Gartner : A Thought on Ransomware and Data Breaches for 2023

You've seen the years end and begin. It's been Sunday the 1st of January, maybe one last free day enjoyed, and now it's Monday the second. To time to also enjoy a working week again. Back to the office. What if:

Your car was suddenly driven by someone completely unknown. Sure, he drives you to the office where you intended to go in the first place, but then takes off and enjoys that thing himself. Weird huh? Something that is yours, is now used by someone else (too) and you did not agree at all. With our car, we call it theft (and quite a polite robber as well). With our data…

That's a data breach. Information was available to someone else where it should not have been. Subsequently it leads to misuse, abuse, wrong use or even secondary use while the primary goal is still achieved (what if they'd actually start driving you around everywhere and your ability to travel wasn't impaired at all?). You still feel it's wrong. Because it is.

Nothing new, right? And we've likely grown tired of the endless breach articles, let alone the notifications we DIDN'T get. But I'd like to put it to you that in 2023, we should be more aware of a different data breach. Often overlooked, failed to be recognized for what it still is. With cars, we still understand this. What if, instead:

You get out the front door, to find it's no longer there. Or maybe it is, but the key code has been altered and you can't get in. Or even if you can, there's sugar in the gas tank (or whatever nasty thing you can imagine that would immobilize you nonetheless). It now is not available to someone who should not have access, but it is definitively NOT AVAILABLE TO YOU.

That, too, is a data breach. Any situation where personal data is even potentially (i) available (ii) where it should NOT be (iii), or where it is NOT available where it should be (iv). Data integrity and availability are just as much critical elements of privacy and data protection programs as confidentiality is. We don't call that vandalism, we call that theft, too. Or at least (and that's the important part): 'loss of control'.

So may I suggest we in 2023 will agree on a few things?

- All data breaches are to be adequately responded to, whether by our own fault or that of others
- Fix the problem, not the blame
- Ransomware attacks ARE data breaches
- It is better to try and prevent a breach than to know how to respond to it. To those saying we can't prevent 100% I say I'm with you, but we can certainly do more in preparation than I observe is done today at times. Both remain relevant, but please let prevention prevail over 'it's okay, we have a breach response plan and it's tested'. Specifically when in part of that plan, there's no immediate recovery, recreation, or regaining control over data.

I do hope you will truly enjoy the work weeks ahead. 2022 has been a year full of blessings, and a fair few snags. Let's get into 2023 with the intention to

- Be responsible, and remain in control of the data we process, while letting go of what we no longer need.
- Speaking of which, perhaps we should in general try and do more of 'less', while pursuing 'more' a bit less.

Have a warm and wonderful 2023 everyone. Looking forward to our conversations!