Foreword
Security is a concern for all of us, whether you are a receptionist or an engineer, and whether you work in an office or from home.
We all have a part to play in ensuring our organisations and systems stay secure.
As we continue through Cyber Security Awareness Month (CSAM), I wanted to ensure that people are aware of some of the 'core' security concepts.
Over the course of CSAM, I will be writing posts about aspects of cybersecurity / mainframe-security.
In today's post, following the recent IBM Z Day, I'll be elaborating upon the tangible value of data.
|
A Quick Introduction
Data is money.
When we think of money, we have this notion that it must be kept safe...
Bank vaults, combination locks, private safes filled to the brim with wads of hard cash.
Shouldn't we apply similar principles to data?
That's a rhetorical question: Of course we should.
|
Why is Data such a big deal?
The world is more connected than ever, which is both a blessing and a curse.
For better or worse, modern networks can connect everything from office computers and bank accounts to baby monitors and pacemakers.
Privacies that we may have previously taken for granted are being steadily exploited in exchange for frictionless convenience: As a society, we are willing to trade our personal information in return for assistance in our transactions and services.
But that rise in convenience is coinciding with the erosion of trust.
Personal data is being compromised, stolen and leaked with disturbing regularity.
Many corporate promises made about data privacy are ringing hollow, so is it any wonder that increasing numbers of people believe that their data is less secure than ever before?
For example, a 2019 survey of 24 countries found that 80% of respondents were concerned about online privacy, with one-in-four saying they did not trust the internet.
As a society, we are effectively trading our information for faster checkouts, despite understanding how likely it is that said information will be leaked.
|
Data: The Universal Currency
We know that data is a big deal and we understand why people are concerned about its safety.
But we still need to understand how much data is really worth...
In the modern era, the global economy revolves around digital technology and data is the most valuable commodity on the market.
The role that data plays in innovation and new technologies is critical, with vast numbers of organisations shifting towards a "data-driven" approach to make better decisions that suit their organisation, based on the insights generated by data.
First coined by British Mathematician and Data Science Entrepreneur, Clive Humby, the saying "data is the new oil" is very apt considering how valuable data is to the digital economy.
Depending on numerous variables (where you live, your line of work, which hobbies you take part in, etc...) information about you could be worth at least several hundred dollars a year to companies like Alphabet, Meta, Amazon, Microsoft and Apple.
For the average person living in the USA, their data generated almost $400 per year for Google and over $200 per year for Facebook, according to Proton's analysis of their regulatory filings.
That's roughly $600 annually per user, and we aren't even taking into account other businesses like Instagram, TikTok, Uber, etc...
Overall, your data could be worth well over $2000 per year between all of the various businesses that collect it.
|
Data Brokers: The middlemen running the markets
The Privacy Rights Clearinghouse reported that there are currently 270 data brokers in the world who collect and sell all kinds of personal data.
Where do these brokers procure this information? Thousands of "leading brands" sell information to data brokers, causing your data to be held across various databases.
For example, if you signed up for a loyalty card at a clothing store, your information might be sold to companies looking to market to pet owners.
Despite "Data Brokering" being a relatively new industry, brokers already have information for a pretty sizable amount of the population: a single company, Acxiom, purports to have data from 2.5 billion different people in 2023.
In theory, by the end of 2024 a single data brokering company may have data from an entire third of the worldwide population.
|
The (im)morality of Data Brokering
The morality of data brokering is highly questionable.
Most people don't realise quite how much of their data is being procured by these brokers, nor do they realise exactly what data of theirs is being traded by said brokers.
It's easy to think "ignorance is bliss" until we understand what information may be known about us, from our credit scores and medical history to our past traumas.
Pam Dixon, executive director of the World Privacy Forum, revealed at a congressional hearing that she had found data brokers selling information about people with health conditions like anorexia, substance abuse, and depression.
Undoubtedly the worst of these was a "Rape Sufferers List" sold by MEDbase 200, which was taken down following an inquiry from the Wall Street Journal.
It's upsetting how much money these brokers can make from information about our traumas.
|
What is your data worth?
The value attributed to data can vary wildly, especially when comparing perceived worth against recorded sales values.
According to a survey from SailPoint Market Pulse, one in five employees would sell the passwords to their work accounts, with 44% willing to sell for $1,000, while others would sell for less than $100.
Experian CheetahMail conducted analysis of client email data, finding that the average email address is worth $89 to a company over a prolonged length of time.
Focusing on revenue, it was estimated in 2012 that the data brokering industry generated a whopping $150 billion from its operations. Adjusting for inflation, that is $210 billion now, before we even account for the additional data they would have received in the last 12 years.
As it happens, we don't need to adjust for inflation: The Data Broker market size was valued at $252.12 Billion in 2023 and market analysts expect this to continue growing rapidly.
We must also consider the Dark Web / DarkNet, where people will pay for hacked accounts or personal details of people, with prices outlined in the Privacy Affairs dark web price index as illustrated below...
|
The penalties of not securing data
As discussed earlier, our personal data generates hundreds of dollars per year for companies like Google and Facebook according to analysis from Proton, and is worth thousands of dollars overall between all of the various businesses that may want to utilise it.
But what are the financial implications for organisations that promise to keep our data secure?
The fine for data breaches outlined in the General Data Protection Regulation (GDPR) may be as high as 20 million euros or 4% of an organisation's total global turnover from the preceding fiscal year (whichever value is highest).
Related to this, violating the Digital Operational Resilience Act (DORA) will cause an organisation to incur a maximum fine of 2% of its total annual worldwide turnover, or 1% of the company's average daily turnover worldwide.
It can be anticipated that when the European Supervisory Authorities (ESAs) impose penalties like these on a company that failed to comply with DORA and GDPR, said company will surely be in a state of financial peril.
Outside of these penalties, people will also lose trust in the organisation that let them down, which can result in customers choosing to disaffiliate from said organisation.
According to IBM's Cost of a Data Breach Report 2023, the average cost of a data breach was $4.45 Million USD: Taking a long-term view, the average cost has increased 15.3% from USD 3.86 million in the 2020 report.
Worse still, the cost of data breaches initiated by malicious insiders was 9.5% higher, at an average of $4.90 Million USD.
|
Final Points
Some people on the internet criticized the phrase for comparing data to oil.
Unlike oil, which is a scarce commodity, data is not a finite resource and can be reused.
However, just like oil, the handling of data should be regulated.
It's estimated that 90% of the entire world's data was created in just the last two years.
The amount of data created in 2023 currently stands at somewhere in the region of 120 zettabytes; for scale, a zettabyte is made up of a trillion gigabytes.
As a connected worldwide community, we cannot afford to act with wanton disregard when there is so much personal data in the ether.
------------------------------
Niall Ashley (he/him)
Consultant in Mainframe Security (RACF)
Vertali Ltd
------------------------------