
ADL Big Data Big Security 2024 0

The document discusses how organizations must take measures to mitigate cybersecurity risks as data and cyberattacks increase. It explains that while data is valuable, it also presents security challenges if not properly managed and protected. The document also outlines regulations around data protection and management.


VIEWPOINT

2024

BIG DATA? BIG SECURITY!

How to protect your data from the increasing risk of cyber threats

AUTHORS

Mario Nico
Michael Kolk
Dario Garante
Riccardo Calogiuri
Lorenzo Cimarelli

The revolution introduced by the digitization process has made it possible to generate and collect increasingly expanding volumes of data. As a result, public and private organizations must define new strategies, design and implement protection systems, adapt their operational models, and learn to manage information by mitigating the risks linked to cyber threats — while remaining in compliance with the provisions of the main regulations in force. In this Viewpoint, we describe the measures organizations must take to mitigate risks.
VIEWPOINT ARTHUR D. LITTLE

MORE DATA, MORE ATTACKS!

CYBERATTACKS HAVE INTENSIFIED SINCE END OF THE FIRST QUARTER OF 2023

Data is a fundamental business asset. Its loss or compromise can significantly harm companies and organizations in terms of financial performance, brand reputation, or loss of customers. Whether an organization leverages data to run its business, or data is a byproduct of conducting day-to-day operations, or the institution sells data assets as a one-off product, all data must be managed, protected, tracked, and updated. The economic value of data is further amplified as enterprises go through digital transformation, leading to increased data production.

Organizations have not yet grasped all aspects concerning data, including these important considerations:

- Who can access the data, and what data can they see?
- How can data be protected from illicit access attempts?
- How competent are users, and how do you ensure they continue to be informed about risks associated with processing of information?

In the Viewpoint “The Cyber Battlefield,” Arthur D. Little (ADL) shared several strategies for companies to establish cybersecurity capabilities. While most data security breaches (74%, according to Verizon) are generated by internal user error, employing IT systems such as privileged access management allows organizations to govern user access to information, limiting the risk of unauthorized access. At the same time, it is possible to adopt solutions (e.g., security information and event management) to control who accesses what and monitor how data is changed. Such IT systems enable organizations to detect abnormal behaviors that can be traced back to malicious access attempts, allowing timely intervention. Investments like these enable organizations to respond proactively to the risks generated by cyberattacks.

Nevertheless, as data increases exponentially, there has been a continuous growth of cyberattacks (although a direct correlation has not been proven). Infosecurity Magazine reports that cyberattacks against government agencies and public sector services increased by an astounding 40% in the second quarter of 2023 over the first quarter. BlackBerry Cybersecurity claims it stopped 1.5 million attacks over the 90 days from March to May 2023, of which 55,000 targeted the public sector. Analysis of data shows that cyberattacks have intensified since end of the first quarter of 2023. According to BlackBerry, the highest distribution of cyberattacks during that period included:

- Financial institutions
- Healthcare services and equipment
- Government/public entities
- Critical infrastructure

Further analysis of the types of attack reveals the reasons behind a cyberattack fall into two categories:

1. Economic. Perpetrated by criminal organizations, these attacks take advantage of a variety of available tools (e.g., ransomware, distributed denial-of-service [DDoS], malware, phishing) to return a profit. As an example, consider the case of the UK’s Royal Mail, which, following a ransomware attack in January 2023, refused to pay the £67 million (about US $85 million) the perpetrators demanded.


2. Political. These attacks are, at their base, related to political issues (sometimes local but more often international). They can often be traced to acts of activism but may also be used to foment cyber wars and can be compared to acts of terrorism. For example, in November 2023, Russian hackers breached 22 Danish power companies in the context of tensions between the Russian Federation and the NATO blockade.

Considering the high costs of data breaches in terms of money (IBM estimates the average cost of a data breach in 2023 to be US $4.45 million), time, and reputation, the importance of preventing attacks is abundantly clear. For this reason, organizations must:

- Understand the regulatory landscape — to unlock the value of data; protect data from unauthorized access, disclosure, alteration, or destruction; and maintain the privacy of individuals and organizations
- Commit to increasing investments in defensive technological solutions — with the goal of better understanding competition, customers, and technological trends; supporting business growth; and ensuring secure management of information
- Adopt standards and frameworks and define business practices — to guarantee a qualitative and quantitative level of information security, continuously adapting to the growing number of attacks and balancing data sharing with protection (see the ADL Viewpoint “Harnessing External Data Sharing to Unlock Transformative Collaboration”).

REGULATORY LANDSCAPE TRANSFORMATION

According to DemandSage, an average of 328.77 million terabytes of data is created every day. But the ability to ensure the proper management and protection of data remains elusive. While from a security and privacy perspective the EU General Data Protection Regulation (GDPR) has raised a shield to defend information, the regulation of big data use still awaits final approval of the EU Data Act, which is joined by the AI Act (legislation focused on regulating data analysis processes based on artificial intelligence [AI] technology). Both legislative acts face a path of about 12 months (end of 2024) awaiting definitive approval by the EU. Thereafter will begin the process in which the acts are transposed into national law by EU countries.

Although GDPR’s reach extends only to personal data, the Data Act encompasses both personal and nonpersonal data, making its range of application notably wider. The Data Act aims to eliminate data-access hurdles for both public and private organizations, making it simpler to transfer data among service providers and encouraging a broader range of participants, including small and medium-sized enterprises, to engage in the data economy. These new regulations will empower consumers and businesses to have a voice in determining the usage of data produced by their connected devices.


Additionally, with increasing integration of AI systems into everyday life, issues surrounding data protection and ethical considerations have come to the forefront. Cybercriminals could use AI to easily develop malware that can discover previously unknown vulnerabilities or evade detection and create sophisticated phishing attacks. GDPR supports the creation of AI and big data applications that effectively strike a balance between data protection and other societal and economic interests yet offers limited guidance on accomplishing this objective. Consequently, the AI Act aims to regulate AI through a risk-based approach, which differentiates compliance obligations based on the potential risk that intelligent software and applications may pose to fundamental rights. The higher the risk, the more substantial the compliance requirements and responsibilities for the creators of smart applications.

The completion of the regulatory path for both the Data and AI Acts by EU countries will require public and private organizations to adapt within certain time frames and change processes, committing new budgets and adapting business models to ensure compliance.

COMMITMENT TO INVESTMENTS

The growth in data availability is leading companies, both public and private, to make ever greater investments in the acquisition of tools and technologies for their management. The aim is to know about the competition, customers, and innovative technological trends and tools; to support business growth through the planning and implementation of effective strategies; and to ensure the secure management of information.

But while investments have focused on the acquisition of know-how for the analysis, processing, and visualization of information and technological tools like business intelligence, data analytics, and AI systems, a report published by the European Union Agency for Cybersecurity (ENISA) highlights numbers linked to the main growth drivers of information security spending in 2023. The report identifies the main drivers of the increase as hybrid working, transition from virtual private networks (VPNs) to zero-trust network access, and the move to cloud-based deployment models. The study estimates an overall growth in spending in 2023 of $143 billion, and the estimate for 2024 stands at $163 billion, with a growth of up to 14% (see Figure 1).

Figure 1. Information security spending per region, 2023–2026 (in US $ billions; stacked bars for North America, EU, and Asia–Pacific; totals of 143, 163, 183, and 199 for 2023 through 2026, with year-over-year growth of +14%, +12%, and +10%)

Source: Arthur D. Little, ENISA


GROWTH IN DATA AVAILABILITY IS LEADING COMPANIES TO MAKE EVER GREATER INVESTMENTS IN THE ACQUISITION OF TOOLS AND TECHNOLOGIES FOR THEIR MANAGEMENT

The report predicts sustainable growth through 2026, with double-digit percentages every year. By geographical area, North America represents, on average, two-thirds of annual global spending. The gap between North America and other areas highlights a greater focus on security issues in this region and emphasizes the need for other areas to increase investments to bridge the technological and cultural gap.

According to the ENISA report, the largest increases in spending in 2024 concern cloud security (+24% year-over-year [YoY]), in accordance with the substantial and general migration process from proprietary on-premises architectures to cloud solutions, and data privacy (+24% YoY), as the organizational focus remains the processing of data for privacy purposes (see Figure 2).

The factors behind these numbers are linked to the growing risk of cyber threats as well as the changes affecting organizations and their operating models in the process of adapting to the new business paradigm, which acknowledges data as a fundamental asset for companies, both public and private. This value makes the level of security implemented and perceived increasingly critical: first, to guarantee regulatory compliance and secure the value that the company will be able to generate from access to information, and second, as an element that is of concern to stakeholders and shareholders.

Figure 2. Growth in worldwide end-user spending in security and risk, 2023–2024 (bar chart by segment: data privacy, cloud security, other information security software, data security, identity access management, infrastructure protection, network security equipment, application security, integrated risk management, security services, and consumer security software; growth ranges from 24% for data privacy, cloud security, and other information security software down to 5% for consumer security software)

Source: Arthur D. Little, ENISA


APPLYING PROPER FRAMEWORKS & BUSINESS PRACTICES

A structured framework is crucial for effective information security management. In considering information security and personally identifiable information (PII) protection, organizations can refer to widely recognized standards such as ISO/IEC 27001:2022 or the NIST Cybersecurity Framework (CSF). These standards offer structured frameworks and best practices for evaluating and mitigating information security risks. The adoption of an organizational framework can enhance time to market by standardizing processes, automating security and privacy compliance, and establishing consistent measures.

Table 1 highlights the main characteristics of the two frameworks, but it is important to specify that these frameworks often cover the same areas, such as identifying risks, implementing controls to reduce risks, and monitoring performance. An organization can integrate the frameworks synergistically to create a holistic approach to cybersecurity.

Adopting a standard framework allows organizations to achieve a series of benefits, including:

- Information security awareness — enabling the implementation of robust measures for safeguarding sensitive information
- Risk mitigation — gaining a deeper understanding of risk management and providing the ability to identify vulnerabilities, assess risks, and implement strategies to mitigate them
- Regulatory compliance — complying with relevant laws and evolving regulations, providing a proactive approach to maintaining information security
- Enhanced reputation — increasing an organization’s reputation and providing greater confidence of an organization’s customers and partners, fostering better relationships and creating additional business opportunities
- Cost savings — following the initial investment, prompting medium/long-term benefits due to increasing information security “culture,” decreased likelihood of breaches, and subsequent reduction in legal fees and reputational damage

Table 1. Approaches of different frameworks

| | ISO/IEC 27001:2022 | NIST CYBERSECURITY FRAMEWORK 2.0 |
|---|---|---|
| Focus | Improving an organization’s information security management system | Managing & reducing cybersecurity risks to networks/data |
| Brief description | Provides systematic approach to managing sensitive company information, including data management, access controls & risk management | Provides a framework that any organization can use to elevate the maturity of its cybersecurity risk programs |
| Number of requirements | 93 controls divided between 4 themes: 1. People (8 controls); 2. Organizational (37 controls); 3. Technological (34 controls); 4. Physical (14 controls) | 6 functions to customize cybersecurity controls: 1. Identify; 2. Protect; 3. Detect; 4. Respond; 5. Recover; 6. Govern |
| Expected cost | Involves series of audits & certifications that involve greater expense | Voluntary, allows organizations to implement the standard using preferred pace & resources |

Source: Arthur D. Little, OneTrust


In general, the ISO/IEC 27001:2022 standard is useful for operationally mature organizations that aim to put in place or improve their entire information security management cycle and are seeking certification to demonstrate the company’s dedication to security and compliance. Conversely, the NIST CSF is more suited to evaluating maturity in the first stages of developing a cybersecurity risk management plan or in attempts to mitigate prior failures or data breaches.

By aligning with these well-established standards, organizations can methodically identify and address potential threats, safeguarding both information security and privacy, while demonstrating their commitment to compliance and data protection. It is important to remember that there is no one-size-fits-all approach, so every organization must choose the model that best suits its needs.

Case study: Protecting water resources in Italy

A project in Italy sought to enhance the information assets of the surveillance system for territory governance and the protection of water resources. Its primary objective was to defend water sources from anthropogenic and natural threats through an integrated monitoring network to assess the status of water resources and soil.

ADL designed a system to monitor the quality, availability, and safety of water by allowing authorities — on the basis of their responsibilities and competences — to take the measures necessary for mitigating criticalities and risks, promoting appropriate prevention actions. The project’s complexity centered around the management of a critical amount of vital data. In addition, the information management system needed to ensure that the data could support various authorities’ investigations, particularly in the detection of environmental crimes and in allowing for those investigations to be carried out to ensure their nonrepudiation.

The system, structured to support the customer’s functions of planning, management, and monitoring of existing resources, as well as communication to and from the outside, was built utilizing data and information from:

- Internet of Things (IoT) sensors
- Remote sensing through optical and radar images acquired by the Sentinel-1 (radar) and Sentinel-2 (optical) constellations of the European Space Agency (ESA) Copernicus program
- Video surveillance
- Web application for viewing geospatial data and monitoring dashboards

The system included a segregated network, protected by a multifactor authentication firewall, externally accessible only via VPNs and with firewalls installed on individual servers. The architecture was designed to manage information in compliance with ISO/IEC 27001:2022 standards to ensure maximum security of strategic information, while internal processes were formulated to define the correct collection and maintenance of information in compliance with GDPR. To this purpose, ADL supported the implementation of privacy fulfillment using privacy by design, risk analysis, and data protection impact assessment.


CONCLUSION

SECURITY CONTINUOUS IMPROVEMENT

ORGANIZATIONS MUST MANAGE THE EVOLUTION OF REGULATIONS AND TECHNOLOGY TRANSFORMATION

Increases in data and digitalization processes have led to an escalation of cyberattacks against companies and institutions as well as to a continuously evolving regulatory environment and a need for companies to constantly adapt to the changing dynamics of the data economy. Thus, organizations must invest in technologies for prevention and protection, while at the same time provide communications and trainings to ensure their people are aware of the culture of security as good business practice. Overall, organizations must manage the evolution of regulations and technology transformation, paying particular attention to:

1. Assessing information security maturity and the level of risk exposure
2. Identifying and adopting frameworks to adapt to international standards and regulatory compliance requirements
3. Defining an adequate budget and embracing technology improvements to proactively respond to the risks of cyberattacks



Arthur D. Little has been at the forefront of innovation since 1886. We are an acknowledged thought leader in linking strategy, innovation and transformation in technology-intensive and converging industries. We navigate our clients through changing business ecosystems to uncover new growth opportunities. We enable our clients to build innovation capabilities and transform their organizations.

Our consultants have strong practical industry experience combined with excellent knowledge of key trends and dynamics. ADL is present in the most important business centers around the world. We are proud to serve most of the Fortune 1000 companies, in addition to other leading firms and public sector organizations.

For further information, please visit www.adlittle.com.

Copyright © Arthur D. Little – 2024. All rights reserved.
