The Platform

Enable your security and operations teams to proactively identify, prioritize, and remediate exposures to stay ahead of attackers.

Watch a Demo
GigaOm Radar for Attack Surface Management

The expansion of an organization's attack surface continues to present a critical business challenge. Download the GigaOm Radar for Attack Surface Management to get an overview of the available ASM solutions, identify leading offerings, and evaluate the best solution for you.  

Use Cases

The CyCognito platform helps you identify all of the attacker-exposed assets in your IT ecosystem for a complete view of your attack surface.

State of External Exposure Management

Download CyCognito’s State of External Exposure Management Report to learn key recommendations that your Security teams can implement to improve their exposure management strategy and minimize risk. 

Our Customers

External attack surface management is advancing cybersecurity into a new era. Learn how security experts across all industries benefit from using CyCognito’s platform.

The Total Economic Impact™ of The CyCognito Platform

Read The Total Economic Impact™ of The CyCognito Platform — a Forrester study. Cost Savings And Business Benefits Enabled By The CyCognito Platform. 

About CyCognito

We believe all organizations should be able to protect themselves from even the most sophisticated attackers.

Contact us

The knowledge you need to manage and protect your attack surface.

What's New Blog

Despite Tough Regulations, Tracking PII Remains an Ongoing Challenge

By CyCognito Staff
Rule Your Risk
December 23, 2020

Global online business practices changed significantly with the introduction of Europe’s General Data Protection Regulation (GDPR) in 2018, considered the first data privacy regulation with any real teeth and the potential for significant fines. The effects aren’t confined to Europe, of course, because they apply to anyone doing business with European natural citizens.

Despite the potential for extremely stiff fines and reputation damage when it comes to data privacy non-compliance or exposures, most enterprises aren’t able to fully comply with GDPR or similar data privacy regulations because they don’t have a good handle on all the places where personally identifiable information (PII) is being collected, transmitted, stored or inadvertently exposed in their extended IT ecosystem.

That makes mapping, monitoring and security-testing your extended IT ecosystem a prerequisite for identifying where GDPR-relevant data (or systems) may be exposed, and to pinpoint security issues related to those assets that could result in breaches of those systems or data. A particular challenge for GDPR is the “unknowns,” which CyCognito calls shadow risk. Research (described below) shows that organizations are ignoring much of that risk. To reduce the risk of violating GDPR and other data privacy regulations, it is critical that your enterprise continuously discover and test all of the assets in your entire attack surface with methods tuned to identify unknown, unmanaged and abandoned assets, whether they are on-premises, in the cloud or in subsidiary and third-party environments.

To emphasize the criticality of this approach, let’s take a look at what’s happened since GDPR went into effect in May 2018:

  • The rate of GDPR non-compliance fines assessed and the size of penalties has been 
    steadily increasing with large corporations based in the U.S. as well as Europe among those facing hefty multimillion dollar penalties. 1, 2 
  • “Insufficient technical and organizational measures to ensure information security” is the second most common reason for being fined for a GDPR violation, behind “Insufficient legal basis for data processing.”3
  • Other regions around the globe have enacted or amended similar regulations:
    For example, the California Consumer Privacy Act (CCPA)4 went into effect in January 2020. Like GDPR, it gives consumers more control over the personal information that businesses collect about them:
    • The right to know about the personal information a business collects about them and how it is used and shared;
    • The right to delete personal information collected from them (with some exceptions);
    • The right to opt-out of the sale of their personal information; and
    • The right to non-discrimination for exercising their CCPA rights.
    And 132 out of 194 countries have legislation to secure the protection of data and privacy according to the United Nations Conference on Trade and Development.5 To name a few:
    • Bundesdatenschutzgesetz (BDSG), the world’s first data protection law, was updated in 2018 to incorporate GDPR.6
    • Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) was updated in 2019.7
    • Essential segments of South Africa’s Protection of Personal Information (POPI) Act went into effect in July of this year with more to follow in 2021.8

Most enterprises have also vastly expanded their IT ecosystem since 2018 with the adoption of cloud and digital transformation initiatives and don’t have visibility to their entire attack surface, which makes it virtually impossible to be in compliance with data privacy regulations.

For example, as we know from our work with leading enterprises, it is not uncommon for assets from acquired subsidiaries to be unknown and unmanaged even by the subsidiaries themselves, much less the central IT and security teams… and you can be fined for non-compliance for breaches that occurred even before you acquired the company. 

Despite the fact that not being aware of all the assets in their attack surfaces can have significant consequences, most enterprises don’t take a broad enough view of their attack surfaces and their related exposures for effective digital risk management. A recent survey by CyCognito and the Enterprise Strategy Group (ESG) of cybersecurity and IT professionals revealed that more than 45% of respondents do not include SaaS applications, public cloud workloads, and partners/affiliates in their definition of “attack surface.” For example, an abandoned marketing landing page in the cloud could collect PII or credentials and store them in an unmanaged database; similarly, other unknown, unmanaged or abandoned assets could provide a pathway into customer information in an internal network via remote servers or external databases.  

What are the implications of all of the above?

Knowing where all the PII you’ve collected is in order to comply with data privacy regulations around the globe, including GDPR, requires that:

  1. You know where the PII is in order to share it back or delete it promptly should the data owner request it. 
  2. You know where it might be exposed so that you can comply with post-breach reporting requirements, which can result in substantial fines if defined breach disclosure procedures are not conducted within specified timeframes. 
  3. And it goes without saying, you must protect the PII you’ve captured to avoid the breach in the first place, maintain customer trust and protect your brand.

But you can’t protect data you can’t see; nor can you assure customers/citizens and regulatory bodies that your organization is complying with applicable data security laws if you haven’t examined the hidden recesses of your unmanaged, unknown extended attack surface for all the places that PII is being collected, transmitted, stored or inadvertently exposed. 

Obvious locations are:

  • main websites, corporate and subsidiary 
  • known landing pages and marketing microsites

But what about:

  • shadow IT assets
  • unsanctioned cloud deployments 
  • microsites created for you by third-party vendors
  • abandoned servers
  • unknown subsidiary assets 

Regulatory compliance is crucial from a business reputation and a bottom-line perspective. At the best practices level, compliance is a beneficial by-product of effective security processes. The CyCognito platform offers pioneering capabilities so that you can reduce your digital risk and better comply with data privacy regulations. It identifies hidden assets and attack vectors — including locating assets where PII could be inadvertently exposed — across your entire attack surface.

Talk to us to learn more about how we can improve the quality of your security and streamline and improve your compliance initiatives. 



Recent Posts

Top Tags

CyCognito Research Report

State of External Exposure Management

State of External Exposure Management

Download CyCognito’s State of External Exposure Management Report to learn key recommendations that your Security teams can implement to improve their exposure management strategy and minimize risk.

Dummies Book

External Exposure & Attack Surface Management For Dummies

External Exposure & Attack Surface Management For Dummies

As your attack surface has grown to cloud infrastructures and across subsidiaries, attackers are looking for and finding unknown and unmanaged assets to serve as their entry points.

Interactive Demo

Ready to Rule Your Risk?

Request a personalized walkthrough of the CyCognito platform to see how we can help your company identify all its internet-exposed assets, focus on which are most vulnerable to attacks, and accelerate your time to remediating critical risks.