Do you know how many times your personal data has been breached?
The OAIC says a data breach occurs "when personal information is accessed, disclosed without authorisation or is lost".
Given the volume of data we consume and exchange every day with dozens of digital services, there are many possibilities for data to be "accessed" or "disclosed" without our authorisation.
As an individual, your personal email address is often your default login for many online services. In a click you can check if your own email addresses are among the more than 9 billion compromised accounts identified so far by haveibeenpwned ... and this will only show you the tip of the data breach iceberg!
It will get worse before it gets better...
After you've read retrospectives for 2019 or the past decade, you're probably thinking "chances are high that some of my personal data has been in the wrong hands, somewhere, for some time". If you are lucky it is just your name and email address. If you are less lucky it could be your current credit card, medical data, fingerprints, even your whole country's tax information with name, address, revenue and which vehicle you drive!
As we continue to move so much of our life and business activities into the digital space, we continuously expand our attack surface in the process, and we know that our daily web interactions and activity are shared with hundreds of organisations every single time we surf the web.
We collectively fail to grasp the complexity of threats to our digital lives and assets, such as the hybrid warfare being played in the background.
What if the risk of doing nothing could cost $10 Billion?
In 2017, highly sensitive personal and financial information on around 148 million customers (44% of the US population) was breached at Equifax. Equifax could end up paying as much as $9.5bn based on the recent settlement. The hackers exploited a vulnerability for which a patch had been available for at least 2 months.
In June 2017 the NotPetya ransomware resulted in more than $10 Billion in damages to global businesses according to a White House assessment quoted by Wired. The patch had been available for 3 months.
Over the past 5 years, the FBI Internet Crime Complaint Center (IC3) received 1.7m complaints resulting in more than $10 Billion in total losses ($3.5B just for 2019): "The most prevalent crime types reported in 2019 were Phishing/Vishing/Smishing/Pharming, Non-Payment/Non-Delivery, Extortion, and Personal Data Breach. The top three crime types with the highest reported losses were BEC (Business Email Compromise), Confidence/Romance Fraud, and Spoofing." We discussed the still relatively high success of phishing campaigns in my previous article.
When some or all of your credentials and data are compromised, lost, or held to ransom, you put at risk your company's privacy, finances, jobs, reputation, and potentially even the lives of your employees, customers and citizens. Many of the most impactful cybersecurity events over the past 3 years exploited vulnerabilities with an existing patch (how fast can you patch?), while others leveraged social engineering and phishing (which users should you trust?) and more advanced computer intrusion techniques (how secure are your IT systems?).
As an organisation, what could you do to improve your security posture?
The public cloud is a model that allows you to shift some or most security management responsibilities to your cloud service provider, depending on the service model you choose: IaaS, PaaS or SaaS. The cloud allows you to focus on your core business rather than fighting for a limited pool of cybersecurity talent. The key is to identify tier 1 cloud service providers which actually put security at the core of everything they offer.
While you can improve many aspects of your IT security by moving to the cloud, let's talk about 3 areas that should improve after you have moved to the cloud:
I welcome any feedback, likes and reposts, and opportunities to discuss live what this topic means for your organisation.
Enguerrand (Engy) Blanchy, Head of APAC Cloud Technology
Engy and his team help Oracle’s largest and most regulated customers across APAC understand how Oracle operates and secures its market-leading SaaS applications. Previously, Engy headed Accenture’s Cloud Strategy practice in ANZ. Engy spent nearly 20 years in various technology consulting roles in France and Australia, including cloud product offer development and go-to-market, cloud sales enablement and IT transformation delivery.