The True Cost of Privacy (Information and Data Security Deep-Insight Q4-2023) for Cyber C-Suite, Tech Leaders & Execs
Addressing cyber risk remains a challenge for organizations - (Cybersecurity outlook report WEF 2023).
The new service-driven economy has pushed businesses toward an internet-dependent, cloud-dominant model built on the distribution of data as information: data exchange, information processing as a service, and digital data storage. This shift has produced a remote and hybrid workforce and, with it, attracted disruptive actors, financially motivated threat actors, and advanced persistent threat (APT) groups backed by state actors across the geopolitical landscape. As a result, the manipulation and exploitation of soft systems using superior technologies such as artificial intelligence, quantum technology, blockchain, and open-source intelligence (OSINT) techniques persists.
Loss of privacy, the rise of digital surveillance, and authoritarianism were identified as the 3rd of the emerging future threats (ENISA Foresight Cybersecurity Threats for 2030).
At an average of $804,997 per incident, credential theft is the costliest to remediate (Cost of Insider Threats Global Report. 2022).
"It is becoming increasingly difficult for organizations to know who has access to what data and across which cloud platforms." - (Microsoft Security 2023, State of Cloud Permissions Risk Report).
The estimated cost of cybercrime, 2018-2027 (Statista | IMF | FBI).
The bottom line is that "threat actors often exploit these new technologies" to manipulate vulnerable system resources.
The goal is to reduce risk/impact to an acceptable level.
The paradigm shift from legacy systems to newer IoT, OT, and ICS information systems demands a rethink of enterprise and industrial information security architecture and implementation. The aim is an efficient, interoperable, and secured operational capability that prevents hostile disruptive agents while prioritizing information assurance. This means centering on data risk security controls such as ISC2's Confidentiality, Integrity, Availability, Nonrepudiation, Authentication, Privacy and Security (CIANIA+PS) control mechanism, implemented through encryption (TLS), access control (identification, authentication), data loss prevention (DLP), data backup (e.g. failover clustering, hot sites), an Incident Response Plan (IRP), data recovery systems, cyber insurance, and other data security control techniques.
CYBER RISK = PROBABILITY (cyber threat + vulnerability) X IMPACT (value/criticality)
Information security management systems (ISMS) must be built on the cybersecurity fundamentals of Confidentiality, Integrity, and Availability while prioritizing information security risk (NIST SP 800-30), network protection (DMZ, EDR, NIDS, honeypots), system security, identity security management, third-party risk management (TPRM), and access control management.
Organizations must strategically adopt the AAA (Authentication, Authorization, and Auditing) approach to fixing data insecurities.
Information is Data!
Almost every piece of information in your company has a digital copy!
Digitalization of information: All Roads Lead to Data
Datafication has shaped the perception of data as a commodity of value essential to business operations, giving rise to vertical commercial agents of data such as data brokers, Chief Data Officers, digital data officers, data engineers and analysts, data miners/collectors, data investors, data controllers, data producers/consumers, and other big data stakeholders.
Data is on track to reach 181 zettabytes (ZB) by 2025 - Asterisks, Arne Host (The Age of Prediction by Igor & Mason).
Reliance on data and information for an effective workflow is core to business continuity, since data is a critical function of service operations in the new digital economy (Industry 4.0); hence it is impossible to achieve privacy without data security.
Among the most prevalent SaaS security incidents reported was data leakage, at 58% - (The Annual SaaS Security Survey Report: 2024 Plans and Priorities by Cloud Security Alliance and Adaptive Shield).
Image source: The Annual SaaS Security Survey Report: 2024 Plans and Priorities by Cloud Security Alliance and Adaptive Shield.
Critical question: Who wants my data, and why?
BIG DATA = MARKET VALUE + INTELLIGENCE EXTRACTS
Gaining consumer trust by maintaining proper policy in accordance with data regulations and privacy laws is critical to enterprise ROI and integrity.
FBI FLASH (23 Aug 2023): PRC cyber actors were detected exploiting a Barracuda Email Security Gateway (ESG) zero-day vulnerability globally to insert malicious payloads onto ESG appliances; the payloads' capabilities include persistent access, email scanning, credential harvesting, and data exfiltration.
British Airways canceled 1,500 flights due to a cyber-attack disruption of national air traffic services: files were unintentionally deleted from the Notice to Air Missions (NOTAM) IT system, which is used to send information to pilots ahead of flights. (Fri 26 May 2023)
These days, access to most web applications or web services requires users to input personal information such as their phone number, date/place of birth, address, email, credit card information, race, religion, weight, biometrics, social security number (SSN), passport number, driver's license number, health information, National Identification Number (NIN), etc., which sometimes raises privacy concerns.
Privacy of information concerns both the individuals whose personal information is at stake and organizations! (NIST SP 800-122)
NIST Privacy Framework V1.0: Relationship Between Privacy Risk and Organizational Risk
For organizations, identifying data classes such as Top Secret, Secret, Confidential, and Unclassified helps map data risk likelihood against threat severity and associated vulnerabilities, using NIST SP 800-60 (Mapping Types of Information and Information Systems to Security Categories) or OSINT sources such as CVE/NVD, the OWASP Top 10, the MITRE ATT&CK framework, Shodan, Maltego, etc. This enables an adequate quantitative or qualitative security assessment. The security posture is then hardened with Data Security Posture Management (DSPM) technology and privacy breach management across the whole data ecosystem (application, database, files and folders, virtual storage, physical storage, network layer), while enterprise privacy risk management for the data infrastructure is mapped and established with frameworks such as NIST SP 800-39 (Managing Information Security Risk), ISO/IEC 27002:2022 (Information security, cybersecurity and privacy protection - Information security controls), COBIT by ISACA, NIST RMF (SP 800-37), etc.
Among financially motivated crime, 82% of incidents involved the deployment of ransomware or malicious scripts for T1486 - Data Encrypted for Impact (T1486 is a signature ATT&CK technique for ransomware attacks). (Global Threat Landscape Report by FortiGuard Labs, Feb 2023)
Today, over 80% of all ransomware attacks involve "double extortion": data and credential exfiltration. (Ransomware Hostage Rescue Manual 2023 by KnowBe4)
Security of information covers data at rest, data in use (data in RAM), and data in transit (network layer), which may include Personally Identifiable Information (PII), Protected Health Information (PHI), intellectual property (IP), customer confidential information (CCI), non-public information (NPI), personal data, credentials, Social Insurance Numbers, and other sensitive data.
Navigating Privacy Compliance and Standards
Organizations are responsible for protecting the confidentiality and privacy of clients' data. Many laws mandate the protection of both PII (personally identifiable information) and PHI (personal health information).
External compliance requires organizations to follow cyber safety laws, regulations, and standards (ISACA Germany Chapter, ISO 27001:2022).
There are crucial legal implications associated with privacy laws:
PepsiCo Inc. faces a class-action lawsuit over employee voiceprints, with the claim that its collection of voice data broke Illinois' biometric privacy law (BIPA). (Bloomberg Law, Jul 2023)
Meta (Facebook) was fined €1.2bn for breaching GDPR, which could have a big impact on EU-US data transfers. (Techmonitor, May 2023)
Equifax's lawsuit settlement includes $425 million to help people affected by the data breach until Jan 22, 2024. (Federal Trade Commission US)
PayPal sued for negligence in a data breach that affected 35,000 users.
Regulations, compliance, and standards not only complement organizations' privacy, data protection, and information security strategies; they also help protect human life and prevent discrimination.
One of the limiting factors to compliance and standards is geolocation disparity across various jurisdictions of interest (state laws, federal laws).
Bloomberg Law Review of Ban Announcement and bill
Publicly traded companies suffered an average decline of 7.5% in their stock values after a data breach. (Harvard Business Review, The Devastating Business Impact of a Cyber Breach, May 04, 2023, Keman Huang, Xiaoqing, et al.)
Information security and data privacy IT Investment is largely impacted by the allocation of Operating Expenditures (OpEx) and Capital Expenditures (CapEx).
Observable Data Privacy Events in History
Privacy is defined as the right that determines the non-intervention of secret surveillance and the protection of an individual's information. (Black's Law Dictionary)
Attackers are constantly probing critical data-centric assets and infrastructure such as applications, data centers, file servers, backup systems, virtual machines, SaaS, etc. for vital information.
Footprinting and Recon
Integrating privacy-enhancing technologies (PETs) into organizational processing can help you implement data protection effectively. (ICO, June 23)
IC3 received a total of 3.26 million complaints (aggregate data for complaints and losses from 2018 to 2022), reporting a loss of $27.6 billion.
Zoom: Over 2,300 usernames and passwords for Zoom user accounts were leaked by cybercriminals from a database containing Zoom credentials. (ITworldcanada 2023)
PwC: In May 2023 PwC suffered the MOVEit cyberattack and its database was breached; 379 organizations and a total of 19 million individuals were affected. (ITwire 2023)
SolarWinds: The SolarWinds hack was named the 'largest and most sophisticated' according to Thomson Reuters media; the breach affected over 18,000 SolarWinds customers.
SickKids: The Hospital for Sick Children in Toronto was hit by a LockBit ransomware attack in Dec 2022. No ransom was paid and 100% of its systems have been restored.
Kroll: FTX bankruptcy claims that the Kroll data breach resulted in the leak of sensitive information affecting millions of people across 56 countries and regions, resulting in the theft of $6.3 million in cryptocurrencies. (Aug 2023)
St. Margaret's Hospital: The Illinois hospital went bankrupt following a ransomware attack, linking its closing to the cyber incident. (NBC News, June 12, 2023)
Johnson Controls breach, Sept. 2023: Cybercriminals exfiltrated 27TB of sensitive data from Johnson Controls and requested a $51 million ransom; Johnson Controls also holds documents depicting "the physical security of many Department of Homeland Security facilities". (Securityweek.com)
Indeed, the rise of geopolitics has given rise to incidents such as the spy balloon, the SolarWinds breach, the Accenture LockBit breach, Log4j, the US Department of Defense exposure of a government Microsoft Azure email server, the PharMerica data breach, and most recently the 2023 breach of NATO's Communities of Interest Cooperation Portal, amongst other major breaches.
Targeted intrusion adversaries will continue to predominantly present data theft threats to multiple sectors and geographies in 2023 (CrowdStrike Intelligence 2023 GLOBAL THREAT REPORT).
Top 5 Data Attack Types
Data Leakage
Ransomware
Data Breach
Data manipulation (e.g. SQL injection)
Credential theft
Data and Information Security Checklist Options:
Take AI safety seriously
Treat data as an Asset
Cyber insurance
Follow GDPR laws
Integrate data sanitization
Privacy by Design/Default
Security and Data Privacy Awareness Training
Stay updated (patch management / data management policy!)
Use automation solutions to your advantage (SIEM, SOAR, EDR, ML)
Access control management
Review network logs for signs of data exfiltration and lateral movement
The average cost of a data breach in 2023 (published by Ani Petrosyan on Statista):
Industrial sector worldwide: $4.73 million USD
Financial sector, ranked second: $5.9 million USD
Healthcare sector: $11 million USD (March 2022 - March 2023)
As of 2023, the average cost of a data breach was $4.08 million USD in France, $8.07 million USD in the Middle East, $5.13 million USD in Canada, and $9.48 million USD in the United States.
The Digitalized Future of Data-reliant Business vs Data Trusted Structure Oversight
Major actors in a civic data trust include the trustor (collects urban data), the trustee (fiduciary), the beneficiaries (smart city residents and visitors), and the smart city itself (embedded with sensors). (In the Public Eye: Privacy, Personal Information by Shaun E. Finn)
The UK has set a 2030 deadline for the government's critical functions to be significantly hardened.
UK's Data Protection Body Seeks Feedback on Biometric Data Rules (CAIDP Update 5.32 - AI Policy News, Aug. 28, 2023)
Japan's Privacy Commission Sounds Alarm on AI's Data Risks (CAIDP Update 5.32 - AI Policy News, Aug. 28, 2023)
May 30, 2023: The Cyberspace Administration of China set specific requirements for the filing of the standard contract for cross-border transfer of personal information.
Saudi Data and AI Authority, Personal Data Protection Law, Royal Decree No. (M/148), amended on 27/03/23 G, Article 2: applies to any Processing of Personal Data related to individuals that takes place in the Kingdom by any means, including the Processing of Personal Data...
In May 2023 Canada's Privacy Commissioner Philippe Dufresne submitted to the House his views on Bill C-27, the Digital Charter Implementation Act privacy law reform, with 15 recommendations. Recommendation #1: Recognize privacy as a fundamental right. Recommendation #2: Protect children's privacy and the best interests of the child.
"Privacy law reform is overdue and must be achieved," said Privacy Commissioner of Canada Philippe Dufresne.
To implement safeguards within the data management category, a policy must first be put in place surrounding the data management process. (The Cost of Cyber Defense 2023 by CIS, Controls v8)
Open Source Intelligence (OSINT), artificial intelligence, data analytics, and quantum computing are dynamically changing the threat landscape for information management systems.
Data Privacy Acts and Information Security Regulatory Bodies Across Sectors
The Personal Information Protection and Electronic Documents Act (PIPEDA)
Health: Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Financials: Gramm-Leach-Bliley Act (GLBA)
Confidential Information Protection and Statistical Efficiency Act (CIPSEA)
Organization for Economic Co-operation and Development (OECD)
The NIS 2 Directive (Network and Information Security)
The European Cyber Resilience Act
The Digital Operational Resilience Act (DORA)
The Critical Entities Resilience Directive (CER)
The Digital Services Act (DSA)
The Digital Markets Act (DMA)
The European Health Data Space (EHDS)
The European Chips Act
The European Data Act
The European Data Governance Act (DGA)
The Artificial Intelligence Act
The European ePrivacy Regulation
The European Digital Identity Regulation
The European Cyber Defence Policy
The Strategic Compass of the European Union
The EU Cyber Solidarity Act
The EU Cyber Diplomacy Toolbox
The Framework for Artificial Intelligence Cybersecurity Practices (FAICP)
Parliament of Canada Bill C-26 - An Act respecting cyber security, amending the Telecommunications Act, with a focus on Part 2 (Enactment of the Critical Cyber Systems Protection Act) and the non-disclosure of orders (section 2(b) of the Charter).
Conclusion
The global average cost of a data breach in 2023 was 4.45M USD, a 15.3% increase from the 2020 cost of 3.86M USD according to IBM (SANS Cyber Defense Newsletter, 6th Oct 2023).
Unarguably, some level of online anonymity and actionable multi-layered security, comprising preventive (IPS), detective (IDS), and corrective security controls together with access controls (ZTNA, IAM, MFA), is required to keep people and businesses safe in the new digital threat era.
Gartner predicts that by 2025, 75% of the world’s population will have its personal data covered by modern privacy regulations.
Regulations such as HIPAA also prevent discrimination, so stronger privacy laws will build a better society. Furthermore, privacy commissioners, human rights adjudicators, courts, ISO, and other regulatory institutions are constantly tasked with developing, redefining, establishing, and implementing privacy laws, standards, data protection legislation, and guidelines across vertical sectors to keep organizations' critical data safe and individuals' personally identifiable information (PII), personal health information, and other sensitive information confidential.
Top Information Security and Data Protection Frameworks
Information Security: ISO/IEC 27001:2023, NIST SP 800-53, ICO, ANSSI
Data Protection/Privacy: ISO/IEC 27701:2019, EU GDPR, ISACA COBIT
IoT Security and Privacy: ISO 27400, CAF 3.1, ANSSI-CIIP, ISO317001
Risk Management: NIST RMF, NCSC Risk Guide V1.0, BSI 200-3, ISF IRAM2
Other regulators and frameworks include: HITECH (ePHI), EPCS, PCI DSS, GDPR, consumer protection, NERC, FISMA, CIS, SINIA, CCPA, GLBA (banking), SOX/J-SOX, FedRAMP, HSEEP, FDA, IEEE, JRSS, OWASP, COBIT, Gartner, NCSC, ACSC, etc.
Beware of privacy for sale in exchange for security schemes - always read the terms and conditions before accepting cookies.
Infrastructure and Industrialization: Securing UN SDG-9 on Digital Innovation Infrastructure Advisory and Recommendation
Maintaining functionality and availability during adverse conditions ensures that the trustworthy, resilient digital infrastructure proposed by the International Telecommunication Union's GSR-23 and the UN's #SDGs on digital innovation infrastructure projects is achieved. Securely storing and sharing information requires a proactive defense-in-depth strategy; meeting information risk and security management standards and compliance will in turn foster the ITU's 2024/2027 strategic plan for universal connectivity and sustainable digital transformation.