A deceptively simple question, but my belief is that most businesses cannot answer it with any high degree of confidence, hence the many breaches of personal data from businesses. The ability to answer this question is critical, as regulations are rolling out globally which require businesses to secure the personal information they hold or face hefty fines, and Australian companies are in no way immune to this.
The pace at which personal data breaches occur is worrying, and the trend appears to be going up. Based on my research, in a recent eight-week period over 240 million records of personal information were publicly reported as illegally taken or accessed from businesses globally – that is over 47 records per second. Looking at it another way, more than the population of Australia is breached per week globally. Also remember, this is just what's reported, so the actual rate is undoubtedly far higher. One could safely say the cybercriminals have never had it so good!
So why do cybercriminals like going after personal information so much, especially when businesses hold so much other data, such as invoices, emails, documents, contracts, blueprints, etc.? The answer is twofold. First, like any undertaking, they must produce a profit for the effort and time taken – like everyone else they have bills to pay and mouths to feed. Long gone are the days of hacking for pure fun; now it’s a global multi-billion dollar ‘business’, complete with underground markets, middlemen and resellers. Secondly, given such a structured market, they want to get hold of information which they can most easily turn into a profit with the least risk and effort. What information fits this bill almost perfectly? You guessed it: personal information.
With someone’s full identity (which is worth up to $1000 each on the black market) they can commit a variety of illegal actions; the least of which is illegal marketing and social engineering (how did this caller trying to scam me know my name and what I do?), up to selling the person’s assets out from under them, extortion and money laundering. Now it's not that the other information isn’t of interest to a cybercriminal (especially APTs), but it requires more work and risk for them to convert into a useful return; why make your life more difficult?
There is also the fact, given the amount of breaching going on, that cybercriminals can pool what they discover and progressively complete a detailed personal profile of an individual over time – which when complete can be highly valuable indeed. So a business may think the personal information it holds is of low value on its own, but it could be the missing piece in taking over someone’s identity.
Let’s get back to the business side of this analysis: how much do businesses typically value personal information? Usually, they see names, addresses, telephone numbers, account numbers etc., but on their own these only really become worth something to the business when combined with a product or service. Enterprises trade by selling things, so naturally the value gets seen through the lens of what they can do with such information – so typically personal information gets assigned a low value (unless you’re in the business of selling on such information). Yes, they know it relates to people, but people have become so used to sharing their own personal information with whoever wants it that this colours their view of the value of others’ personal information.
The net result of this is, on the one hand, we have a business that doesn’t place the right value on personal information and, on the other, we have a cybercriminal who could get up to $1000 per record for said personal information. This situation is especially worrying when one considers that traditional risk management uses the value of the asset as an input in determining the effort to protect it. So, without any other inputs, we have personal information considered as a ‘low value’ asset, so it gets an appropriate set of security controls around it (i.e. minimal). The net effect of this can be an asset that has high value to a cybercriminal getting minimal security controls put around it.
Now, most risk management and analysis techniques try to deal with this by calculating the actual cost of a breach against an asset, including brand damage – but again, if the business has no experience with what triggers such brand damage, it’s likely they will undervalue it. We all know of several companies that, through a simple mistake, have caused a sizable personal information breach and their brand has taken a nose dive as a result; they were large enough to have sophisticated risk management and analysis frameworks in place – so logically the breach shouldn’t have happened, yet it did.
There is also the problem that businesses are responding to the wave of new privacy regulations (privacy and mandatory notification in Australia, EU GDPR, US state and federal regulations, etc.) by trying to do a ‘quick fix’. The trouble is this creates three problems: first, the fix is often not fully integrated into the security monitoring apparatus of the business; secondly, the understanding of the coverage of the fix is not perfect, so unknown ‘gaps’ get left in the security surface; and thirdly, the original problematic security flaws are often ‘preserved’, to be later discovered by the cybercriminal. Such an approach to security was shown wanting by a recent report (Yu, 2018) that found 52% of Asia-Pacific companies with more than 50 different security products experienced a higher rate of incidents. Combine this with small businesses and start-ups who delay putting in the right security controls and it’s simple to see why so much personal information is stolen second by second.
Another factor to consider is that most businesses are only too happy to make use of cloud-based services (be they IaaS or SaaS) with little in-depth understanding of the risks in play. Does your cloud service provider have a proper separation of concerns between businesses on different SLAs? Do they comply fully with your local market privacy regulations, and if they say they do, how do you prove it on an ongoing basis? How can you effectively and securely second-source the cloud provider? Remember that if you use cloud service providers, your security surface extends to cover them and, depending on their degree of integration into other service providers (and not forgetting other customers), your security surface at the limit could extend to cover all of them – and the cybercriminals know this.
What is the fix? A way out is explained in my new book ‘Personal Information Security & Systems Architecture’ (available on Amazon, Booktopia or from myself directly). The book details a technique to value personal information from the perspective of a cybercriminal; thereby feeding into your risk management process a direct measure of cybercriminal ‘desirability’ for such data.
The measure directly relates to the degree of effort a cybercriminal (or an insider) will take to get their hands on such data. The book then goes on to explain how to perform in-depth personal information discovery in your business, what you need to do to suitably secure it, and what technically needs to be done as a result to comply with global privacy regulations. Also detailed are some common ‘anti-patterns’ of personal data usage and how to fix them. Also explained are fundamental security architecture and development techniques for protecting personal data, both for businesses and SaaS providers, told from first principles, as well as advanced techniques to put off the cybercriminal.
The book can be read equally by the CTO, CSO, architects and software engineers. It has been designed to be used as a handbook and has plenty of references and explanations.