The True Cost of Privacy (Information and Data Security Deep-Insight 2023) for Cyber C-Suite Execs

Sep 06, 2023 04:26:26 PM

Addressing cyber risk remains a challenge for organizations. (Global Cybersecurity Outlook Report, WEF 2023)

The new service-driven economy has driven the migration to an internet-dependent, cloud-dominant business model built on distributing data as information: data exchange, information processing delivered as services, and digital data storage. That model has given rise to a remote and hybrid workforce, and it attracts disruptive watchdogs, financially motivated threat actors, and advanced persistent threat (APT) agents backed by state actors across the geopolitical landscape. Hence the manipulation and exploitation of soft systems using newer technologies such as artificial intelligence, quantum technology, blockchain, and open-source intelligence techniques persists.

Loss of privacy, the rise of digital surveillance, and authoritarianism were identified as the third-ranked emerging future threat (ENISA Foresight Cybersecurity Threats for 2030).

At an average of $804,997 per incident, credential theft is the costliest to remediate (Cost of Insider Threats Global Report, 2022).

"It is becoming increasingly difficult for organizations to know who has access to what data and across which cloud platforms." (Microsoft Security 2023, State of Cloud Permissions Risk Report)

Figure: The estimated cost of cybercrime, 2018-2027 (Statista | IMF | FBI)

The bottom line is that "threat actors often exploit these new technologies" to manipulate vulnerable system resources.

The goal is to reduce risk/impact to an acceptable level.

The paradigm shift from legacy systems to newer IoT, OT, and ICS information systems will demand a rethink of enterprise and industrial information security architecture and implementation. The aim is an efficient, interoperable, and secured operational capability that prevents hostile disruptive agents while prioritizing information assurance. That means centering on data risk security controls, such as ISC2's stronger Confidentiality, Integrity, Availability, Nonrepudiation, Authentication, Privacy and Security (CIANIA+PS) control mechanism, implemented through encryption (TLS), access control (identification, authentication), data loss prevention (DLP), data backup (e.g. failover clustering, hot site), an Incident Response Plan (IRP), data recovery systems, cyber insurance, and other data security control techniques.

CYBER RISK = PROBABILITY(cyber threat + vulnerability) × IMPACT(value/criticality)

Healthcare remains a top target for online criminal groups: the average cost of a healthcare data breach was the highest among all industries at $10.93 million (IBM Security, Cost of a Data Breach Report 2023).

Information security management systems must be built on the cybersecurity core fundamentals of confidentiality, integrity, and availability, while prioritizing information security risk assessment (NIST SP 800-30), network protection (DMZ, EDR, NIDS, honeypots), system security, identity security management, third-party risk management (TPRM), and regulated access control management.

Organizations must strategically adopt the triple-A (Authentication, Authorization, and Auditing) approach to fixing data insecurities.

Information is Data!

Datafication has influenced the perception of data as a commodity of value essential to business operations, giving rise to vertical commercial agents of data such as data brokers, Chief Data Officers, digital data officers, data engineers and analysts, data miners/collectors, data investors, data controllers, data producers/consumers, and other big data stakeholders.

The reliance on data and information for an effective workflow is core to business continuity, because data is a critical function of service operations in the new digital economy (Industry 4.0); hence it is impossible to achieve privacy without data security.

Among the most prevalent SaaS security incidents reported was data leakage, at 58% (The Annual SaaS Security Survey Report: 2024 Plans and Priorities, by Cloud Security Alliance and Adaptive Shield).

Image source: The Annual SaaS Security Survey Report: 2024 Plans and Priorities (Cloud Security Alliance and Adaptive Shield)

Critical question: Who wants my data, and why?

Gaining consumer trust by maintaining proper policy in accordance with data regulations and privacy laws is critical to business ROI and integrity.

An FBI FLASH of 23 Aug 2023 reported PRC cyber actors exploiting a Barracuda Email Security Gateway (ESG) zero-day vulnerability globally to insert malicious payloads onto ESG appliances; the payloads' capabilities include persistent access, email scanning, credential harvesting, and data exfiltration.

British Airways canceled 1,500 flights due to a cyber-attack disruption of national air traffic services: files were unintentionally deleted from the Notice to Air Missions (NOTAM) IT system, which is used to send information to pilots ahead of flights.

These days, access to most web applications or web services requires users to input personal information such as their phone number, date and place of birth, address, email, credit card information, race, religion, weight, biometrics, social security number (SSN), passport number, driver's license number, health information, National Identification Number (NIN), etc., which sometimes raises privacy concerns.

Privacy of information concerns both the individuals whose personal information is at stake and the organizations that hold it (NIST SP 800-122).

Figure: NIST Privacy Framework v

For organizations, identifying data classes such as Top Secret, Secret, Confidential, and Unclassified helps map data risk likelihood against threat severity and associated vulnerabilities, using NIST SP 800-60 (Mapping Types of Information and Information Systems to Security Categories) or OSINT sources such as CVE/NVD entries, the OWASP Top 10, the MITRE ATT&CK framework, Shodan, Maltego, etc. This enables an adequate quantitative or qualitative security assessment. The security posture is then hardened using Data Security Posture Management (DSPM) technology across the whole data ecosystem (application, database, files and folders, virtual storage, physical storage, network layer), while enterprise privacy risk management for the data infrastructure is mapped and established with frameworks such as NIST SP 800-39 (Managing Information Security Risk), COBIT by ISACA, the NIST RMF (SP 800-37), etc.
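The risk formula above (PROBABILITY(threat + vulnerability) × IMPACT) and the data-class mapping can be turned into a simple qualitative risk register. The following is an added illustration, not code from the original post or from any NIST publication: the 1-5 scales, the impact assigned to each data class, the risk bands, and the acceptable-risk threshold are all assumptions, and the sample assets are constructed.

```python
import math
from dataclasses import dataclass

# Impact (value/criticality) derived from the data classes named in the post (assumed values).
IMPACT_BY_CLASS = {"Unclassified": 1, "Confidential": 3, "Secret": 4, "Top Secret": 5}
ACCEPTABLE_RISK = 8  # assumed risk appetite: anything above this needs treatment


@dataclass(frozen=True)
class Asset:
    name: str
    data_class: str
    threat: int         # 1-5: likelihood a capable threat actor targets this data
    vulnerability: int  # 1-5: exposure of the system holding it (patching, access control)


def probability(threat: int, vulnerability: int) -> int:
    """Likelihood on a 1-5 scale from the combined threat + vulnerability rating."""
    if not all(1 <= v <= 5 for v in (threat, vulnerability)):
        raise ValueError("threat and vulnerability must be rated 1-5")
    return math.ceil((threat + vulnerability) / 2)


def risk_score(asset: Asset) -> int:
    """CYBER RISK = PROBABILITY(threat + vulnerability) x IMPACT(value/criticality)."""
    if asset.data_class not in IMPACT_BY_CLASS:
        raise ValueError(f"unknown data class: {asset.data_class!r}")
    return probability(asset.threat, asset.vulnerability) * IMPACT_BY_CLASS[asset.data_class]


def risk_band(score: int) -> str:
    """Ordinal band for a 1-25 score: Low <5, Medium 5-8, High 9-14, Critical >=15."""
    if score >= 15:
        return "Critical"
    if score >= 9:
        return "High"
    return "Medium" if score >= 5 else "Low"


def assess(register: list) -> list:
    """Score every asset and order the register so the largest risks come first."""
    rows = []
    for asset in register:
        score = risk_score(asset)
        rows.append({"asset": asset.name, "score": score, "band": risk_band(score),
                     "acceptable": score <= ACCEPTABLE_RISK})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample register (illustrative assets, not real systems).
SAMPLE_REGISTER = [
    Asset("PHI database", "Secret", threat=5, vulnerability=4),
    Asset("Public website", "Unclassified", threat=4, vulnerability=3),
    Asset("HR file share", "Confidential", threat=3, vulnerability=2),
]
```

Running `assess(SAMPLE_REGISTER)` ranks the PHI database (score 20, Critical) first and flags only the public website as within the assumed risk appetite.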

Amongst financially motivated crime, 82% of incidents involved the deployment of ransomware or malicious scripts for T1486, Data Encrypted for Impact (T1486 is a signature ATT&CK technique for ransomware attacks). (Global Threat Landscape Report by FortiGuard Labs, Feb 2023)

Today, over 80% of all ransomware attacks involve "double extortion": data and credential exfiltration in addition to encryption. (Ransomware Hostage Rescue Manual 2023, KnowBe4)

Security of information covers data at rest, in use (data held in RAM), and in transit (network layer), and may include Personally Identifiable Information (PII), Protected Health Information (PHI), intellectual property (IP), customer confidential information (CCI), non-public information (NPI), personal data, credentials, Social Insurance Numbers, and other sensitive data.
