Organisations across the board are slow to recognise that the data that is now fundamental to their operations has also opened them up to huge risks and vulnerabilities.
As a result, companies are failing to factor basic data protection and cyber security infrastructure into their decision-making at the highest levels.
The costly consequences of organisations’ appetite for data without implementing adequate safeguards have been evident in legislative penalties imposed by various governments on some of the world’s biggest corporations for failing to protect customer data and privacy.
In the Navigating Privacy and Law episode of the Bridging the Cyber Divide series, Mike Trovato, managing director of Information Integrity Solutions and lead security advisor and Internal Consulting Group’s global practice leader for cybersecurity, said the past year had seen Google fined €50m by the French regulator, and the UK regulator fined British Airways £183m and Marriott International £99m.
“It was good to see regulation having some teeth,” he said. “It got everyone’s attention and is getting people to take this more seriously, and to take important actions with respect to privacy and security.”
Meanwhile, competitive pressures and opportunities are driving organisations to gather more and more data. Thomas Fikentscher, regional director ANZ at CyberArk, said organisations were struggling to put in place the policies and procedures needed to handle the data being collected to serve business initiatives.
“Organisations need to find a way to shift their revenues online, but that comes with risk. They must collect a lot of data, and not just personal data. The problem is that they can only use that data for certain purposes; for example, can they share it with their supply chain?
“That part of the equation is not properly set into policies and measured against certain standards around privacy, data security and data access. It’s an area where we need to have a lot more discussion; where there are many more risks that need to be measured and need to be managed.”
Mr Trovato said compliance with data regulations was now one of the biggest challenges facing businesses – the danger has gone beyond simply a failure of compliance to represent an existential threat to organisations.
“The compliance issue is multifaceted and complex – it’s difficult to overlay it onto an organisation,” he said. “And there is a broad set of issues around shared risk – where what I do in my organisation can impact your organisation, and so forth. We’re really looking at an entire ecosystem.”
He said consumers had a right to expect businesses to do more to protect their personal data. “We have the expectation of safe vehicles and safe aeroplanes and so forth. But for some reason, in the area of information technology (IT), we expect the consumer to take a significant responsibility in managing the safety of our products. I think the world of IT has to do better.”
Mr Fikentscher said organisations had been slow to implement security commensurate with the risks created by their hunger for data.
“We’re still in catch-up mode,” he said. “Organisations want to move ahead, because of the business opportunity.
“Retail organisations, for example, collect a huge amount of data – they’re giving out loyalty cards, trying to understand who you are, what are your preferences, and monitoring your behaviour when they offer you certain things. They’re collecting all this information because it’s all about creating new digital experiences.”
He said that by doing that, and by being more reliant on the technology, they are creating an increasing amount of risk for their businesses, because a single breach – that gives someone access to that data – can severely disrupt them.
According to Mr Fikentscher, data security and liability should be standing items at every company’s monthly board meeting.
“Security considerations should be part of digital transformation initiatives from the beginning, but it is still not front of mind for most people. Revenue is the driving factor, but revenue could be severely compromised if they don’t get cyber security right.”
Mr Trovato, meanwhile, said his own investigations had revealed many examples of very poor data security.
“I’ve gone into organisations and tried to see if they are leaking personal information, or if I can obtain it through an attack. Almost every organisation fails both those tests. We need to do a much, much better job to protect information.”
There are some signs of progress, according to Mr Trovato. “We are seeing organisations that are a bit more forward thinking and doing some good privacy-by-design work, leveraging legislation. For example, the legislation around the Commonwealth COVID app is probably the strongest privacy legislation in the world.”
A key pillar of Australia’s development of a robust cyber security industry is the set of mechanisms used to rigorously protect citizen data and information, at both the public and the private level.
The increased reporting and disclosure of data breaches involving identifiable information, locally and globally, has kept a focus on data privacy, but there is a lot more work that needs to be done.
The Bridging the Cyber Divide series is produced as a partnership between InnovationAus and CyberArk.