Save the Data: Keeping Data Privacy Off of the Endangered Species List

 Cyber & Risk

There are currently around 1 million species of plants and animals threatened with extinction. Up to 150 species become extinct every 24 hours.

Humans seem to be the leading cause.

14,717,618,286 records have been lost or stolen since 2013; 6,500,715 records are lost or stolen every 24 hours, which is about 75 records a second.

Humans seem to be the leading cause.

I had no idea the number of endangered species is so shockingly large. What I see more often in the headlines is another significant number, the number of breached data records that are now out in the wild, probably including yours. Looking at privacy from a security perspective, how can organizations better handle this situation?

Privacy isn’t security and security isn’t privacy, but there is an overlapping need across the two areas. When looking at a privacy program from a security lens, there are multiple areas where security can make an impact. One area is supporting the data security aspect of a privacy program.

Data Determination

One of the definitions of determination is “fixing or finding of the position, magnitude, value, or character of something.” Security can support a number of privacy and data areas: data identification, risk assessment, data protection, and data incident management. When looking at the definition of determination and the value that security can add to privacy, we can summarize the security approach to privacy and data as “data determination.” Using endangered species as an analogy, let’s walk through data determination.

1. Biological Classification and Taxonomy: Data Categorization and Mapping
2. Threatened and Endangered Species Determination: Data Risk and Impact Assessment
3. Wildlife Support and Conservation: Data and Security Engineering
4. Reporting Wildlife Crime: Incident Management Response

1. Biological Classification and Taxonomy: Data Categorization and Mapping

For a species to be considered endangered, it first must be categorized as a species, right? Biological taxonomy exists for several reasons, including helping people understand the diversity of life and giving them a precise vocabulary for communicating those differences. Organizations need to take the same approach with data. The first two controls on the CIS CSC Top 20 list are inventories of hardware and software assets; that same discipline of inventory and classification applies equally to data, because you cannot assess or protect personal information you have not found, named, and mapped to the systems that hold it.
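As an added example (not code from the article or its author), the following Python script shows what "data categorization and mapping" looks like in practice: a small discovery pass over constructed sample records from two hypothetical systems (`crm.customers` and `support.tickets`) that produces an inventory of which columns hold which kinds of personal information, at what sensitivity. The source names, column names, regexes and sensitivity tiers are all illustrative assumptions. The part worth noting is the `embedded` flag: PI that turns up sporadically in a free-text column is a common blind spot in inventories that only look at column names.

```python
import re

# Sensitivity tiers used by this example (assumed, not an industry standard).
SENSITIVITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Value-shape detectors: category -> (regex, sensitivity). Illustrative, not exhaustive.
VALUE_PATTERNS = {
    "ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "high"),
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "medium"),
    "phone": (re.compile(r"(?:\+1-)?\b\d{3}-\d{3}-\d{4}\b"), "medium"),
}

# Column-name hints for PI whose values have no recognisable shape (assumed names).
COLUMN_HINTS = {
    "full_name": ("name", "medium"),
    "date_of_birth": ("dob", "high"),
}

# Constructed sample records for two hypothetical systems; not real data.
SAMPLE_SOURCES = {
    "crm.customers": [
        {"id": 1, "full_name": "Ada Example", "email": "ada@example.com",
         "phone": "+1-555-010-0001", "plan": "gold"},
        {"id": 2, "full_name": "Bo Sample", "email": "bo@example.org",
         "phone": "555-010-0002", "plan": "free"},
    ],
    "support.tickets": [
        {"ticket_id": 9001, "status": "open",
         "notes": "Customer ada@example.com asked to reset MFA"},
        {"ticket_id": 9002, "status": "closed",
         "notes": "SSN on file is 123-45-6789, verify before refund"},
        {"ticket_id": 9003, "status": "open",
         "notes": "No PI here, just a billing question"},
    ],
}


def _higher(a, b):
    """Return the more sensitive of two tier names."""
    return max(a, b, key=SENSITIVITY_RANK.__getitem__)


def classify_column(name, values):
    """Classify one column from its name and its values.

    Returns (categories, sensitivity, embedded). `embedded` is a heuristic:
    a structured PI column matches on every string row, whereas PI that only
    shows up in some rows is most likely sitting inside free text.
    """
    categories = set()
    sensitivity = "none"
    if name in COLUMN_HINTS:
        cat, sens = COLUMN_HINTS[name]
        categories.add(cat)
        sensitivity = _higher(sensitivity, sens)

    rows_with_pi = 0
    total = 0
    for value in values:
        if not isinstance(value, str):
            continue
        total += 1
        matched = False
        for cat, (rx, sens) in VALUE_PATTERNS.items():
            if rx.search(value):
                categories.add(cat)
                sensitivity = _higher(sensitivity, sens)
                matched = True
        if matched:
            rows_with_pi += 1

    embedded = 0 < rows_with_pi < total
    return categories, sensitivity, embedded


def build_inventory(sources):
    """Map every source/column pair that holds PI to its categories and tier."""
    inventory = []
    for source, rows in sources.items():
        columns = {}
        for row in rows:
            for column, value in row.items():
                columns.setdefault(column, []).append(value)
        for column, values in columns.items():
            categories, sensitivity, embedded = classify_column(column, values)
            if categories:
                inventory.append({
                    "source": source,
                    "column": column,
                    "categories": sorted(categories),
                    "sensitivity": sensitivity,
                    "embedded": embedded,
                })
    return inventory


def highest_sensitivity(inventory):
    """Worst-case tier across the whole inventory (drives the risk review)."""
    tier = "none"
    for entry in inventory:
        tier = _higher(tier, entry["sensitivity"])
    return tier


if __name__ == "__main__":
    for entry in build_inventory(SAMPLE_SOURCES):
        flag = " (embedded in free text)" if entry["embedded"] else ""
        print(f'{entry["source"]}.{entry["column"]}: {entry["categories"]} '
              f'[{entry["sensitivity"]}]{flag}')
```

Run against the constructed data, the inventory lists three structured PI columns in `crm.customers` and flags `support.tickets.notes` as high sensitivity because an SSN was pasted into a ticket; that last row is the finding a column-name-only inventory would miss.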

2. Threatened and Endangered Species Determination: Data Risk and Impact Assessment

The IUCN Red List is the “world’s most comprehensive information source on the global conservation status of animal, fungi and plant species.” It has also defined an assessment process with specific criteria to fit species into multiple “red list” (threatened) categories. Similar to understanding threats to endangered species, we need to do the same with data. After data is identified and categorized, the organization must understand the impacts of its risks on individuals and on the organization. Start by reviewing the impacts to individuals; this will ensure you are reviewing the risks to your organization in the proper frame of mind.

3. Wildlife Support and Conservation: Data and Security Engineering

The National Wildlife Federation (NWF) is America's "largest and most trusted conservation organization." One of their goals is to reduce the threats to wildlife that lead to endangerment. Cybersecurity risk is likewise the intersection of threats, vulnerabilities, and assets (data included). Data risk analysis and assessment tells you where that intersection is largest, and therefore where a set of controls spanning people, processes, and technology should be applied to protect and secure that data.

4. Reporting Wildlife Crime: Incident Management Response

The U.S. Fish and Wildlife Service's Office of Law Enforcement enforces the laws that protect wildlife and plant resources. The Service also runs a forensic laboratory which "is the only lab in the world dedicated to crimes against wildlife"; it examines evidence and applies scientific methods to support law enforcement in wildlife cases. When an incident involving an endangered species occurs, there is a defined set of rules and protocols that they follow and execute. Unfortunately, many organizations have no equally well-defined incident response plan. Recent headlines show a steady stream of major data breaches, and in several cases even the messaging to affected customers has been poorly handled. Data-related incidents usually require coordination across a number of teams; that coordination should be reviewed and practiced on an ongoing basis through tabletop exercises and other incident response readiness activities.

Add Value with Security

Security can add value to a privacy program, particularly when it comes to data determination. Don’t let your customers become endangered due to how you’re handling their personal information (PI). Understand what you have, the risk to the individual, protect the individual’s data as best as you can, and be prepared to manage any fallout responsibly.

  1. Review how your organization is collecting, storing, and managing PI data. Do you have a comprehensive inventory of your PI data?
  2. Review the last couple of risk assessments performed against your PI data. Is there a repeatable process in place to assess the risks to PI data from an individual’s perspective? Does that process favor the individual’s perspective over the organization’s?
  3. Look at the controls currently in place as well as initiatives planned for the next year. How is your security team providing support to protect your data both onsite and offsite?
  4. Review the output from your last quarterly incident response tabletop. Was it attended by multiple business units? How useful were your response plans? What were the action items out of the tabletop and were they implemented?

About the Author


Matthew Karnas is the Cybersecurity & Risk Practice Lead at Sila. He has 18 years of experience providing professional services to Fortune 500 companies and government agencies across multiple verticals. He brings a unique mix of both technical and functional experience advising on information technology, cybersecurity, and risk management practices and approaches to drive client successes.