As we enter 2025, longstanding aspects of cybersecurity such as multifactor authentication (MFA) continue to gain greater importance at the same time that traditional approaches to data governance need an overhaul on three separate fronts. A closer look at these areas helps shine a light on the impact they’re poised to have and the necessary steps public sector organisations must take in the coming year to stay ahead of the “direction of travel.”
A move to mandatory MFA?
While MFA has been a bit of a slow-burning trend over the years, it is expected to gain momentum in 2025, partly due to Microsoft making MFA a default requirement for Azure account sign-in. This move aims to enhance security across Microsoft’s services by significantly reducing the risk of unauthorised access and account compromise.

As Microsoft enforces MFA, Google has also taken similar steps to enforce MFA for Google Cloud users. Other companies are sure to follow – and pressure will also likely come from cyber insurance providers and various regulatory bodies to get on board with MFA.
As these MFA dominoes start tipping, the best bet for public sector organisations is to enable strong MFA by default across all platforms. One of the cornerstones of a zero-trust approach – a framework for enhancing overall cybersecurity – is to make it easy to incorporate zero-trust principles into your critical infrastructure, and implementing strong methods of MFA that are “on by default” is one of the easiest ways to accomplish this goal.
Regulatory requirements reshape the landscape
In the year ahead, public sector organisations also need to pay attention to data governance, which is becoming more complex for several reasons – one of which is changing regulatory requirements.
The public sector is certainly no stranger to the emergence of stringent pieces of legislation from various corners of government. Several years ago, the European Union introduced GDPR, which the UK adapted and retained as the UK GDPR. And in the United States, California led the way with the California Consumer Protection Act (CCPA).
Meanwhile, the National Institute of Standards and Technology (NIST) has emphasised data governance as a foundational principle in its recently released Cybersecurity Framework 2.0 (CSF 2.0), further highlighting the importance of proper data governance.
Public awareness of data rights is increasing in this environment, which means an increasing volume of Data Subject Access Requests (DSARs). These DSARs will place additional pressure on public sector organisations to ensure that they’re capable of managing and retrieving personal data in an efficient manner.
In the UK, streamlined data management in line with the National Data Strategy (NDS) will be key here, not just for ensuring regulatory compliance but for promoting good data quality. Public sector organisations need a comprehensive understanding of the data they possess, the location of that data, and the data retention and governance measures in place. A centralised repository for data, like a document management system (DMS), is a critical first step in tackling this challenge, because you can’t effectively manage or retrieve personal data if you don’t even know where it is.
A cautious approach to embracing generative AI
The rapid uptake of generative AI presents another data governance challenge for public sector organisations due to the large amounts of data used to train the underlying large language models (LLMs).
The risk here lies in the location of the data and in the location where the actual AI processing of that data takes place. For instance, UK or EU-based governmental organisations using US-based AI tools could create data sovereignty issues. Additionally, generative AI’s inadvertent ingestion of sensitive or privileged information raises confidentiality concerns.
Again, usage of a centralised repository like a DMS can better control what is used for AI training and help protect against these risks. This approach provides an easy way to enforce security policies around any confidential documents while effectively curating the knowledge assets that will be fed to the AI to train it. Furthermore, a platform approach that integrates AI and document management ensures that the data processed by AI remains within the specific data center utilised by the DMS, thereby reducing data sovereignty risks.
The ongoing fight against phishing
Phishing continues to threaten organisations of every type, and that includes the public sector. Unfortunately, generative AI has enhanced the ability to launch sophisticated phishing attacks at scale, presenting yet another data governance challenge for public sector organisations to wrestle with in 2025.
Education is one of the keys to countering this threat. Ongoing end-user awareness of common threats, such as phishing emails with suspicious links, is a helpful measure that can serve as “an ounce of prevention.” Phishing simulations can reinforce the lessons learned in training sessions and foster good cybersecurity hygiene.
Additionally, ensuring that critical systems within the organisation utilise a zero-trust framework helps mitigate risk by controlling data access. Beyond specific technologies, zero trust is an overarching strategy within the organisation around data management and access controls – and paying proper attention to it can help blunt the impact of phishing attacks and breaches.
Plan accordingly for the upcoming year
As public sector organisations navigate the cybersecurity landscape of 2025, adopting MFA, staying ahead of evolving regulations, managing generative AI risks, and combatting the ongoing threat posed by phishing will be crucial focus areas. By taking the appropriate measures, these organisations can enhance security and ensure robust data governance, creating a resilient framework that will strengthen risk management and minimise potential vulnerabilities for the upcoming year.