Updated: Aug 29
In a previous blog, we talked about how important it is to know what you have. That blog focused on an inventory of your software and devices. It is also vital that you understand what data you have. Why?
Different types of data interest different attackers. For example, if you have Social Security numbers, you might attract attackers looking to perpetrate identity theft crimes. If you work in the clean energy sector, you might attract big oil attack dogs. If you work in defense, you might attract nation-state attackers. Why is it important to know your type of attacker?
Attackers have a value proposition to maintain, same as anyone else. If you have no data that benefits them, then they are not going to put a ton of resources into breaking in. If what you have is super enticing to them, they are going to put a lot more effort in. Your effort will have to correspond. The more sensitive data you have, the more effort you will have to put into protecting it.
The other aspect of this is regulations. Regulations are a patchwork across different jurisdictions, but the big thing to understand is that they are generally based on data types, functions and locations. For example, if you have credit card data, you will have to comply with the rules from the Payment Card Industry. If you have Controlled Unclassified Information (CUI) from the DoD, you will have to meet the Defense Federal Acquisition Regulation Supplement (DFARS)/Cybersecurity Maturity Model Certification (CMMC) rules. In some states, like NY, if you operate a financial institution you will have specialized industry-specific laws. The Securities and Exchange Commission also has rules for publicly traded companies. If you collect consumer information, you will have to worry about privacy laws based on both your location and your customers' location. Different states have different privacy regulations, as does the European Union. The big takeaway with regulations is that while they are a patchwork, understanding your data and knowing where you and your customers are based is the secret to knowing what applies to your organization.