January 25, 2023
As we go through data privacy week I can’t help but think about how cyber risk quantification could help with data privacy.
Naturally, my first thought was that I’m not sure there is a connection. Clearly, your susceptibility to a data breach has to affect your data privacy, but does it go beyond that? Let’s see.
A quick internet search reveals quite a few variations on the theme. The National Cybersecurity Alliance describes data (or Information) privacy as “a branch of data security involving properly handling the collection, storage, and dissemination – including to third parties.” At the same time, the EU GDPR legislation suggests that “Data protection means keeping data safe from unauthorized access. Data privacy means empowering your users to make their own decisions about who can process their data and for what purpose.”
It seems to me there are two parts to Data Privacy, one is to do with customer consent for a company to hold and use their data. The other is to do with how data is handled by a company once consent has been given. This second point could be broken down further into the uses to which the data is put; and the protections that are in place for the storing, access, and transmission of client data.
One other thing to note is that as we build bigger and faster computer systems and internet-connected gadgets, the collection, processing, and exploitation of data becomes easier and the volume of data harvested is growing exponentially. Nevertheless, regulators around the globe are doing their best to keep up and the penalties for misusing or mishandling personal data are also going up. Under GDPR, data protection authorities in the EU can fine organizations up to 4% of their worldwide turnover. In the US fines can range from $2500-$7500 per violation for breaching state privacy laws. Penalties can be even tougher for those breaching HIPAA Privacy Standards, which can attract criminal sanctions.
With the rise of data gathering, and the rising consequences of failure to manage the gathering, storing, transmitting, and use of customer data, what can cyber risk quantification (aka CRQ) do to help?
I think it’s probably worth starting with what it can’t do. It’s clear that any cyber risk quantification tool, no matter how advanced, is not going to help in ensuring a company only collects data for which it has consent. Equally, monitoring the uses a company puts that data to is unlikely to feature highly in the design of a CRQ tool. But when it comes to evaluating the protections you place around the data, a cyber risk quantification tool that collects data from your environment to help you manage your security posture can definitely help.
Let’s take Balbix as an example. It starts by building a hardware and software bill of materials, so you can see where your data storage areas are. It identifies vulnerabilities that could be exploited to access your data, including unencrypted transmission channels and poor access management. It evaluates the state of your compensating controls. It helps identify gaps in security coverage on assets you know about and, in most cases, uncovers a myriad of assets you didn’t even know existed. It uses dynamic threat intelligence to assess the exploitability of these vulnerabilities and aligns this to the MITRE ATT&CK framework. It then calculates the likelihood of a breach and gives you targeted advice on how to remediate or upgrade the protections you have in place.
For me, this is where CRQ tools like Balbix have the most to offer in the data privacy space: helping to identify weaknesses in the storage, transmission, and access to data, and providing targeted advice on how to remediate them.
This, of course, doesn’t stop an employee from taking a sheaf of papers full of customer data home with them on the commute and leaving them on the train. But it can give some comfort that the data you have been entrusted with has the proper protections as far as preventing unauthorized digital access.
With Balbix’s CRQ solution, security leaders can unify all of their cybersecurity data into a single comprehensive cyber risk quantification model. In doing so, everyone – from security analysts to the board – is provided with a view of cyber risk in dollars. This enables them to ensure the data they are entrusted with is truly protected.
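To make the "likelihood of a breach expressed in dollars" idea concrete, here is an added toy CRQ calculation. It is illustrative code written for this post, not Balbix's model or code: the asset inventory, the per-finding exploitability and control-effectiveness scores, the cost-per-record figure and the remediation costs are all constructed values, and the scoring formula (finding likelihood = exploitability × (1 − control effectiveness), combined across findings assuming independence) is an assumption chosen for illustration. What it shows is the part of CRQ that matters for data privacy: ranking fixes to data stores by how much dollar exposure each one removes per remediation dollar.

```python
"""Toy cyber risk quantification (CRQ) model for data stores.

Constructed example, not Balbix's code or model. Every number and name below
is assumed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    """A weakness on an asset that could expose personal data."""
    name: str
    exploitability: float        # 0..1, e.g. derived from threat intelligence (assumed scale)
    control_effectiveness: float  # 0..1, how well compensating controls block exploitation
    remediation_cost: float      # dollars to fix (constructed)


@dataclass
class Asset:
    """A system that stores or transmits personal data."""
    name: str
    records: int            # personal-data records held (constructed)
    cost_per_record: float  # impact in dollars per exposed record (assumed)
    findings: list


def finding_likelihood(f: Finding) -> float:
    """Chance this single finding is exploited: assumed formula."""
    return f.exploitability * (1.0 - f.control_effectiveness)


def asset_breach_likelihood(asset: Asset) -> float:
    """Probability at least one finding on the asset is exploited,
    treating findings as independent (an assumption of this toy model)."""
    p_none = 1.0
    for f in asset.findings:
        p_none *= 1.0 - finding_likelihood(f)
    return 1.0 - p_none


def asset_exposure(asset: Asset) -> float:
    """Expected loss in dollars: likelihood x records x cost per record."""
    return asset_breach_likelihood(asset) * asset.records * asset.cost_per_record


def total_exposure(assets: list) -> float:
    """Board-level number: expected loss summed across all data stores."""
    return sum(asset_exposure(a) for a in assets)


def prioritize(assets: list) -> list:
    """For each finding, compute how much exposure disappears if it is fixed,
    and rank by reduction per remediation dollar (highest first).
    Returns tuples: (asset name, finding name, reduction $, reduction per $)."""
    rows = []
    for a in assets:
        base = asset_exposure(a)
        for f in a.findings:
            remaining = [g for g in a.findings if g is not f]
            fixed = Asset(a.name, a.records, a.cost_per_record, remaining)
            reduction = base - asset_exposure(fixed)
            rows.append((a.name, f.name, reduction, reduction / f.remediation_cost))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows


# Constructed inventory: two data stores with the kinds of weaknesses the
# post mentions (unencrypted transmission, poor access management).
CUSTOMER_DB = Asset(
    name="customer-db",
    records=100_000,
    cost_per_record=150.0,
    findings=[
        Finding("unencrypted transmission channel", 0.4, 0.5, 20_000.0),
        Finding("weak access management", 0.6, 0.2, 50_000.0),
    ],
)
FILE_SHARE = Asset(
    name="hr-file-share",
    records=5_000,
    cost_per_record=150.0,
    findings=[Finding("unpatched file server", 0.3, 0.0, 5_000.0)],
)
INVENTORY = [CUSTOMER_DB, FILE_SHARE]


if __name__ == "__main__":
    print(f"Total expected loss: ${total_exposure(INVENTORY):,.0f}")
    for asset_name, finding_name, reduction, per_dollar in prioritize(INVENTORY):
        print(f"{asset_name:15} {finding_name:35} -${reduction:>12,.0f}  ({per_dollar:6.1f} per $)")
```

Running it ranks "weak access management" on the customer database first: fixing it removes far more expected loss per remediation dollar than the cheaper transmission fix, even though the transmission fix costs less. That ranking, rather than the absolute dollar figure, is the output a privacy programme can act on.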
To find out more about our CRQ solution, ask for a demo here.
Happy Data Privacy week everyone!