plans to protect data across the board into action. Organizations know that protecting data is vital but are still struggling to turn this into action. Control of the information footprint is essential to provide the appropriate protection.
• Review and improve plans to protect the organization from a ransomware attack. Don’t be part of the over three-quarters of organizations without an adequate plan to deal with a ransomware attack. Prevention is better than cure, when the “cure” could result in fines, whether paying the ransom or not, let alone the cost of recovery and remediation. Protect and back up organizational data with defense-in-depth measures.
• Invest in AI expertise. Companies interested in securing data privacy and in particular protecting themselves from ransomware should absolutely consider an investment in AI-capable tools as a means of both identifying and responding to data privacy risks through ransomware. However, these tools demand a high degree of technical expertise specific to both AI and the data under protection. Companies should, therefore, seek out technology partners that provide a high degree of transparency into all in-product AI. Additional benefits include a professional services component. Potential buyers should also invest directly in in-house AI expertise to ensure the proper operation of this software over time.
• Take a multi-pronged approach. There are different avenues available to enterprise practitioners in tackling ransomware. For example, a wide swath of security providers offer AI-assisted anomaly detection and response; conversely, some backup and recovery vendors are also building AI capabilities into their respective solutions focused on identifying risk and facilitating recovery. Omdia recommends IT buyers consider employing both approaches simultaneously. Increased visibility into data usage patterns available from backup solutions, for example, can greatly improve the efficacy of security tasks such as network intrusion.

Organizations recognize the importance of data privacy but are still falling short in its application

The management of security, identity, and privacy is the leading IT trend for 2022

Omdia’s annual IT Enterprise Insights survey (2021–22) found that the management of security, identity, and privacy is the leading IT trend for almost 20% of organizations, second for over 14%, and third for 15% (see Figure 1).

Figure 1: IT Enterprise Insights 2021–22 – Importance of technology trends Source: Omdia

The world has changed during the COVID-19 pandemic, and organizations have had to evolve where they can and change/update the ways in which they do business. Transformative projects continue apace—the creation of digital capability is a clear second for top technology areas in the above chart —but securing these new capabilities and maintaining the privacy of data is a distinct priority. Organizations the world over recognize that the management of security, identity, and privacy is hugely important to their wellbeing.

A proactive approach to cybersecurity and digital risk eludes many

Knowing that something needs to be a priority is quite different from making it happen. Returning to Omdia’s IT Enterprise Insights survey, one of the questions asked every year is how well organizations are doing on having a fully proactive approach to cybersecurity and digital risk. The results show that globally, across all sectors, around 17% of organizations have a fully developed proactive approach to cybersecurity and digital risk, and a further 31% describe themselves as well advanced, with some variation by region (see Figure 2).

Figure 2: IT Enterprise Insights 2021-22 – Proactive approach to cybersecurity and digital risk Source: Omdia

What this means for organizations today is that although a total of 48% have a fully developed or well-advanced approach to cybersecurity and digital risk, 52% have a substantially inadequate approach. This does represent good progress from the 2020–21 survey, where globally a total of 58% of organizations had a substantially inadequate approach (15% had a “complete” approach and 27% a “well advanced” approach).

It is a step in the right direction, but there’s a long way to go. Security breaches of data that should remain private will continue because organizations are failing to secure data appropriately, with far too many examples of this happening on a frequent basis.

The continued threat of ransomware must play a bigger role in organizational protection of customer data

Ransomware will continue to be a scourge on organizations

Omdia’s Security Breaches Tracker records publicly available notifications of security breaches, currently containing data for 2019, 2020, and 1H21. Ransomware consistently appears in the top three breaches by method, having accounted for around 20% of breaches in the first half of 2021, and almost one-quarter in 2020 (see Figure 3—note, 2021 data only covers 1H, not the full year).

Figure 3: Omdia security breaches tracker – share of breaches by method Source: Omdia

Ransomware as a pejorative term has entered almost everyday parlance. Most organizations are likely to have suffered from a successful or attempted ransomware attack—some of the successful ones are reported upon but many are not, and the unsuccessful attacks are rarely recorded. One of the highest profile (and “successful”) ransomware events of 2021 was the Colonial Pipeline attack in the United States, where the attackers appeared genuinely surprised by how much disruption had been caused, apologized, and took the surprisingly low ransomware payment of around $4.5m, some of which has since been recovered.

Attackers have increased the stakes in ransomware attacks, moving to a “double whammy” approach for many organizations hit by such attacks. The first “whammy” is for the attacker to lock the ransomed data so that the victim cannot access it without paying a ransom. It is also not guaranteed that the data will be unlocked even if the ransom is paid. Some organizations refuse to pay a ransom, which leads to the second “whammy” of the ransomed data being exposed or put up for sale if the ransom was unpaid. This means that, of course, the victim organization is frequently in breach of data privacy regulations, with ransomed data often including PII.

Furthermore, some organizations are not legally allowed to pay a ransom, including those listed on the New York Stock Exchange (NYSE). The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory on October 1, 2020, highlighting “the sanctions risks associated with ransomware payments related to malicious cyber-enabled activities.” The advisory goes on to state that “companies that facilitate ransomware payments… not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”

Not only has ransomware been a blight throughout 2020 and 2021 (and prior), but it will continue in 2022 and beyond. Throughout 2021, Dark Reading conducted a poll on organizations’ ability to respond to a ransomware attack, and the results from mainly cybersecurity professionals show that fewer than a quarter of respondents are confident in their organization’s ability to respond to a ransomware attack and maintain regular operations (see Figure 4).

Figure 4: Lack of ransomware preparedness prevalent across enterprises Source: Dark Reading

This leaves well over three-quarters of organizations without an adequate plan to deal with a ransomware attack. Protecting data, and for much of that data, ensuring its privacy, has not been given sufficient attention by many organizations, and ransomware attacks are taking advantage of this. Organizations must take it upon themselves to discover, identify, and define their data, classify it appropriately, and provide appropriate protection against a ransomware attack.

Investment planned in data privacy, security, quality

According to Omdia IT Enterprise Insights 2021–22, the leading area of investment for data and analytics is data privacy, security, and quality, with one-third of organizations planning strategic investment and a further 30% planning minor investment, also reflected in the regional breakdown (see Figure 5).

Figure 5: IT Enterprise Insights 2021-22 – Investment plans for data privacy, security, and quality Source: Omdia

However, investment in technology alone will not be enough. People and process also play crucial roles in data protection and data privacy, and comprehensive information lifecycle management is essential to provide adequate and appropriate protection of data.

Organizations need to understand what data needs protection; it is impossible to protect what is unknown. However, rarely does an organization have a complete picture of its data environment, so the focus is on controlling data as much as possible so that it can be appropriately protected. More granular control over the handling of data is required throughout its lifecycle: create, process, store, transmit, and destroy, and understanding how data lifecycle activities impact the overall data footprint within the organization.

As the data footprint grows, so does the requirement to implement appropriate protective controls over each stage in the lifecycle, and this must be a focus for organizations to protect data from ransom and/or exfiltration. In this way, organizations will be able to get a handle on the data that it needs to protect and secure in line with data privacy regulations.

AI plays a role in addressing ransomware

Ransomware presents a challenging problem for enterprise IT practitioners because it can take many forms, attacking perhaps a single machine or the entire company, employing a well-known piece of downloadable malware or nothing but the skillful hand of an attacker. Malware attackers can block access to data and/or systems, encrypt and lock data, or even move company data offsite. Attacks that take place over a keyboard (rather than via downloadable malware such as Bad Rabbit or WannaCry) are particularly difficult to detect and mitigate as they can dwell over time, appearing innocuous at first as attackers may use trusted routes of ingress as they move laterally through a target network. AI techniques such as unsupervised deep learning (DL) can help organizations understand attack targets and vectors by encouraging observability across the data lifecycle.

AI techniques can help identify and respond to anomalous activities associated with potential incursions in real time

Orthodox antivirus and end-point protection tools can protect sensitive data assets by seeking out known attack vectors and known malware using statistical methodologies (e.g., Bayesian antivirus software). Conversely, over-the-keyboard attacks demand an approach from the defenders that can see what in essence is not there—intent. Well, perhaps not the actual intent of a bad actor. But if companies can detect the wake of activity created by a potential wrongdoer, they stand a good chance of blocking or diverting an incursion before systems can be locked or data encrypted.

Here, AI offers many helpful tools that can help companies with malware. Statistical and mathematical machine learning (ML) algorithms like k-nearest neighbor and decision trees can identify malware payloads and known attack patterns, for example. Where AI really steps into the spotlight, however, is with deep learning (DL) neural networks. Unlike statistical and mathematical ML technologies that use known rules (e.g., “this is or is not a piece of malware”) to identify a potential attack, DL technologies can actually deduce the rules themselves. Popular DL algorithms including convolutional neural networks (CNN), recurrent neural networks (RNN), and long short-term memory (LSTM) can parse huge amounts of disparate data to build an understanding of the patterns in that data, patterns that may turn out to represent an attack.

For example, a DL algorithm looking at raw network traffic, file access logs, and other user activity measures can pick out patterns of activity that are not commensurate with normal operations. Put another way, DL can identify any outlying, anomalous signals in the data. These signals in effect greatly narrow the terrain that security professionals must traverse in searching for and mitigating potential malware incursions.

This ability to identify outliers is crucial in the fight against malware because quite often over-the-keyboard attacks are multi-stage and take place over time, often making use of trusted software and user actions. Because there’s often no “bad code” to look for, security practitioners instead need to look for breaks in the norm, for example a user gaining access to a system or data resource via a new location or at an unusual time. DL-capable malware tools look across a wide array of measures to identify any anomalous patterns from among the many relationships between users, resources, and activities.

Increasingly, graph analytics combined with DL techniques show great promise in exposing the subtle interplay of relationships between users, systems, and resources

Just as with use cases like credit card fraud detection, malware detection is all about patterns and relationships. Most financial institutions rely on graph analysis to find aberrant patterns in the relationship between credit cardholders, their location, shopping preferences/history, etc. Graph analysis, on a very basic level, is the exploration of the relationships (e.g., edges) between things (e.g., nodes). Given the success of graph analysis to spot erroneous relationship patterns, many enterprise IT researchers and technology providers are beginning to experiment with a blend of DL and graph analysis techniques in fighting malware. Graph neural networks (GNNs) such as graph convolutional networks (GCNs) are uniquely capable of learning the rules/patterns that surface within the relationship between structured and unstructured data across users, actions, and resources.

Fighting ransomware starts with data

There is a rich and diverse ecosystem of technology providers

Given the diverse and rapidly evolving nature of AI, it is no surprise to find a rich and diverse ecosystem of technology providers actively building AI-informed tools to fight malware. Broad-spectrum security providers are well-positioned to use AI as they intrinsically scan log files. Traditional antivirus players are well-positioned to detect known malware payloads tucked away in email and other forms of communication, and data backup and restore vendors are getting in on the act with AI-equipped tools that play an active role, both detecting and recovering from malware attacks. Backup and recovery tools are actually a crucial contributor to data security, as malware attacks and attackers will often seek to disrupt backup processes before they encrypt target data.

Data is simultaneously the greatest opportunity and greatest threat to fighting malware

Thanks to AI itself, many of these solutions come out of the box, ready to detect potential malware incursions without requiring that the customer bring AI expertise to the table prior to deployment. And yet, all these diverse approaches to malware identification, mitigation, and response depend upon one common denominator—data. Data is simultaneously the greatest opportunity and greatest threat to fighting malware, with or without the application of AI techniques. As most enterprise practitioners have discovered, success with AI in any capacity doesn’t depend on the amount of data thrown at the problem but instead on the quality and most importantly the understanding of that data.

Enterprise IT practitioners considering investing in AI as a means of fighting ransomware, therefore, must first build an understanding of their entire data landscape as it pertains to data security and privacy. This means building solid metadata defining ownership, access, privacy exposure, locality, etc. On top of this, companies must establish a set of governance requirements that span the full information lifecycle (create, process, store, transmit, destroy). Fortunately, both within and beyond the confines of the security industry, technology providers are presently laser-focused on helping companies build a consistent view of company operational, system, and analytical data using the concept of a data fabric.

Over time, Omdia expects these metadata efforts to more closely align security and business practices. At that time, companies will likely provision an AI-capable malware tool in the same way they provision any cloud-native service, by specifying data sources and flipping the “on” switch. Until then, companies without an existing investment in a data fabric may find themselves somewhat handicapped without the ability to “observe” the entirety of the system of resources they’re seeking to protect. In other words, fighting malware, just like fighting data privacy risks, demands a high degree of data literacy, domain expertise, and governance.

Appendix

Further reading

2022 Trends to Watch: Data Security (November 2021)

Data Privacy Day 2021: Data privacy must beimproved in a changed world (January 2021)

On Data Privacy Day, A Demand for Better Data Management (January 2020)

Author

Maxine Holt, Senior Director, Cybersecurity

Bradley Shimmin, Chief Analyst, AI Platforms, Analytics, & Data Management

askananalyst@omdia.com