As we venture deeper into 2025, it’s an opportune time to remind ourselves that whatever places AI hasn’t already permeated, it will, in all likelihood, reach them sometime this year.
From a cyber threat perspective, because AI-powered attacks bring new risks at a quicker pace, organisations must take steps to swiftly identify and prioritize threats for mitigation based on their potential impact, if they don’t already have such a mechanism in place.
According to Thales’ 2024 Data Threat Report, threats to data security have increased as the digital landscape evolved. Almost all the APAC enterprises (95 percent) surveyed in the study reported an increase in threats in 2024 compared to the previous year. This will likely rise further this year as AI deepens its inroads into mainstream deployments.
Besides the pressure from within the business, organisations are being squeezed from the outside. Data privacy regulations are tightening across the world, and organisations’ failure to comply with them carries substantial financial and reputational penalties.
Key regulations in this region that are continuing to evolve include:
- Singapore’s Personal Data Protection Act (PDPA), which was strengthened in 2020 to enhance data protection measures. Notably, the amendments introduced new legal bases for processing personal data, including for legitimate interests or business improvement purposes, reducing the reliance on consent. New criminal offenses for individuals were also introduced.
- In Australia, a major review of the Privacy Act was conducted in 2020, introducing a new definition of "personal information" to capture a wider range of data, and stricter requirements for businesses to report data breaches, as well as greater rights for individuals to control their data.
- Japan’s Act on the Protection of Personal Information (APPI) in 2022 underwent amendments to strengthen personal data protection measures, aligning more closely with global standards like GDPR.
- China’s Personal Information Protection Law (PIPL), which was introduced in 2021 and is similar to the EU's General Data Protection Regulation (GDPR). The law aims to enhance personal data protection, establish data subject rights, and introduce stringent requirements for data processors.
- In 2023, India enacted the Personal Data Protection Bill (PDPB) to create a comprehensive framework for data protection and privacy. It has features like a clear consent framework and rights for individuals over their data; data localisation requirements for sensitive personal data; and the creation of a Data Protection Authority to enforce compliance.
Only with a consolidated view, can organisations respond effectively
Data storage and usage across the enterprise is immensely complex, caused by the need to track and manage vast volumes of data across multiple environments and solutions. Data volumes will grow even more with the ascent of AI. This means that the security model of some organisations – relying solely on reactive measures to keep data secure – can no longer work and needs to be rethought.
One of the biggest challenges today in managing complex data environments is the absence of a consolidated view of all the risks confronting an organisation’s data. This leads to overlooked incidents and ultimately, damage to the business.
Conversely, a clear, consolidated view of all their data assets will give organisations more complete risk visibility and prioritisation, lowered operational complexity and diminished total cost of ownership.
To make this happen, enterprises must be able to analyse their entire data estate (using technologies such as posture and behavioural analytics) to deliver deep visibility. Security teams must have a comprehensive view of data risk across key dimensions (including organisational, asset and regulatory), and use the appropriate integration of threat detection, encryption, and access control to proactively identify, assess, and manage data security risks across all data environments.
Only with such a risk-focused approach, data simplification, and implementation of the necessary remediation measures, can organisations strengthen their security and better protect the business based on their limited resources.
Thales’s Data Risk Intelligence (DRI) solution harnesses crucial data from Imperva Data Security Fabric (DSF), CipherTrust Platform, and third-party solutions to seamlessly connect a comprehensive range of data risk indicators.
The sophisticated analytics within DSF DRI empower it to present DSF users with a clear understanding of risks related to:
- User permissions;
- Data source vulnerabilities;
- Suspicious activities;
- Unencrypted sensitive data; and
- Overall organisational risk factors
By integrating DRI within their Imperva DSF, organisations gain a consolidated view of key data risk metrics that are transparent, flexible, and customisable. This enables a precise understanding of their risk profile and pinpoints critical areas where resources should be applied to maximise efficiency and effectiveness.
Think for the future too
Adopting effective solutions to protect data while meeting unique requirements and regulatory compliance needs, as above, will serve organisations’ current needs.
In the longer term, however, in tandem with the rise of quantum computing, another aspect organisations need to consider is strategies that ensure agility and resilience against present and future threats, such as “harvest now, decrypt later” attacks where information is stored today to be decrypted when quantum computers become available.
Organisations should prepare for post-quantum cryptography (PQC) now by creating a trusted environment for their business to test PQC-ready encryption, identify potential implications that quantum computing may have on the security of their infrastructure, and develop plans to quickly adjust.
Interim solutions, like using longer symmetric key lengths or out-of-band keys, should be considered. By getting a head start, organisations will minimise disruption to themselves and their customers, reduce costs and risks, and ensure business continuity during the transformation. Crucially, it will also position organisations to be fully compliant with NIST and other industry PQC regulations as soon as they’re announced.
Security leaders must find the time and resources to implement broad, long-term cybersecurity measures such as the above. Only then can organisations confidently protect critical data, meet regulatory compliances and ultimately deliver business impact.
Daniel Toh is the Chief Solutions Architect for Asia Pacific & Japan at Thales
