In the age of hacks and breaches, data can quickly become a sore spot for any company that collects or distributes it. Recently, Facebook’s major stumble involving the exploitation of its users’ information by Cambridge Analytica shone a particularly harsh spotlight on the issue of data and how it’s used.
“The recent attention on data security and usage has really created a groundswell of companies having a new level of concern, if you will, around what’s happening with their data,” said Todd Marlin, US principal specializing in forensic technology, data analytics and cyber security from EY’s Forensic & Integrity Services practice. “Is that data being used in the way that they’re allowing organizations to use it?”
At the same time, the standard ways of tracing the path of data and its various applications aren’t cutting it anymore.
“Historically, the way that these organizations are getting comfortable about that is through traditional methods, like a questionnaire – how are you using our stuff, who has access to it, how are you securing it? Ask yourself this: do you really know whether that’s true or not?” said Marlin. “Obviously we can’t forensically investigate everybody, so how do we come up with a sensible way to test that?”
One answer is conducting proactive forensic analysis to look into potential areas of risk, meaning that compliance and risk managers today need to understand not only their own company’s data – where it came from and where it’s going – but also how it’s being operated on by others and what decisions or assumptions have been made about the data along the way.
“In the same way where they’re looking outside what’s happening with their data – with the rising of litigation and the four-letter word GDPR – organizations are really trying to get a handle on what data do they have, where is that data, who has access to it, and then how are my models constructed – what data have I used to train those models, what are the outputs – and really understanding all of that,” outlined Marlin.
Understanding the what, where, who and how about data is part of the solution, but there’s still a dismissive psychology around security and people are still the weakest link in the equation.
“For this to actually change, we have to figure out how to address the psychology aspect of it, to get people to embrace that this is as important as paying attention to watching the road when you’re driving a car,” Marlin told Corporate Risk and Insurance, though he added that organizations are taking cyber threats more seriously even if they can’t protect against every threat. “Let’s be honest, there’s a cost-benefit analysis that everybody goes through because even if you have unlimited capital, you could not mitigate every risk in the world.”