By Dr. Nina Mohadjer, LL.M
Even today, more than five years on from the pandemic-induced exodus from the office, companies are still struggling to comprehend the risk to their crucial data that this event continues to present. Nina Mohadjer has some inside advice on this multifaceted issue.
Today’s businesses have numerous organisational priorities. They need to protect sensitive information and manage the liability of keeping data in a complex and dynamic environment. How organisations approach this issue poses challenges and opportunities across their entire digital risk spectrum, mostly as they need to ensure continuous operations and increase finance, while managing their human capital.
Poor data quality costs the US economy approximately $3.1 trillion per year (Petrov, 2022), while one in four employees believes that they can use a personal cloud server to transfer work from home.
Cyber-scams increased during the pandemic by 400 per cent (Petrov, 2022), resulting in software platforms pulling from sales and marketing activities (Harper, 2021), and leading to a recovery cost of $1,000 per backup tape (www.ironmountain.com).
Furthermore, research indicates that data breaches involving remote workers will cost organisations more than $1.007 million more than other breaches (www.vpnmentor.com), while also bringing into focus cross-border bandwidth, which grew 148 times between 2005 and 2017 (Botwright & Sen, 2019).
Considering that 60 per cent of the world has now passed data privacy laws while managing 100 TB of data (www.spiceworks.com), 40 per cent of companies do not have a defensible disposal programme in place. Thus, the data journey of organisations becomes a challenge across the entire digital risk spectrum.

Issues of Data Management
Cyberattacks and data breaches have increased tremendously in the globally connected world, leading to legal and financial complications. The stated number of data breaches costs organisations more than $4.24 million (www.ibm.com), while stakes are higher when private data is involved. This number does not take into consideration the disruption to an organisation’s operations and the cost of rebuilding, which includes reputational repair, loss of human capital, and increased marketing costs, which can lead to rebranding (Harper, 2021).
- Governance. Organisations need to consider digital risk management and intelligence services that bridge all phases of their data lifecycle. When they acquire other organisations and merge or upgrade their business applications, focusing on every aspect, they should not forget that all of these actions can have a profound effect on their underlying data and technology. If these two aspects remain unaddressed, they can degrade data quality and expose the organisation to additional risk. Their departments and team members are mostly focused on data governance and challenged by maintaining compliance with the increasing number of global standards and regulations. Thus, organisations need to understand their business processes when developing a strategy to reduce their risk factors while maintaining their operational efficiency (Bennett, 2019).
- Privacy and Security. Global privacy laws are increasing and becoming more complex while, at the same time, the tendency is for simplicity in the working environment, which, due to the pandemic, has become comfortable with many working from home (Saporito, 2019). The question arises of how organisations can balance both demands.
- Information Governance. Organisations are under pressure to effectively protect sensitive data. From intellectual property to credit card numbers, the collection of data automatically brings risks and makes the organisation vulnerable (Bennett, 2019). This vulnerability is not recognised by many organisations and they miss developing accurate data security and governance programmes to protect the data and, ultimately, themselves.
- Legal Department Services. These data breaches and security issues have an impact on legal departments and have demanded some legal transformation. They are asked to drive strategic priorities while helping to evaluate risk and opportunities and, at the same time, function effectively and efficiently (Dawson, 2016). Organisations and, particularly, legal departments are asked to create and subsequently implement operating models that meet corporate objectives and demonstrate legal operations.
- Risk & Compliance. Presently, organisations do not need to “just” pay a fine for data breaches or for keeping their data in an insecure manner. Compliance breaches entail reputational risk and lead to loss of customers and reduced share prices (Botwright & Sen, 2019; www.corporatecompliance.com).
The globally connected world brings people and organisations together on a different level than previously known. Business processes have been transformed and diversified, increasing the number of legal actions for data protection and cross-border issues.
Solutions
Risks remain. It is up to organisations to recognise them and remain resilient after damaging incidents. Organisations need to be prepared to implement an effective incident response, as it is essential to mitigate the financial and reputational setbacks, avoid legal and regulatory repercussions, and restore trust. They need to have multidisciplinary expertise and have a strategic approach to cybersecurity and data privacy challenges, while being able to respond to stakeholders and end clients.
The incident response of an organisation becomes essential in evaluating its readiness. A data breach usually involves personal data and can have an adverse effect in terms of physical, material, and non-material damage for individuals. Before the message is communicated to the individual, the organisation has to notify the data protection authorities, evaluate the consequences of the data breach, and consider measures to address the data breach and its categories, while considering mitigation measures and the number of exposed records. Incident response includes properly trained staff using the necessary technical tools while selecting and implementing the appropriate controls. Communication should include a proper cybersecurity incident response procedure to assist in an accurate and timely response before a breach has gained publicity. This includes the coaching of executives as well as media coverage.
Effective cyber-incident response depends on an organisation’s ability to react quickly. An organisation needs to calm customers down, control the narrative, and be visible in a humble manner. Immediately after an incident, organisations need to follow up with the customers and develop tailored communication and outreach strategies. It becomes an organisation’s main task to provide strategic counsel to customers and ensure that legal, financial, regulatory, and reputational implications have not been damaged. The organisation also needs to ensure stakeholder engagement, media relations, media monitoring and, last but not least, data breach notification and call centre services.
Teams need to be prepared to remove malicious code, actor accounts, and unauthorised access, and protect data from leaving the network in order to fix the present issues and prevent further damage.
Understanding the scope of the damage requires a comprehension of personal data in relation to global privacy laws. Data types have to be analysed, while personally identifiable information (PII) has to be evaluated based on the risk and sensitivity categories in order to prioritise the notification strategy. Finally, organisations have to be able to recover from the damage by adding tools, technologies, and capabilities to ensure best practices (Harper, 2021).
At this point, I usually recommend that organisations conduct a gap analysis, which points up any shortcomings in a business’s performance. It evaluates whether business requirements and objectives are being met. Research determines the “gap” as that between where a business should be and where it presently is (www.techtarget.com). In the world of cybersecurity, a gap analysis refers to the point and time of IT involvement, as it indicates that the given gap needs to be “fixed” and eliminated to match the present status to the required one. Thus, it is an indicator for performance improvement. Different benchmarks can be used to perform the analysis, whether it is IT performance, customer satisfaction, revenue generation, or productivity.
The first step for a gap analysis is to determine target objectives. The organisation has to determine the goals based on the specific requirements of the project, department, and the mission statement of the organisation (www.pivotpointsecurity.com).
The second step is the present state analysis by collecting relevant data, for example how resources are allocated, what the present performance level is, whether documentation exists, what the key performance indicators (KPI) are, who the stakeholders are, and observation of the present activities (www.techtarget.com).
It should be mentioned that a gap analysis is taken into consideration when an organisation is performing a risk assessment. Additionally, a gap analysis should contemplate newly implemented technologies and data types and consider them part of the exercise.
Once both steps have been conducted, the organisation has an image of “Where are we?” and “Where do we want to be?” and can commence with the gap analysis and the strategic planning.
Furthermore, organisations could rely on numerous tools, such as Zabbix, which is used for numerous monitoring purposes, such as the health and integrity of servers, virtual machines, and applications (www.zabbix.com). As an enterprise-class open source tool, it allows users to receive email alert notifications for all events, which allows quick responses to potential server issues. Organisations can rely on the cooperation of Zabbix for capacity planning, as it demonstrates reporting and data visualisation on their stored data. This ensures the monitoring of the IT infrastructure in any given instance (www.oneibct.be).

Conclusion
Data increases as a byproduct of globalisation. It has become more difficult and challenging to keep an overview of where the data is and where it gets stored. Organisations are in a difficult position of handling everyday challenges and adding an unknown threat coming from the technology sector to their SWOT analysis. They are in need of dedicated technology teams who understand the ever-changing data landscape and know how to approach the safety, preservation, and collection of the new data types. Solutions need to be tailored to the organisation’s needs while teams have to have thorough experience in regulatory issues and reputation management. Furthermore, the times of a single department within an organisation have passed, as more subject matter experts in cross-functional services are needed.
While millions of fragments of personal data might be scattered across multiple data sources, it becomes challenging for organisations to reach and fulfil data subject notification requirements.
While new legislation and regulations may be formed around common principles and requirements, the regulatory burden for organisations is not a light issue they can underestimate. Globalisation also brings challenges such as local laws, culture, data use, organisational structure, and language. Organisations need to understand the global privacy and technical field, the culture of learning styles and IT approach, expectations of data usage, cross-border data transfers, and variations of consent requirements. It is also time that the main stakeholders understand and analyse their technology framework and infrastructure and challenge existing procedures.
An effective programme can reduce the pain points of implementing new procedures and analyse data privacy, while using the appropriate change management approach. Thus, organisations need to identify quickly where personal data resides, the data types and languages, and build the right methodology to avoid future incidents.








