Data Impact
Finding the right solution for your business

Introduction

Data are like the pieces of a jigsaw puzzle: each piece can have a greater impact once you start piecing the puzzle together. How many of you (like me) start a jigsaw puzzle by seeking out the corner pieces, then the straight edges, and then start to group together the pieces, based on their colors (shades of green for areas of grass, trees, shades of blue for areas of sea, sky, etc.)?

Data assets are exactly the same. Some data assets are more impactful than others, whilst aggregated data assets have a greater value/impact.

Impact of Data Categorisation/Classification on Risk

Now, with the introduction of the new data privacy legislation/regulations it has become even more important for organizations to categorize/classify any personal data that they need to process, store or transmit and to understand that when different parts of the puzzle are brought together their risks can be significantly increased.

This is clearly shown in Article 4 of the GDPR:

"Personal data means any information relating to an identified or identifiable natural person (‘data subject’);
An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

Take the components of an address, as an example.

  1. Country of residence.
  2. County of residence.
  3. Zip Code/Post Code of residence.
  4. Street name of residence.
  5. House number of residence.
  6. Surname of resident.
  7. Forename of resident.

In isolation, these pieces of the jigsaw have little value for identifying a living data subject. However, when you piece all these together, I think that you'll agree that it is very likely that you will be able to identify that single data subject who resides at this address.
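The aggregation effect described above, as an added example that is not part of the original article: it counts how many records in a constructed data set are singled out as each address component from the list is combined with the previous ones. The records, field names and function names are assumptions made for illustration.

```python
from collections import Counter

# Field order follows the article's address list (items 1 to 7).
FIELDS = ["country", "county", "postcode", "street",
          "house_number", "surname", "forename"]

# Constructed sample records: fictional places and people.
ROWS = [
    ("Exampleland", "Northshire", "AA1 1AA", "High Street", "1", "Smith", "Anna"),
    ("Exampleland", "Northshire", "AA1 1AA", "High Street", "1", "Smith", "Ben"),
    ("Exampleland", "Northshire", "AA1 1AA", "High Street", "2", "Jones", "Cara"),
    ("Exampleland", "Northshire", "AA1 1AA", "Mill Lane", "1", "Smith", "Dan"),
    ("Exampleland", "Northshire", "BB2 2BB", "High Street", "1", "Patel", "Anna"),
    ("Exampleland", "Southshire", "CC3 3CC", "High Street", "1", "Jones", "Ed"),
    ("Exampleland", "Southshire", "CC3 3CC", "High Street", "2", "Smith", "Fay"),
    ("Exampleland", "Southshire", "CC3 3CC", "Mill Lane", "1", "Brown", "Anna"),
]
RECORDS = [dict(zip(FIELDS, row)) for row in ROWS]


def singled_out(records, fields):
    """Count records whose combined values for `fields` match no other record."""
    def key(record):
        return tuple(record[f] for f in fields)

    group_sizes = Counter(key(r) for r in records)
    return sum(1 for r in records if group_sizes[key(r)] == 1)


def cumulative_risk(records, order=FIELDS):
    """Combine one more field at each step; report how many records are unique."""
    return [(order[i], singled_out(records, order[:i + 1]))
            for i in range(len(order))]


if __name__ == "__main__":
    total = len(RECORDS)
    for field, count in cumulative_risk(RECORDS):
        print(f"+ {field:<13} {count}/{total} records singled out")
```

A field set that singles out most records deserves the same classification and handling as a direct identifier, even when none of its individual fields does.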

In PCI DSS, there are 2 categories of cardholder data that need to be safeguarded from harm:

  • Primary Account Number (PAN) - The long card number.
  • Sensitive Authentication Data (SAD) - CVV, Track Data, PIN, etc.

As with personal data, where criminals can get hold of both of these data types, the risk substantially increases.

Note:

SAD relates to storage post-authorization.

Today's modern business operations are heavily reliant on data sets and as a consequence, it has never been more important for organizations to identify and classify their data assets, to understand the business needs for this data, to understand the data life-cycles and to identify any opportunities to decrease their data risks and to minimize the opportunities for compromising this data.

The Way Forward

If you think of each of your data asset types as being like different colored play pit balls, each color represents a different data type and attractiveness for criminals.

Now, imagine if your business had the opportunity to still have the same data sets (play pit balls) but having identified and categorized them, you decide that the risk is too great so you take the opportunity to transfer the risks to a third party. This third party de-colors the data sets (play pit balls), making them less attractive and valuable to an attacker and less impactful should your internal processes:

"Drop the ball!"

It should be noted that, as a result of the changing working conditions (COVID-19 pandemic), the Ponemon Institute observed a significant increase in the average cost of a data breach:

$180 per lost or stolen record vs.
$161 for overall per record average

This can be achieved through the use of cloud-based Dual Tone Multi-Frequency (DTMF) or Tokenisation technologies. Suddenly, you no longer need to worry about securing and maintaining the systems, people, or processes involved with the processing, storage or transmission of your clear-colored play pit balls.

Conclusion

If data security or data protection is becoming a hassle or is giving you a cause for concern, it does not need to be. It's all about balancing the risk to your data assets against what technology is available to suit your business operations.

By categorizing your data sets, understanding their values, risk assessing the data operations, and evaluating the security requirements, you will be better placed to understand what technology options could assist in reducing your worries and burdens.

Having done this you can make a more informed decision as to what options are the best fit for your business.

Susan Brown

Founder & Chairwoman at AssetChain | Pioneering Tokenised AI Wallets | Gasless AI-Powered Transactions for Institutional Finance

3 years

Brilliantly said Jim :-). I will comment on your email shortly :-)


More articles by Jim Seaman
