Data is essential for any organization. This isn’t a new concept, and it’s not one that should be a surprise, but it is a statement that bears repeating.
Why? Back in 2016, the European Union introduced the General Data Protection Regulation (GDPR). This was, for many, the first time that data regulation became an issue, enforcing standards around the way we look after data and making organizations take their responsibility as data collectors seriously. GDPR, and a slew of regulations that followed, drove a massive increase in demand to understand, classify, govern, and secure data. This made data security tools the hot ticket in town.
But, as with most things, the concerns over the huge fines a GDPR breach could cause subsided—or at least stopped being part of every tech conversation. This isn’t to say we stopped applying the principles these regulations introduced. We had indeed gotten better, and it just was no longer an interesting topic.
Enter Generative AI
Cycle forward to 2024, and there is a new impetus to look at data and data loss prevention (DLP). This time, it’s not because of new regulations but because of everyone’s new favorite tech toy, generative AI. ChatGPT opened a whole new range of possibilities for organizations, but it also raised new concerns about how we share data with these tools and what those tools do with that data. We are seeing this manifest itself already in messaging from vendors around getting AI ready and building AI guardrails to make sure AI training models only use the data they should.
What does this mean for organizations and their data security approaches? All of the existing data-loss risks still exist, they have just been extended by the threats presented by AI. Many current regulations focus on personal data, but when it comes to AI, we also have to consider other categories, like commercially sensitive information, intellectual property, and code. Before sharing data, we have to consider how it will be used by AI models. And when training AI models, we have to consider the data we’re training them with. We have already seen cases where bad or out-of-date information was used to train a model, leading to poorly trained AI creating huge commercial missteps by organizations.
How, then, do organizations ensure these new tools can be used effectively while still remaining vigilant against traditional data loss risks?
The DLP Approach
The first thing to note is that a DLP approach is not just about technology; it also involves people and processes. This remains true as we navigate these new AI-powered data security challenges. Before focusing on technology, we must create a culture of awareness, where every employee understands the value of data and their role in protecting it. It’s about having clear policies and procedures that guide data usage and handling. An organization and its employees need to understand risk and how the use of the wrong data in an AI engine can lead to unintended data loss or expensive and embarrassing commercial errors.
Of course, technology also plays a significant part because with the amount of data and complexity of the threat, people and process alone are not enough. Technology is necessary to protect data from being inadvertently shared with public AI models and to help control the data that flows into them for training purposes. For example, if you are using Microsoft Copilot, how do you control what data it uses to train itself?
The Target Remains the Same
These new challenges add to the risk, but we must not forget that data remains the main target for cybercriminals. It’s the reason we see phishing attempts, ransomware, and extortion. Cybercriminals realize that data has value, and it’s important we do too.
So, whether you are looking at new threats to data security posed by AI, or taking a moment to reevaluate your data security position, DLP tools remain incredibly valuable.
Next Steps
If you are considering DLP, then check out GigaOm’s latest research. Having the right tools in place enables an organization to strike the delicate balance between data utility and data security, ensuring that data serves as a catalyst for growth rather than a source of vulnerability.
To learn more, take a look at GigaOm’s DLP Key Criteria and Radar reports. These reports provide a comprehensive overview of the market, outline the criteria you’ll want to consider in a purchase decision, and evaluate how a number of vendors perform against those decision criteria.
If you’re not yet a GigaOm subscriber, sign up here.