Organizations must contend with an ever-increasing amount of data that must be protected. This sensitive data is also becoming harder to classify and detect, with most data considered non-pattern-conforming. At the same time, companies face many opportunities for data loss, whether accidental or intentional, as bad actors increasingly seek access to sensitive information and avenues for accidental exposure continue to multiply.
3 Questions to Ask for a Holistic Data Security Approach
- Where is my sensitive data?
- How is the data being used?
- How do I protect the data?
Consequently, organizations must examine the top data risks today, consider why existing efforts to reduce or prevent these challenges are falling short and gain insight into how they can implement a stronger approach to data security and loss prevention. That means a robust, holistic and multilayered approach that includes Zero Trust and offers operational simplicity.
Top Data Security Risks Today
Modern enterprises face three pressing, persistent data security risks that carry severe consequences if left unaddressed.
The first is unintentional data exposure by the risky behavior of negligent, well-meaning insiders. This could be an employee who inadvertently overshares file links containing sensitive information with external viewers, stores company PII or IP in risky, unapproved SaaS apps, uses a generative AI tool to process source code or confidential drafts, or sends excessive sensitive data to a vendor. All of those actions are significant risks for data breaches.
Today, exposure channels are more numerous than ever, ranging from sanctioned and unsanctioned SaaS apps and AI tools to email and devices. Verizon’s 2025 Data Breach Investigations Report found that 68 percent of breaches involved a non-malicious human element.
The second risk is data breaches by malicious or compromised insiders or by external threat actors (hacktivists, criminals, state-sponsored). Examples of malicious insiders include a disgruntled employee copying customer contacts from SFDC or taking screenshots of a critical spreadsheet, sending data to a personal storage SaaS app or a USB storage device. There could also be an intentional exfiltration of sensitive files via a targeted attack. If a file type is protected, they might attempt alternative methods, such as using compressed formats or images and different egress points.
Organizations face a range of ever-evolving industry regulations on data privacy and security, such as the Gramm-Leach-Bliley Act (GLBA) for entities handling financial and payment card data; the Health Insurance Portability and Accountability Act (HIPAA) for those managing healthcare data; and the Sarbanes-Oxley Act (SOX) for U.S. publicly traded companies. In addition, there are a wealth of data privacy laws containing data security requirements that companies must adhere to, depending on where they do business, including but not limited to, the GDPR in the European Union, the California Consumer Privacy Act (CCPA), and the Brazilian General Data Protection Law (LGDP).
A third concern is around compliance. As new rules, regulations and proposals come into effect on how and where companies manage and store data and protect privacy (including EO 14117 and state-level rules like the Maryland Online Data Privacy Act, which goes into effect Oct. 1, 2025), they run the risk of facing additional regulatory scrutiny on how they store and secure sensitive data. Compliance is critical to avoid fines and legal, as well as reputation, risks.
Successful data breaches can have devastating consequences for a business. Some of the primary consequences of the above problems are lawsuits, competitive loss, reputational damage and financial harm, regulatory fines and executive turnover. Gartner forecasts that 75 percent of the global population will be covered by privacy laws by the end of this year.
Standard Data Security Paradigms Are Failing
Current approaches to reduce or prevent these data security challenges are fundamentally broken. Traditional data loss prevention (DLP) solutions are built primarily for on-premises corporate settings, lacking the scalability needed for today’s hybrid work and cloud-based collaboration. With limited direct visibility into cloud and AI environments, they fall short in protecting much of today’s corporate data, which is now stored and shared in the cloud.
Due to outdated data detection methods, these solutions produce an excess of false positives, creating incident triage fatigue. Their static policies lack the contextual adaptability needed for today’s dynamic data, forcing organizations to rely on extensive manual policy tuning and large incident response teams. Additionally, traditional DLP systems are notoriously difficult to implement. Managing these architectures demands considerable resources, including manual updates, version rollbacks and troubleshooting.
Then there’s the multi-vendor approach with integrated data protection capabilities. Relying on multiple solutions for data protection creates significant blind spots and inefficiencies. They often result in inconsistent data classification and fragmented policies across applications, web traffic and devices. This siloed setup leaves critical gaps in protection.
Many of today’s new cloud-native and SASE-only DLPs have gaps in data discovery and classification, and these newer solutions often lack broader visibility outside their niche DLP use cases. Both legacy and multi-vendor approaches can sometimes produce too many false positives due to static, contextless and outdated data detection methods.
3 Questions to Improve Data Security and Loss Prevention
When it comes to securing sensitive data, customers need solutions that answer three critical questions:
- Where is my sensitive data? The solution must offer comprehensive visibility, automatically detecting and discovering sensitive data across clouds, AI systems, networks, emails, browsing activities, devices and users with high reliability. Ideally, it should use AI and large language models to better classify this data.
- How is it being used? The solution must monitor data usage, providing insights into how sensitive data is being accessed and whether it’s being misused, focusing on real risks, not false positives.
- How do I protect it? The solution must enforce protective measures, preventing data leakage by applying risk-based policies while educating and guiding employees to ensure compliance and safe data handling behavior.
A comprehensive solution must include a robust, holistic and multilayered approach that includes Zero Trust. Data security best practices and Zero Trust principles should be extended across all user actions and all traffic — both encrypted and unencrypted — and in the browser, where 85 percent of work happens, including recent innovations around mobile devices and frictionless password management.
Modern organizations now manage an unprecedented volume of data, all of which demands robust security. Securing this vast and varied information is inherently challenging, a difficulty compounded by several factors: much of this data lacks predictable structures or formats; external threat actors relentlessly innovate new attack methods; and internal risks from negligent or malicious insiders further endanger sensitive information. Faced with these multifaceted threats, traditional security solutions often prove inadequate and complex. Consequently, companies require a new data security paradigm.
Therefore, when evaluating new data security solutions, it's crucial to conduct thorough due diligence, ensuring they incorporate foundational modern principles like Zero Trust.
