The rogue hacker or the regulator - who poses the greatest threat?

Opinion by Jesse Canada

Organisations must know the location of their data, what permissions surround it, the requisite level of protection, be immediately aware of when it has been breached and know the population of individuals involved.

Most data breaches send tremors throughout the industry, but a recent hack has left the business world positively quaking. In June, Reddit, one of the world’s largest websites, reported two attacks. The first dated back to 2007; the second, which affected logs and databases linked to Reddit’s daily digest emails, had only just happened.

The most worrying aspect of this breach was that the hackers broke into employee accounts that were protected using SMS two-factor authentication – a security process widely accepted as good practice.

While it’s too early to assess the damage to Reddit’s reputation, there are several companies that know only too well the negative impact such an incident can make. An £18 million fine by the SEC was the least of Yahoo’s worries when almost three billion Yahoo user accounts were compromised. Mid-acquisition, they found themselves £270 million worse off as their buyer, Verizon, cut the price of the deal.

The Facebook/Cambridge Analytica scandal shows the potential damage when the use of data gets out of control. It involved the unauthorised use of personally identifiable information of up to 87 million Facebook users. While the data was harvested through permissions granted to a third party, questions were raised about how the data was provided to Cambridge Analytica and what rights they had to use it. Since then Facebook shares have dropped 8.5 percent and polls showed a 66 percent drop in consumer confidence in Mark Zuckerberg, who was subjected to US Congressional and EU scrutiny.

The lesson is that the entire extended data supply chain must be carefully managed – and not just for the regulator either.

A successful company can often quickly recover from the financial setback of a one-off fine. Reputational damage is different, especially when customers lose their trust in a brand. The financial impact is felt for a long time – not just directly through loss of business, but also through a drop in market value.

Technology can help enormously in creating the transparent environment required for compliance and in helping organisations build a thorough knowledge of their data so they can quickly identify abnormal activity. Automated discovery and data lineage create and maintain transparency into processes and the data being managed. Reporting supports an "audit ready" position so supervisory authority inquiries can be answered without a fire drill, while data intelligence change detection prevents new problems from sneaking in.

A data catalogue ensures that any user can easily access data as needed. A software-driven or intelligent data catalogue can locate even the most complex data, ready for analysis and decision making. This will enable users to spot personal information amongst new data and a data lineage version comparison alerts them to changes in how that personal data is handled.

What data a company chooses to collect, store and discard very much depends on the sector in which it operates. However, there are some steps that almost any company can take, such as capturing only the information directly related to its product or service and keeping it in a limited number of databases.

When it comes specifically to storing sensitive data, simple actions like avoiding generic passwords and applying guardrails are crucial.

Technology solutions such as data intelligence can go a long way to providing peace of mind here. Intelligent Data Analysers examine data and metadata to promote comprehensive understanding, including detailed automated data lineage for insight at a deeper level.

Process maps that show how protected data moves through the organisation are critical not just for compliance but also to acquire the kind of data awareness needed to be on top of potential incidents. These can show where data is vulnerable and if and how it moves to outside processors or outside protected areas. For compliance purposes, the company will need to record that protections are in place through model agreements and binding corporate policies.

Seeing all these moves as best practice, rather than compliance tasks, will help bring greater understanding and a deeper knowledge of your organisation’s data assets. The only way to deal with the threat is to do everything possible to reduce the risk, and then ensure there are ways to prove the measures taken and fend off the worst effects. This way both financial penalties and reputational damage can be minimised and contained.

Contributed by Jesse Canada, enterprise data management lead, ASG Technologies.

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.
