Hot Takes in Data Security: Data Manipulation, Blind Trust and Compliance
2023-10-23 21:0:35 Author: securityboulevard.com

Hot takes get a bad rap. Yes, sometimes they’re used to generate clicks or draw unwarranted attention—but most of the time a “hot take” is just an opinion that challenges conventional wisdom. The truth is, sometimes conventional wisdom needs to be challenged, and that’s especially true in a field like data security, where threats continuously evolve.

Do your business leaders understand that data manipulation is just as dangerous as data theft? Or that they’re probably relying on blind trust to keep their data safe? Those statements might seem controversial—but they’re true. In the security industry, what seems outlandish at first often turns out to be critical knowledge—so let’s analyze some of today’s most important data security “hot takes.”

Hot Take One: Manipulation is Just as Damning as Extortion

Today’s cybercriminals are doing much more than stealing data and extorting money. While many security solutions focus on preventing the theft and exfiltration of data, protecting against the manipulation of data is just as important. While ransomware and other malware-based attacks usually leave a trail behind, manipulated data often goes undetected. This is a particularly challenging issue in high-trust and high-value environments where altered or inaccurate data can have a serious impact on the organization’s health—financial and otherwise.

Data manipulation is often done by internal actors and can include a wide range of fraudulent activity. Instances of financial impropriety are not uncommon and might include an employee approving illegitimate invoices or changing salary or bonus information. But data manipulation isn’t limited to financial data: Imperva recently detected corrupt correctional administrators manipulating their prison system’s data and reducing inmates’ prison sentences in exchange for bribes. Without effective detection tools in place, that activity might never have been noticed—and the impact on both the justice system and the lives of the individuals involved would have been significant.

Hot Take Two: Most Organizations Protect Data With Blind Trust

It’s a concerning thought, but the vast majority of organizations only observe and secure about 5%-10% of their data space. The reason why is no mystery: Today’s companies gather a tremendous amount of data, and monitoring all of it on a continuous basis is both time- and resource-intensive. As a result, most businesses prioritize what they consider “critical” data, such as credit card information and other easily identifiable data. Unfortunately, that means that the lion’s share of data within an organization’s digital environment is largely unmonitored—and unprotected.

This is an often-overlooked problem. Even if companies are good at protecting financial data in their own environments, what about the applications that access those payment systems indirectly? And what about other personally identifiable information (PII) like home addresses, phone numbers or even social security numbers? Unfortunately, attackers are often able to make off with valuable data simply because that data wasn’t considered critical. Organizations need to protect more than just the data they are told is important or regulated. They must expand their security scope to include any data that could be monetized or that could impact the business or its employees, customers and partners.

Hot Take Three: Compliance is Easy, but Security is Hard

Too many organizations fail to realize that there is a very real distinction between security and compliance. It’s important for security teams to be able to convey the difference to business stakeholders: Namely, that compliance frameworks outline the minimum acceptable standard to which organizations should hold themselves. Compliance means checking specific boxes and ensuring that your security team meets those minimum requirements—but it doesn’t necessarily mean you are secure against common data threats, much less today’s most pressing threats. The threat landscape is constantly changing, and compliance standards need time to catch up.

Today’s organizations shouldn’t consider their security controls “good enough” just because they check the compliance boxes. Being secure means anticipating the unknown and making sure your systems are secure enough to defend against not just current threats but emerging ones as well. Unfortunately, the world simply doesn’t have enough data security experts at the moment, and the ongoing cybersecurity skills gap has made it difficult for organizations to acquire the skills and experience they need to go beyond compliance and into true security.

Your Data is More Vulnerable Than You Think

Business leaders are often surprised to learn that their data is vulnerable, even if they’ve checked all of their compliance boxes. Likewise, they may not understand the danger that unmonitored data poses to both their organization and their partners and customers. However, the ability to illustrate the difference between a data security “hot take” and an unfortunate truth can help security teams generate the buy-in they need to keep their systems—and their data—secure.


Source: https://securityboulevard.com/2023/10/hot-takes-in-data-security-data-manipulation-blind-trust-and-compliance/