WHO COULD BE INTERESTED IN MY DATA?
Thinking that your company's data is of no interest to those who "professionally" steal it through increasingly sophisticated cyber attacks is one of the most common mistakes made by private companies and public institutions. It is enough to retrace the daily data entry activities of an ordinary company, be it small, medium or large, or of a government body, to understand why one's data can be interesting to many.
THE DATA CONTAINED IN ERP and CRM
No company now does without an ERP system, much less a CRM (or at least it should not...). Data is an inexhaustible source of constantly evolving information, in whatever field you operate. One therefore cannot avoid feeding one or more DATABASES and analyzing them with the most varied and sophisticated reporting techniques, in order to improve one's business efficiency. Whether we are talking about production, sales, marketing, logistics or service provision, data analysis to refine the accuracy of your business decisions is vital. It follows that DATA, especially data deemed SENSITIVE, is as interesting to the companies that feed, query and store it as it is to those who steal it, which makes theft a profitable illegal activity.
WHO BUYS THE DATA AND WHY
Just as receivers of precious and rare goods (stolen art objects or archaeological finds) have their own network of international buyers interested in that type of good as long as it is intact, hackers from all over the world have their own network of buyers of sensitive data. If a "datum" is intact and readable by anyone, it will also be very resalable on the market, whether to start future phishing activities or simply to be resold in turn, in a spiral of endless international trafficking of sensitive data.
CLASSIFICATION LEVELS FOR ITALY (ACN source)
The communication from the National Cybersecurity Agency relating to data classification levels has recently been published:
STRATEGIC: services whose compromise could impact national security.
CRITICAL: services whose compromise may cause damage to the maintenance of functions relevant to society, health, safety and the economic and social well-being of the country.
ORDINARY: services whose compromise does not cause prejudice to the economic and social well-being of the country.
THE RESPONSIBILITY
Although it is "legitimate" to think that an exfiltration of sensitive data, compared to a DDoS ransomware attack, has less impact on the functionality of your company's information system, in reality the collateral damage caused by the exfiltration itself can be entirely comparable, even if in different terms. The level of responsibility that regulations impose (GDPR), and will impose in an increasingly stringent manner (NIS2), on the storage and protection of third-party data held in one's company database will trigger very high fines in the event of their fraudulent exfiltration, thus affirming a fundamental principle that has been applied in other countries for some time: the protection of that data is the responsibility of those who actually feed and store it.
CONCLUSIONS
Taking concrete action on the protection of sensitive data only because of regulatory imposition, or because of the hysteria of the moment generated by a cyber attack, is reductive and at the same time misleading. If you really want to deal with new cyber threats, you need to adopt a conscious and multidisciplinary posture on the topic of cybersecurity in its entirety. For these reasons, it will be essential to act ahead of time, taking into serious consideration all the aspects that concern it, even the apparently less tangible ones, such as the reputational damage that may result and, naturally, the "prejudice" that could be generated.