Toronto Chapter

The True Cost of Privacy (Information and Data Security Deep-Insight Q4-2023) for Cyber C-Suite, Tech Leaders & Execs. #CybersecurityAwarenessMonth.

    Posted Oct 23, 2023 12:55:00 PM

    Addressing cyber risk remains a challenge for organizations (WEF Global Cybersecurity Outlook 2023).

    The new service-driven economy has pushed business toward an internet-dependent, cloud-dominant model in which data is distributed, exchanged, processed and stored as a service. That model has enabled a remote and hybrid workforce, and it has attracted disruptive hacktivists, financially motivated threat actors, and state-sponsored advanced persistent threat (APT) groups across the geopolitical landscape. The manipulation and exploitation of soft targets using newer technologies such as artificial intelligence, quantum computing, blockchain and open-source intelligence (OSINT) techniques therefore persists.

    Loss of privacy and the rise of digital surveillance authoritarianism was ranked as the third emerging threat for 2030 (ENISA Foresight Cybersecurity Threats for 2030).

    At an average of $804,997 per incident, credential theft is the costliest insider incident to remediate (2022 Cost of Insider Threats Global Report).

    "It is becoming increasingly difficult for organizations to know who has access to what data and across which cloud platforms." (Microsoft Security, 2023 State of Cloud Permissions Risk Report)

    The bottom line is that threat actors exploit these new technologies to manipulate vulnerable system resources.

    The goal of a security program is not to eliminate risk but to reduce it, both likelihood and impact, to a level the organization has decided it can accept.

    The paradigm shift from legacy systems to IoT, OT and ICS information systems demands a rethink of enterprise and industrial information security architecture and implementation. The aim is an interoperable, secured operational capability that keeps hostile, disruptive agents out while prioritizing information assurance. In practice that means data-risk security controls built on the extended set of security services that ISC2 material summarizes as confidentiality, integrity, availability, non-repudiation, identification, authentication, privacy and security (CIANIA+PS), implemented through encryption (TLS for data in transit), access control (identification and authentication), data loss prevention (DLP), backup and redundancy (failover clustering, hot sites), an incident response plan (IRP), data recovery systems, cyber insurance and other data security control techniques.

    CYBER RISK = LIKELIHOOD (a threat exploiting a vulnerability) × IMPACT (asset value / criticality)

    An information security management system (ISMS) must be built on the core fundamentals of confidentiality, integrity and availability, with risk assessment (NIST SP 800-30), network protection (DMZ, EDR, NIDS, honeypots), system security, identity security management, third-party risk management (TPRM) and access control management all treated as priorities.

    Organizations must strategically adopt the AAA approach (authentication, authorization and auditing, the last also called accounting) to fix data insecurity: prove who the requester is, check what they are allowed to do, and record what they did, whether the request was allowed or denied.
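As an added example, not code from the original article, here is a minimal AAA gate in Python that shows the three steps in order: authentication (verifying an HMAC-signed token in constant time and checking its expiry), authorization (an explicit role-to-permission policy keyed on the data classification) and auditing (a record written for every decision, denied or allowed). The token format, the `SECRET_KEY`, the roles in `POLICY` and the in-memory `AUDIT_LOG` are constructed for the illustration; a real deployment would use a standard token format, a secrets manager and a SIEM.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional

# Hypothetical server-side signing key; a real deployment loads it from a
# secrets manager and rotates it. Constructed for this example only.
SECRET_KEY = b"demo-signing-key-do-not-use-in-production"

# Authorization policy: role -> allowed (action, data classification) pairs.
# Hypothetical roles; adapt to your own classification scheme.
POLICY = {
    "analyst": {("read", "Unclassified"), ("read", "Confidential")},
    "dpo": {("read", "Unclassified"), ("read", "Confidential"), ("export", "Confidential")},
}

# Auditing: every decision, allowed or denied, is appended here. A real
# system ships these records to a SIEM rather than keeping them in memory.
AUDIT_LOG: List[Dict] = []


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue_token(user: str, role: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Mint an HMAC-SHA256 signed token: b64url(payload).b64url(signature).
    The format is constructed for this example; it is not a standard token."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"sub": user, "role": role, "exp": now + ttl}, sort_keys=True).encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return b64url(payload) + "." + b64url(sig)


def authenticate(token: str, now: Optional[int] = None) -> Optional[Dict]:
    """Authentication: verify the signature (constant time) and the expiry.
    Returns the claims on success, None on any failure."""
    try:
        p64, s64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


def authorize(claims: Dict, action: str, data_class: str) -> bool:
    """Authorization: the role must be explicitly granted the action on that class."""
    return (action, data_class) in POLICY.get(claims.get("role"), set())


def audit(user: str, action: str, resource: str, outcome: str, reason: str, now: int) -> None:
    AUDIT_LOG.append({"ts": now, "user": user, "action": action,
                      "resource": resource, "outcome": outcome, "reason": reason})


def access(token: str, action: str, resource: str, data_class: str,
           now: Optional[int] = None) -> bool:
    """The AAA gate: authenticate, then authorize, and audit either way."""
    now = int(time.time()) if now is None else now
    claims = authenticate(token, now)
    if claims is None:
        audit("unknown", action, resource, "DENY", "authentication failed", now)
        return False
    if not authorize(claims, action, data_class):
        audit(claims["sub"], action, resource, "DENY", "not permitted by policy", now)
        return False
    audit(claims["sub"], action, resource, "ALLOW", "policy match", now)
    return True


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_token("alice", "analyst", now=t0)
    print(access(tok, "read", "customers.csv", "Confidential", now=t0 + 60))    # True
    print(access(tok, "export", "customers.csv", "Confidential", now=t0 + 60))  # False
    for rec in AUDIT_LOG:
        print(rec)
```

The order matters: a request that fails authentication is never evaluated against the policy, and a request that fails authorization is still written to the audit log, because denied attempts are what an investigator needs when looking for credential misuse.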

    Information is data!

    Almost every piece of information in your company has a digital copy.
    Digitalization of information: all roads lead to data.

    Datafication has turned data into a commodity of value essential to business operations, giving rise to a vertical of commercial data actors: data brokers, chief data officers, digital data officers, data engineers and analysts, data miners and collectors, data investors, data controllers, data producers and consumers, and other big-data stakeholders.

    Global data creation is on track to reach 181 zettabytes (ZB) by 2025 (Statista, Arne Holst; cited in The Age of Prediction by Igor Tulchinsky and Christopher Mason).

    Reliance on data and information for an effective workflow is core to business continuity, since data is a critical function of service operations in the new digital economy (Industry 4.0); hence it is impossible to achieve privacy without data security.

    Data leakage was the most prevalent SaaS security incident reported, at 58% (The Annual SaaS Security Survey Report: 2024 Plans and Priorities, Cloud Security Alliance and Adaptive Shield).
    Critical question: who wants my data, and why?

    BIG DATA = MARKET VALUE + INTELLIGENCE EXTRACTS

    Gaining consumer trust by keeping proper policy in line with data regulations and privacy laws is critical to business ROI and integrity.

    An FBI FLASH alert (23 Aug 2023) reported PRC cyber actors exploiting a Barracuda Email Security Gateway (ESG) zero-day vulnerability globally to plant malicious payloads on ESG appliances; the capabilities included persistent access, email scanning, credential harvesting and data exfiltration.

    British Airways cancelled around 1,500 flights after disruption to national air traffic services, when files were unintentionally deleted from the Notice to Air Missions (NOTAM) IT system used to send information to pilots ahead of flights (reported Fri 26 May 2023). Availability failures in data systems carry the same business impact whether the cause is an attack or an error.

    Today, access to most web applications and web services requires users to provide personal information such as phone number, date and place of birth, address, email, credit card details, race, religion, weight, biometrics, social security number (SSN), passport number, driver's licence number, health information, national identification number (NIN) and more, which raises privacy concerns.

    Privacy of information concerns both the individuals whose personal information is at stake and the organizations that hold it (NIST SP 800-122).
    (Figure: NIST Privacy Framework v1.0, relationship between privacy risk and organizational risk.)

    For organizations, identifying data classes such as Top Secret, Secret, Confidential and Unclassified helps map data-risk likelihood against threat severity and associated vulnerabilities, using NIST SP 800-60 (Mapping Types of Information and Information Systems to Security Categories) together with open sources such as CVE/NVD entries, the OWASP Top 10, the MITRE ATT&CK framework, Shodan and Maltego. That mapping enables a quantitative or qualitative security assessment. The security posture is then hardened with data security posture management (DSPM) technology and privacy breach management across the whole data ecosystem (application, database, files and folders, virtual and physical storage, and the network layer), while enterprise privacy risk management for the data infrastructure is mapped to frameworks such as NIST SP 800-39 (Managing Information Security Risk), ISO/IEC 27002:2022 (Information security, cybersecurity and privacy protection: information security controls), ISACA COBIT and the NIST Risk Management Framework (SP 800-37).
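The following is an added worked example, not the article's own material, of the two ideas above: the risk formula (risk = likelihood × impact) and classification-driven categorization in the style of NIST SP 800-60 (the FIPS 199 high-water mark across confidentiality, integrity and availability). The asset register, the 1-5 scoring weights for classification, exposure and open findings, and the High/Medium/Low bands are all hypothetical choices made for the illustration; an organization would replace them with its own policy values.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical mapping from data classification to impact weight (1-5).
CLASS_IMPACT = {"Unclassified": 1, "Confidential": 3, "Secret": 4, "Top Secret": 5}
# Hypothetical exposure weights: how reachable the hosting system is.
EXPOSURE_LIKELIHOOD = {"internal": 1, "partner": 2, "internet": 3}
LEVEL = {"low": 1, "moderate": 2, "high": 3}


@dataclass
class DataAsset:
    name: str
    classification: str
    records: int                    # number of records held
    exposure: str                   # "internal", "partner" or "internet"
    open_findings: int              # open vulnerability findings on the hosting system
    cia: Tuple[str, str, str]       # (confidentiality, integrity, availability) impact levels


def security_category(asset: DataAsset) -> str:
    """FIPS 199 / SP 800-60 high-water mark: the overall category is the
    highest of the three CIA impact levels."""
    return max(asset.cia, key=lambda level: LEVEL[level])


def likelihood(asset: DataAsset) -> int:
    """1-5 score: base on exposure, plus up to 2 for known open findings."""
    return min(5, EXPOSURE_LIKELIHOOD[asset.exposure] + min(asset.open_findings, 2))


def impact(asset: DataAsset) -> int:
    """1-5 score: classification weight, plus 0-2 for the volume of records."""
    volume = 0 if asset.records < 1_000 else (1 if asset.records < 1_000_000 else 2)
    return min(5, CLASS_IMPACT[asset.classification] + volume)


def risk_score(asset: DataAsset) -> int:
    """The article's formula: risk = likelihood x impact (range 1-25)."""
    return likelihood(asset) * impact(asset)


def rating(score: int) -> str:
    return "High" if score >= 15 else ("Medium" if score >= 8 else "Low")


def rank(assets: List[DataAsset]) -> List[Tuple[str, str, int, str]]:
    """Return (name, security category, risk score, rating) sorted worst-first,
    which is the order a data-risk treatment plan should follow."""
    rows = [(a.name, security_category(a), risk_score(a), rating(risk_score(a))) for a in assets]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


# Constructed sample register (not real assets).
SAMPLE_ASSETS = [
    DataAsset("customer_db", "Confidential", 2_500_000, "internet", 1, ("high", "moderate", "moderate")),
    DataAsset("hr_files", "Secret", 5_000, "internal", 0, ("high", "high", "low")),
    DataAsset("marketing_site", "Unclassified", 100, "internet", 3, ("low", "moderate", "moderate")),
]

if __name__ == "__main__":
    for row in rank(SAMPLE_ASSETS):
        print(row)
```

Note what the ranking shows: the internet-facing, unclassified marketing site has the highest likelihood score but a trivial impact, while the internal HR store carries a high security category yet a low risk score because nothing reachable exposes it. Both are why likelihood and impact must be scored separately before they are multiplied, rather than reading risk off the classification alone.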

    Among financially motivated crime, 82% of incidents involved the deployment of ransomware or malicious scripts for T1486, Data Encrypted for Impact (T1486 is a signature ATT&CK technique for ransomware attacks) (FortiGuard Labs, Global Threat Landscape Report, Feb 2023).

    Today, over 80% of all ransomware attacks involve "double extortion", with data and credential exfiltration before encryption (KnowBe4, Ransomware Hostage Rescue Manual 2023).

    Security of information covers data at rest, data in use (held in RAM) and data in transit (on the network), and that data may include personally identifiable information (PII), protected health information (PHI), intellectual property (IP), customer confidential information (CCI), non-public information (NPI), personal data, credentials, Social Insurance Numbers and other sensitive data.

    Navigating Privacy Compliance and Standards

    Organizations are responsible for protecting the confidentiality and privacy of clients' data. Many laws mandate the protection of both personally identifiable information (PII) and protected health information (PHI).

    External compliance requires organizations to follow cyber safety laws, regulations and standards (ISACA Germany Chapter, ISO/IEC 27001:2022).

    There are crucial legal implications associated with privacy laws:

    • PepsiCo Inc. faces a class-action lawsuit over employee voiceprints, alleging the voice data collection broke Illinois' Biometric Information Privacy Act (BIPA) (Bloomberg Law, Jul 2023).
    • Meta (Facebook) was fined €1.2bn for breaching GDPR, a decision that could have a big impact on EU-US data transfers (Tech Monitor, May 2023).
    • Equifax's lawsuit settlement includes $425 million to help people affected by its data breach, with claims open until Jan 22, 2024 (US Federal Trade Commission).
    • PayPal was sued for negligence over a data breach that affected 35,000 users.

    Regulations, compliance and standards do more than complement an organization's privacy, data protection and information security strategies: they also help protect human life and prevent discrimination.

    One of the limiting factors to compliance and standards is geolocation disparity across various jurisdictions of interest (state laws, federal laws).

    Publicly traded companies suffered an average decline of 7.5% in their stock value after a data breach (Harvard Business Review, The Devastating Business Impacts of a Cyber Breach, May 4, 2023, Keman Huang et al.).

    Investment in information security and data privacy is largely shaped by how budgets are split between operating expenditure (OpEx) and capital expenditure (CapEx).

    Observable Data Privacy Events in History

    Privacy is defined as the right that determines the non-intervention of secret surveillance and the protection of an individual's information (Black's Law Dictionary).

    Attackers constantly probe critical data-centric assets and infrastructure such as applications, data centres, file servers, backup systems, virtual machines and SaaS for vital information. Footprinting and reconnaissance with tools such as nmap easily reveal sensitive network information.

    Integrating privacy-enhancing technologies (PETs) into an organization's processing helps implement data protection effectively (ICO, June 2023).

    IC3 received a total of 3.26 million complaints between 2018 and 2022, with aggregate reported losses of $27.6 billion.

    Zoom: over 2,300 usernames and passwords from a database of Zoom accounts were leaked by cybercriminals (IT World Canada, 2023).

    PwC: in May 2023 PwC was hit by the MOVEit Transfer attack; across that campaign, 379 organizations and a total of 19 million individuals were reported affected (iTWire, 2023).

    SolarWinds: the SolarWinds hack was named the 'largest and most sophisticated' attack according to Thomson Reuters; the breach affected over 18,000 SolarWinds customers.

    SickKids: the Hospital for Sick Children in Toronto was hit by a LockBit ransomware attack in Dec 2022. No ransom was paid and 100% of its systems were restored.

    Kroll: FTX bankruptcy claims data held by Kroll was exposed in a breach that leaked sensitive information affecting millions of people across 56 countries and regions and resulted in the theft of $6.3 million in cryptocurrency (Aug 2023).

    St. Margaret's Health: the Illinois hospital went bankrupt following a ransomware attack, linking its closure to the cyber incident (NBC News, June 12, 2023).

    Johnson Controls, Sept 2023: cybercriminals exfiltrated 27 TB of sensitive data from Johnson Controls and demanded a $51 million ransom; Johnson Controls also holds documents depicting the physical security of many Department of Homeland Security facilities (SecurityWeek.com).

    Indeed, geopolitical tension has produced incidents such as the spy balloon, the SolarWinds breach, the Accenture LockBit breach, Log4j, the US Department of Defense email server left exposed on Microsoft Azure, the PharMerica data breach and, most recently, the 2023 breach of NATO's Communities of Interest Cooperation Portal, among other major breaches.

    Targeted intrusion adversaries will continue to predominantly present data theft threats to multiple sectors and geographies in 2023 (CrowdStrike Intelligence 2023 GLOBAL THREAT REPORT).

    Top 5 data attack types

    • Data leakage
    • Ransomware
    • Data breach
    • Data manipulation (e.g. SQL injection)
    • Credential theft

    Data and information security checklist options:

    • Take AI safety seriously
    • Treat data as an asset
    • Cyber insurance
    • Follow GDPR and the privacy laws that apply to you
    • Integrate data sanitization
    • Privacy by design and by default
    • Security and data privacy awareness training
    • Stay updated (patch management and a data management policy)
    • Use automation to your advantage (SIEM, SOAR, EDR, ML)
    • Access control management
    • Review network logs for signs of data exfiltration and lateral movement
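The last checklist item is the one most often left as a slogan, so here is an added example, not part of the article, of what "review network logs for signs of data exfiltration and lateral movement" looks like as code. It parses a constructed flow-log format (timestamp, source, destination, destination port, bytes out), then raises two kinds of finding per source host: a volume of outbound bytes to non-internal addresses above a threshold (exfiltration), and connections to many distinct internal hosts on remote-administration ports (lateral movement). The log lines, the regex, the internal ranges, the admin-port set and both thresholds are assumptions for the illustration; a real deployment would bucket by time window and tune the thresholds to the site's baseline.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List

# Constructed flow-log format for this example; adapt the regex to your own
# firewall, NetFlow or cloud flow-log export.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)$"
)

# Explicit internal ranges rather than ipaddress.is_private, which also treats
# documentation ranges such as 203.0.113.0/24 as private and would hide them.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_PORTS = {22, 135, 445, 3389, 5985, 5986}   # remote-admin services abused for lateral movement
EXFIL_BYTES = 1 << 30                            # 1 GiB per source to external hosts (tune per site)
LATERAL_HOSTS = 5                                # distinct internal hosts on admin ports (tune per site)

# Constructed sample lines, not a real capture.
SAMPLE_LOGS = """\
2023-10-20T01:12:03Z src=10.0.1.15 dst=203.0.113.9 dport=443 bytes_out=734003200
2023-10-20T01:18:44Z src=10.0.1.15 dst=203.0.113.9 dport=443 bytes_out=801112064
2023-10-20T01:20:10Z src=10.0.1.30 dst=198.51.100.7 dport=443 bytes_out=52428800
2023-10-20T02:01:00Z src=10.0.1.22 dst=10.0.2.11 dport=445 bytes_out=4096
2023-10-20T02:01:02Z src=10.0.1.22 dst=10.0.2.12 dport=445 bytes_out=4096
2023-10-20T02:01:03Z src=10.0.1.22 dst=10.0.2.13 dport=445 bytes_out=4096
2023-10-20T02:01:05Z src=10.0.1.22 dst=10.0.2.14 dport=3389 bytes_out=8192
2023-10-20T02:01:07Z src=10.0.1.22 dst=10.0.2.15 dport=445 bytes_out=4096
2023-10-20T02:01:09Z src=10.0.1.22 dst=10.0.2.16 dport=5985 bytes_out=2048
2023-10-20T02:05:00Z src=10.0.1.30 dst=10.0.5.5 dport=445 bytes_out=4096
this line is malformed and is skipped
"""


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one record per well-formed line; malformed lines are dropped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield {"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                   "dport": int(m["dport"]), "bytes": int(m["bytes"])}


def analyse(lines: Iterable[str]) -> Dict[str, List[dict]]:
    """Aggregate per source host and return the two finding types."""
    outbound = defaultdict(int)         # src -> bytes sent to external hosts
    admin_targets = defaultdict(set)    # src -> internal hosts reached on admin ports
    for rec in parse(lines):
        if not is_internal(rec["dst"]):
            outbound[rec["src"]] += rec["bytes"]
        elif rec["dport"] in ADMIN_PORTS and rec["dst"] != rec["src"]:
            admin_targets[rec["src"]].add(rec["dst"])
    return {
        "exfiltration": [{"src": s, "bytes_out": b}
                         for s, b in sorted(outbound.items()) if b >= EXFIL_BYTES],
        "lateral_movement": [{"src": s, "hosts": sorted(h)}
                             for s, h in sorted(admin_targets.items()) if len(h) >= LATERAL_HOSTS],
    }


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOGS.splitlines()).items():
        print(kind, hits)
```

On the sample, 10.0.1.15 is flagged for roughly 1.5 GiB sent to one external host, and 10.0.1.22 is flagged for touching six internal hosts on SMB, RDP and WinRM ports within minutes, the pattern of a workstation sweeping the subnet with stolen credentials; 10.0.1.30, which sent 50 MB to the internet and opened one SMB session, stays under both thresholds.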

    The average cost of a data breach in 2023 (published by Ani Petrosyan on Statista, covering March 2022 to March 2023):

    • Healthcare sector: $11 million USD, the highest of any sector
    • Financial sector, ranked second: $5.9 million USD
    • Industrial sector worldwide: $4.73 million USD

    As of 2023 the average cost of a data breach was $4.08 million USD in France, $8.07 million USD in the Middle East, $5.13 million USD in Canada and $9.48 million USD in the United States.

    The Digitalized Future of Data-reliant Business vs Data Trust Structure Oversight

    The major actors in a civic data trust are the trustor (which collects urban data), the trustee (a fiduciary), the beneficiaries (smart-city residents and visitors) and the smart city itself, embedded with sensors (In the Public Eye: Privacy, Personal Information, by Shaun E. Finn).

    The UK has set a 2030 deadline for the government's critical functions to be significantly hardened against cyber attack.

    The UK's data protection body is seeking feedback on biometric data rules (CAIDP Update 5.32, AI Policy News, Aug. 28, 2023).

    Japan's privacy commission has sounded the alarm on AI's data risks (CAIDP Update 5.32, AI Policy News, Aug. 28, 2023).

    On May 30, 2023 the Cyberspace Administration of China set specific requirements for filing the standard contract for cross-border transfers of personal information.

    Saudi Data and AI Authority, Personal Data Protection Law, Royal Decree No. (M/148) as amended on 27/03/2023 G, Article 2: applies to any processing of personal data related to individuals that takes place in the Kingdom by any means, including the processing of personal data...

    In May 2023 Privacy Commissioner of Canada Philippe Dufresne submitted 15 recommendations on Bill C-27, the Digital Charter Implementation Act privacy-law reform, to the House of Commons. Recommendation #1: recognize privacy as a fundamental right. Recommendation #2: protect children's privacy and the best interests of the child.

    "Privacy law reform is overdue and must be achieved," said Privacy Commissioner of Canada Philippe Dufresne.

    To implement safeguards within the data management category, a policy must first be put in place governing the data management process (CIS, The Cost of Cyber Defense 2023, CIS Controls v8).

    Open-source intelligence (OSINT), artificial intelligence, data analytics and quantum computing are dynamically changing the threat landscape for information management systems.

    Data Privacy Acts and Information Security Regulatory Bodies Across Sectors

    • The Personal Information Protection and Electronic Documents Act (PIPEDA), Canada
    • Health Insurance Portability and Accountability Act of 1996 (HIPAA), health sector
    • Gramm-Leach-Bliley Act (GLBA), financial sector
    • Confidential Information Protection and Statistical Efficiency Act (CIPSEA)
    • Organisation for Economic Co-operation and Development (OECD)
    • The NIS 2 Directive (Network and Information Security)
    • The European Cyber Resilience Act
    • The Digital Operational Resilience Act (DORA)
    • The Critical Entities Resilience Directive (CER)
    • The Digital Services Act (DSA)
    • The Digital Markets Act (DMA)
    • The European Health Data Space (EHDS)
    • The European Chips Act
    • The European Data Act
    • The European Data Governance Act (DGA)
    • The Artificial Intelligence Act
    • The European ePrivacy Regulation
    • The European Digital Identity Regulation
    • The European Cyber Defence Policy
    • The Strategic Compass of the European Union
    • The EU Cyber Solidarity Act
    • The EU Cyber Diplomacy Toolbox
    • The Framework for Artificial Intelligence Cybersecurity Practices (FAICP)

    Parliament of Canada Bill C-26, An Act respecting cyber security, amending the Telecommunications Act, with focus on Part 2, the enactment of the Critical Cyber Systems Protection Act, and the non-disclosure of orders (section 2(b) of the Charter).

    Conclusion

    The global average cost of a data breach in 2023 was $4.45M USD, a 15.3% increase from the 2020 cost of $3.86M USD according to IBM (SANS Cyber Defense Newsletter, 6 Oct 2023).

    Unarguably, some level of online anonymity and actionable multi-layered security, combining preventive (IPS), detective (IDS) and corrective controls with access controls (ZTNA, IAM, MFA), is required to keep people and businesses safe in the new digital threat landscape.

    Gartner predicts that by 2025, 75% of the world's population will have its personal data covered by modern privacy regulations.

    Regulations such as HIPAA also prevent discrimination, so stronger privacy laws build a better society. Privacy commissioners, human rights adjudicators, courts, ISO and other regulatory institutions are constantly tasked with developing, redefining, establishing and implementing privacy laws, standards, data protection legislation and guidelines across vertical sectors, to keep organizations' critical data safe and individuals' personally identifiable information (PII), personal health information and other sensitive information confidential.

    Top Information Security and Data Protection Frameworks

    1. Information security: ISO/IEC 27001:2022, NIST SP 800-53, ICO, ANSSI
    2. Data protection/privacy: ISO/IEC 27701:2019, EU GDPR, ISACA COBIT
    3. IoT security and privacy: ISO/IEC 27400, NCSC CAF 3.1, ANSSI CIIP, ISO 31700-1
    4. Risk management: NIST RMF, NCSC Risk Management Guide v1.0, BSI Standard 200-3, ISF IRAM2

    Other regulators and frameworks include HITECH (ePHI), EPCS, PCI DSS, GDPR, consumer protection law, NERC, FISMA, CIS, SINIA, CCPA, GLBA (banking), SOX/J-SOX, FedRAMP, HSEEP, FDA, IEEE, JRSS, OWASP, COBIT, Gartner, NCSC, ACSC, etc.

    Beware of privacy for sale in exchange for security schemes: always read the terms and conditions before accepting cookies.

    Infrastructure and Industrialization: Securing UN SDG-9 on Digital Innovation Infrastructure Advisory and Recommendation

    Maintaining functionality and availability during adverse conditions ensures the trustworthy, resilient digital infrastructure proposed by the International Telecommunication Union's GSR-23 and the UN SDGs for digital innovation infrastructure projects. Securely storing and sharing information requires a proactive defence-in-depth strategy; meeting information risk and security management standards and compliance will in turn foster the ITU's 2024-2027 strategic plan for universal connectivity and sustainable digital transformation.

    Thanks for reading.

    Regards,

    Disclaimer: This article insight was generated and inspired by months of reading cyber publications and credible cybersecurity research sources such as NIST, CISA, WEF, DoD, SANS, CSA, GAO, ICO, CIS, IBM Security, EU-GDPR, ITU, IC3, ISC2, DHS, ISACA, ENISA, INFOSEC, etc., and was written solely for educational purposes, without the use of artificial intelligence.

    IMAGE SOURCE: The United Nations

    "Today the real test of power is not capacity to make war but capacity to prevent it." ― Anne O'Hare McCormick.

    we pray for peace and seek diplomacy for humanity!



    ------------------------------
    David Olugbenga
    Cybersecurity Analyst
    Cybersine
    ------------------------------