Reducing CISOs’ risk with data broker management. Explore strategies to enhance cybersecurity and safeguard sensitive information in the digital landscape. Every time you use a search engine, social media app or website, buy something online or even fill out a survey you’re leaving behind a digital trail that can be picked up by data brokers. These are businesses that compile your personal information and sell it.
CISOs need to understand how data brokers operate and how to protect themselves against them. Here are some ways they can do so.
Identity Theft
Data brokers are companies that collect and sell personal information, such as names, phone numbers, addresses, birth dates, credit card information and more. They are a lucrative industry that is growing rapidly as more and more people share their personal information online. These firms can use your information to build a profile of you and market products or services that may interest you.
However, your personal information can also be sold to third parties who don’t have your best interests in mind. These third parties can use your personal information to engage in identity theft or to commit other fraudulent activities. In addition, your personal information could be used by law enforcement or government agencies to monitor or investigate you.
Ransomware attacks are becoming increasingly sophisticated. Cybercriminals are now able to extort not just for the ransom, but for the publishing of the stolen data. This double-extortion model is quickly raising the stakes for CISOs.
CISOs are focusing their attention on eliminating the potential for business disruption, whether through better backup systems or redundant systems. They are looking at ways to minimize the impact of data loss and exposure by hardening perimeters, improving encryption, and ensuring business-critical applications are isolated from non-essential systems.
In addition to the traditional costs associated with data loss, CISOs are concerned about the potential damage to their reputation when sensitive personal information is exposed or held hostage by cybercriminals. One healthcare CISO commented that they see the cost of ransomware as no different than the cost of a major power outage, as the company still incurs a direct cost for an outage that prevents production.
While many CISOs see business disruption as the most significant risk to their organization, others are more focused on the potential for data loss and exposure. As a result, some are adopting new strategies to mitigate this risk by moving their focus from prevention and remediation to detection and response.
With a number of new privacy laws, such as CCPA and Vermont data broker regulation, coming into force over the next few years, it is important for CISOs to act as a translator and guide their teams through the wild west of state-level regulations. A reactionary CISO will struggle to keep up, while a proactive leader will use a gold standard framework that is already being used by regulators to draft future standards (NIST CSF).
Third-Party Use
Data brokers essentially aggregate your personal information into a profile and then sell it to third parties. That may include companies that use it to deliver targeted online advertising or email messages, as well as businesses that use it to tailor their product offerings or marketing messages. Even credit scoring agencies sometimes purchase data from brokers in order to determine your risk level and reflect that in your credit score.
The problem is that you have little control over who gets your data and how it’s used. And while some of the uses are benign, others can be dangerous and privacy violations occur. This is particularly true when third-party companies are given access to your personal information and use it in ways you may not approve of. For example, you might receive unwanted telemarketing calls or targeted online ads based on your purchasing behavior.
Similarly, the information hosted on data broker sites is useful to cybercriminals looking for their next target. This is especially true when it comes to the reconnaissance phase of a spear phishing attack. Spear phishing involves posing as a friend, family member or familiar business contact in an attempt to get a victim to disclose sensitive information or download malware. Cybercriminals can use the compiled profiles on data broker websites to create more realistic-looking emails or texts.
These sites can also be useful to threat actors trying to execute CEO fraud or other types of impersonation attacks. These attacks are primarily based on reconnaissance, which involves finding out what an executive’s personal and professional contacts are, who they work with and what their roles are within the company. Using the information hosted on data broker sites, threat actors can make their impersonation emails look more legitimate and likely to be clicked on by their targets.
Thankfully, there are steps you can take to limit the danger of data brokers. The most obvious is to remove your name and other personal information from data broker sites whenever possible. This requires a powerful identity protection solution that can not only manage takedowns on your behalf but also continuously monitors these data broker sites for your information to re-appear.
Government Agencies
CISOs oversee the entire information security domain of their organization. This entails determining what resources are needed and how they will be apportioned, and interacting with other departments. In addition, CISOs are often the face of infosec in interaction with outside actors. This includes liaising with regulatory agencies and policymakers, as well as law enforcement. Familiarity with current data privacy regulations is also crucial.
The main danger of data brokers is that your personal information can end up in the hands of third parties, who may use it for purposes that you do not approve of. For example, you might be bombarded with targeted ads that aren’t relevant to your interests. This can be annoying and intrusive, especially if you don’t get to choose the ads that appear.
Another danger is that your information can be used by government agencies, such as police or immigration officials, who might use it to monitor you or investigate a crime. Having your information with data brokers can give them access to a detailed profile of your activities that can be difficult for you to dispute, even if it’s inaccurate or incomplete.
A third potential threat is that your information might be sold to other businesses that use it for marketing or advertising purposes. For instance, a car dealership might use information about your browsing and buying habits to tailor its advertising to you. Likewise, political parties might use your data to target you with political messages during election campaigns.
While it is a good idea for businesses to compile data on consumers so that they can provide better products and services, it’s important that individuals have control over how their information is used. Fortunately, there are ways to limit the risks of using data brokers.
One option is to use a service like Brand Yourself, which scans for your information across major data brokers and provides a list of the ones where it has been collected. Alternatively, you can check out the Privacy Rights Clearinghouse’s comprehensive list of data brokers and their privacy policies, which includes details on how to opt-out of their data brokerage programs.
Data Breaches
CISOs must have an effective plan in place to stop data breaches and mitigate the impact of them. The first step is to identify the information involved in a breach. This includes personal information, confidential business information and other proprietary information that could be used for nefarious purposes by cyber criminals. It also includes information that is a matter of national security or public safety.
Most often, a breach occurs when sensitive information is copied, transmitted, viewed or stolen from an organization. It can be a malicious attack by hackers or it could be the result of human error.
Cybercriminals often target small businesses to gain access to their personal information for financial profit or simply to cause damage. This can affect customers, employees and the company’s reputation. PII can be sold to data brokers and used for identity theft or other crimes. Data brokers also sell customer information to marketers, making it easy for them to target their marketing campaigns.
The most common reason for a breach is a malicious attack by hackers. These criminals use a variety of tactics to gain access, including phishing attacks, malware and password hacking. They are able to steal large amounts of data, including customer records and trade secrets. They can even target specific individuals and cause significant harm.
Other reasons for a data breach include an accidental disclosure by an employee, an insider attack or a flaw in a system. The latter can occur when an administrator uses a password that is known by someone else or when software vulnerabilities are exploited by attackers. Physical loss or theft of portable drives, laptops, office computers and other equipment also causes a data breach.
In addition, a data breach can be caused when a company’s servers or sites are compromised. The most important thing is to contain the breach and ensure that other parts of the network are not affected. This may require a review of service providers and ensuring that they have the appropriate security measures in place.
A ciso who is concerned about the dangers of data brokers should develop a cybersecurity program that includes a process to remove personal information from these companies. This will help protect consumers from identity theft and other cybercriminal activities.
