Global online business practices changed significantly with the introduction of Europe\u2019s General Data Protection Regulation (GDPR) in 2018, considered the first data privacy regulation with any real teeth and the potential for significant fines. The effects aren\u2019t confined to Europe, of course, because they apply to anyone doing business with European natural citizens.<\/p>\n\n\n\n
Despite the potential for extremely stiff fines and reputation damage when it comes to data privacy non-compliance or exposures, most enterprises aren\u2019t able to fully comply with GDPR or similar data privacy regulations because they don\u2019t have a good handle on all the places where personally identifiable information (PII) is being collected, transmitted, stored or inadvertently exposed in their extended IT ecosystem.<\/p>\n\n\n\n
That makes mapping, monitoring and security-testing your extended IT ecosystem a prerequisite for identifying where GDPR-relevant data (or systems) may be exposed, and to pinpoint security issues related to those assets that could result in breaches of those systems or data. A particular challenge for GDPR is the \u201cunknowns,\u201d which CyCognito calls shadow risk. Research (described below) shows that organizations are ignoring much of that risk. To reduce the risk of violating GDPR and other data privacy regulations, it is critical that your enterprise continuously discover and test all of the assets in your entire\u00a0attack surface<\/a>\u00a0with methods tuned to identify unknown, unmanaged and abandoned assets, whether they are on-premises, in the cloud or in subsidiary and third-party environments.<\/p>\n\n\n\n To emphasize the criticality of this approach, let\u2019s take a look at what\u2019s happened since GDPR went into effect in May 2018:<\/p>\n\n\n\n Most enterprises have also vastly expanded their IT ecosystem since 2018 with the adoption of cloud and digital transformation initiatives and don\u2019t have visibility to their entire attack surface, which makes it virtually impossible to be in compliance with data privacy regulations.<\/p>\n\n\n\n For example, as we know from our work with leading enterprises, it is not uncommon for assets from acquired subsidiaries to be unknown and\u00a0unmanaged even by the subsidiaries\u00a0themselves, much less the central IT and security teams\u2026 and you can be fined for non-compliance for breaches that occurred even before you acquired the company.\u00a0<\/p>\n\n\n\n Despite the fact that not being aware of all the assets in their attack surfaces can have significant consequences, most enterprises don\u2019t take a broad enough view of their attack surfaces and their related exposures for effective digital risk management. A\u00a0recent survey by CyCognito and the Enterprise Strategy Group (ESG)<\/a>\u00a0of cybersecurity and IT professionals revealed that more than 45% of respondents do not include SaaS applications, public cloud workloads, and partners\/affiliates in their definition of “attack surface.” For example, an abandoned marketing landing page in the cloud could collect PII or credentials and store them in an unmanaged database; similarly, other unknown, unmanaged or abandoned assets could provide a pathway into customer information in an internal network via remote servers or external databases.\u00a0\u00a0<\/p>\n\n\n\n What are the implications of all of the above?<\/p>\n\n\n\n Knowing where all the PII you\u2019ve collected is in order to comply with data privacy regulations around the globe, including GDPR, requires that:<\/p>\n\n\n\n But you can\u2019t protect data you can\u2019t see<\/strong>; nor can you assure customers\/citizens and regulatory bodies that your organization is complying with applicable data security laws if you haven\u2019t examined the hidden recesses of your unmanaged, unknown extended attack surface for all the places that PII is being collected, transmitted, stored or inadvertently exposed. <\/p>\n\n\n\n Obvious locations are:<\/p>\n\n\n\n But what about:<\/p>\n\n\n\n Regulatory compliance is crucial from a business reputation and a bottom-line perspective. At the best practices level, compliance is a beneficial by-product of effective security processes. The\u00a0CyCognito platform<\/a>\u00a0offers pioneering capabilities so that you can reduce your digital risk and better comply with data privacy regulations. It identifies hidden assets and attack vectors \u2014 including locating assets where PII could be inadvertently exposed \u2014 across your entire attack surface.<\/p>\n\n\n\n Talk to us<\/a>\u00a0to learn more about how we can improve the quality of your security and streamline and improve your compliance initiatives.\u00a0<\/p>\n\n\n\n 1. https:\/\/www.infosecurity-magazine.com\/news\/carrefour-handed-37-million-gdpr\/<\/a> Learn how effective digital risk management solutions can help you to comply with data privacy regulations including GDPR by mapping your attack surface.<\/p>\n","protected":false},"author":26,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[105,9,113,112],"class_list":["post-356","post","type-post","status-publish","format-standard","hentry","category-perspectives","tag-cloud-security","tag-cybersecurity","tag-gdpr","tag-pii"],"yoast_head":"\n\n
steadily increasing with large corporations based in the U.S. as well as Europe among those facing hefty multimillion dollar penalties. 1, 2 <\/sup><\/li>\n\n\n\n
For example, the California Consumer Privacy Act (CCPA)4<\/sup> went into effect in January 2020. Like GDPR, it gives consumers more control over the personal information that businesses collect about them:
<\/li><\/ul>And 132 out of 194 countries have legislation to secure the protection of data and privacy according to the United Nations Conference on Trade and Development.5<\/sup> To name a few:\n\n
\n
\n
\n
2. https:\/\/www.nytimes.com\/2019\/01\/21\/technology\/google-europe-gdpr-fine.html<\/a>
3. https:\/\/www.enforcementtracker.com\/?insights<\/a>
4. https:\/\/oag.ca.gov\/privacy\/ccpa<\/a>
5. https:\/\/unctad.org\/page\/data-protection-and-privacy-legislation-worldwide<\/a>
6. https:\/\/en.wikipedia.org\/wiki\/Bundesdatenschutzgesetz<\/a>
7. https:\/\/www.priv.gc.ca\/en\/privacy-topics\/privacy-laws-in-canada\/the-personal-information-protection-and-electronic-documents-act-pipeda\/pipeda_brief\/<\/a>
8. https:\/\/www.saica.co.za\/Portals\/0\/Technical\/LegalAndGovernance\/ms_20200622_POPIA_Sections_Commencement.pdf<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"