Today, business leaders are struggling to effectively safeguard their data assets. Technologies for individuals, businesses and Governments are developing at an unprecedented rate. With new technology comes greater types and quantities of data, and with greater quantities of data comes even greater responsibility to pre-empt breaches. Brian Lee and Ian Beale examine how chief privacy officers and internal audit functions can ensure that data is adequately protected.
Data leaks can happen at any time, anywhere and affect any type of organisation. Without the right barriers in place, it’s very much the case that today’s hackers need not look too far in order to find a way in.
Recent newspaper headlines have led us to believe that such large-scale and “scandalous” cyber attacks are those about which we should live in fear. In the last year alone, the Sony e-mail breaches caused a great deal of alarm while private photographs of Hollywood celebrities were stolen from the cloud and realised much publicity in the process.
Conversations here in the UK have centred on the prospect of a draft Communications Data Bill, christened by some as the ‘Snoopers’ Charter’. Certainly, data companies are now compelled to hang on to their customers’ communication trails for far longer than was previously the case.
For their part, business leaders should be on guard about the danger posed by external threats. They ought to have the appropriate technology and security systems in place within their company to prevent fraudulent behaviour and unauthorised access to their data assets.
However, CEB has found that the real threat to data privacy exists within the four walls of the office. Unfortunately, CEOs are all-too-often distracted by such aforementioned high-profile cyber events that they can fail to see the risks occurring in their day-to-day operations. In fact, even a small blip – from a misdirected e-mail through to a lost memory stick – can cost hundreds of millions of pounds to resolve.
Internal errors by employees
CEB has analysed privacy failures from hundreds of organisations around the world and duly discovered that 59% of such failures occur internally due to employee errors. These errors vary from poor management of personally identifiable information to revealing something confidential on the phone, in a meeting or – worse still – via e-mail.
Last July’s unauthorised salary-sharing database that emerged at Google reflected the extent to which workers are now passing on confidential information more often – and via more channels – than ever before.
Employees are within their rights to hold their employer to account. However, in addition to this they’re sometimes demanding that their employers reveal commercially sensitive or private information. As you might imagine, it’s very difficult for leadership teams to strike a balance here between candidness and the overriding need for discretion.
It might seem an easy task to blame the employee(s) implicated in such a situation. However, 38% of privacy failures result from weak processes within a company. Most of the time, employees are simply not able to make an informed judgement call on their actions because they lack the necessary training and advice to be able to manage data assets.
All-too-often, the notion of managing data privacy conjures up images of Boardroom discussions and high-level conversations between risk officers and CEOs, but in reality it’s now fair to say that employees at every level of the organisation are in loco parentis of their businesses’ integrity.
Responsibility for managing and protecting data
The responsibility for managing and protecting data stored by a company falls into the hands of a number of front runners. Naturally, the Board of Directors, the information security and information technology teams as well as each individual employee play a key role in ensuring a company’s data is protected, but there are two roles in particular that are integral when it comes to leading the charge: internal audit and the chief privacy officer.
Audit should support the chief privacy officer by conducting tests to ensure that management has taken the following essential actions:
*There should be a process in place to track and interpret data privacy regulations as well as ensure that standards are consistently applied across the organisation (including by third parties)
*Clear ownership of key data privacy activities should be established
Audit ought to review processes related to the collection, storage, deletion and transfer of personal information and the processes designed to respond to requests for information by individuals. They must always ensure that relevant regulations and other appropriate standards have been embedded,
*An up-to-date response plan must be ready to be executed by trained staff in order to deal with data breaches
Auditors are providing too much assurance over well-controlled risks yet too little over unknown, or otherwise under-controlled risks. This serves to obscure the vision of longer-term potential data breaches which might not seem urgent but may well have disastrous repercussions.
Audit must consider various questions. When is it best to look into the data audits around a specific project? What evidence is most useful? How can they report on audit issues efficiently and ahead of time? When auditing through change, how might auditors appropriate the framework in which they’re operating?
Versatility and influence
The chief privacy officer’s role should be one with demonstrable visibility and influence across the entire business. However, businesses are not yet giving enough attention – or budget – to this position.
When leadership teams look to ‘revolutionise’ the privacy culture within their companies, they must ensure that their recommendations trickle down to every level of the business. The chief privacy officer is key to this knock-on effect.
In order to anticipate where employees might slip up and pre-empt breaches, chief privacy officers need to work with both the compliance and information security teams in creating easy-to-follow training and procedures configured to help employees understand not only the importance of privacy, but also how to ensure secure behaviour at all times.
In addition, injecting visibility into how the business leads and how its teams work will enable staff to envisage where an accidental disclosure or data loss might occur, in turn leading them towards more helpful privacy risk assessments.
Between them, internal auditors and chief privacy officers hold the key to seeing through the adoption of better, smarter and faster prevention of data breaches. They can assist employees at every level of seniority to see how their actions might have an impact on the bigger picture.
Brian Lee and Ian Beale are Practice Leaders at CEB