Happy Day After (Data Protection Day ™)!
You probably also believe it is "important" (perhaps even "very") to protect personal data. But let's be honest, you just do it at a practical minimum because the law says so. NOYB.eu has the data in their most recent report.
But do you grasp why #dataprotection is an important responsibility to yourself as well? Spoiler: it's not the fines; those are a negligible risk anyway (or a business case). It's because someone else's data breach becomes a risk to your own security in just three simple steps.
Meanwhile in Far, Far Away 🏖️
Imagine a random app or corp leaks your name and home address. No big deal, right? Nothing to hide; at least the password was hashed; you can't access accounts with just an IBAN, etc.
Now, an address is a location. It has coordinates. And there are internet-connected devices at those coordinates.
So someone thought to build a search engine for them: Shodan.
What if... I took a random address in the Netherlands, and had a look at what it can find out of the box? Well, that's SCARY.
3160 critically vulnerable routers 🚨
Because now I know, for a single busy -random- neighbourhood in NL, there are 3160 routers and connected devices that have an unpatched critical vulnerability - meaning it's public knowledge how to get into those routers and home networks, and execute code remotely on them. That's right, thousands of open doors into homes. Oh, the irony: many are security cameras...
Now, some handrails for reasoning that this is not on you (these will go down well at your next board meeting, I'm sure):
- "It's not my responsibility they run unpatched software."
- "Nothing scanning software can't find, we're not amplifying the problem - it was there all along!"
- "Everything has been leaked already anyway"
- "Cars are used for crimes too - that's not on the manufacturer."
- "We just sell X, none of my business."
But it is at your doorstep 😳
Here's an angle that might work: everyone is amplifying everyone's issue. Your employees are someone else's customers. I can see about 10 hostnames (like intra.company.com) that give away there are employees using a corporate VPN, and cross-link them with vulnerable devices. Bingo 🥳. That suddenly brings that random data breach in Far Far Away to your doorstep as easily as Amazon delivers your parcels.
Now, you can't patch someone else's routers (not even your employees'). Your VPN probably safely tunnels all traffic. They received security "training". But still - all it takes is one tiny misconfiguration (SecOps are humans, too).
So you CAN make sure to protect the data you hold, so that it is unusable if your own security goes sideways.
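One concrete way to make a leaked home address unusable is to never store it in clear next to the rest of the record. The example below is an added illustration, not code from the original post or from PACE; it assumes a hypothetical customer table with an `ID`, a `Name` kept in clear for search, and the address stored only as AES-256-GCM ciphertext, with the key held outside the database (in a KMS or secrets manager, represented here by a variable). The record ID is bound in as associated data so a ciphertext cannot be moved onto another record. A dump of the table then yields no locations for anyone to feed into a device search engine.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Record is the hypothetical row as it would sit in the application
// database: name in clear, home address only as nonce||ciphertext||tag.
type Record struct {
	ID         int
	Name       string
	AddressEnc []byte
}

// newKey generates a random 256-bit key. In production this lives in a
// KMS/HSM or secrets manager, never in the same database as the records.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// aad binds the ciphertext to its row so a leaked or tampered value cannot
// be re-used under a different record ID.
func aad(recordID int) []byte {
	return []byte(fmt.Sprintf("record:%d", recordID))
}

// encryptField seals a single field with AES-256-GCM and a fresh nonce.
func encryptField(key []byte, recordID int, plaintext string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sealed := gcm.Seal(nil, nonce, []byte(plaintext), aad(recordID))
	return append(nonce, sealed...), nil
}

// decryptField opens a field; it fails on a wrong key, a wrong record ID,
// or any modification of the stored bytes.
func decryptField(key []byte, recordID int, blob []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, aad(recordID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key, err := newKey() // assumption: fetched from a KMS at startup
	if err != nil {
		panic(err)
	}
	// Constructed sample data; not a real person or address.
	enc, err := encryptField(key, 42, "Voorbeeldstraat 1, 1234 AB Ergens")
	if err != nil {
		panic(err)
	}
	row := Record{ID: 42, Name: "J. Doe", AddressEnc: enc}
	// What a database dump would expose for this row:
	fmt.Printf("id=%d name=%q address=%s\n", row.ID, row.Name, hex.EncodeToString(row.AddressEnc))
	// What the application can still recover with the key:
	addr, err := decryptField(key, row.ID, row.AddressEnc)
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypted:", addr)
}
```

The design choice that matters is key separation: if the key is stored in the same database (or the same backup) as the ciphertext, a single leak still yields every address. Keeping the name searchable while encrypting only the location field is a minimal change that removes exactly the data the post's three steps depend on.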
No need to be the first mover, of course...
(but if you DO care enough, PACE can help)