Securing Sensitive Data in the AI Era: A Risk Professional’s Guide to Privacy and Compliance

As the AI era gains traction, new threats have appeared on the horizon, particularly with sensitive data. As organisations increasingly adopt AI, the volume of data has expanded exponentially. This is now fuelling concern over confidentiality and data integrity, among a myriad of others. But just what constitutes data risk? The term usually refers to the risks that confront an organisation, such as loss of value or reputation, arising from the challenges it faces in acquiring, storing, transforming or otherwise utilising its data assets.

Even if e-commerce is not a core business, most organisations have websites that not only tell the world at large about themselves, but invite enquiries from the public who want to know more. In so doing, organisations can acquire large volumes of data. Little thought is consciously given to the data that such a presence requires, and the amount of sensitive data that one enquiry can generate – or the risks that emerge every time a user engages with the system. Technology has made it easier to access data but as a result, unprecedented risks have emerged in tandem.

Not all companies are aware of how vulnerable they are. As long as they deal with data, they will have to grapple with risks like confidentiality and cybersecurity, and the risks which come with social networking and the increasing use of social media technologies. Additionally, with the burgeoning of interconnectivity in the AI era, the risk arising from formerly ‘dumb’ electronic devices which are now ‘smart’ is expanding faster than can be tracked. Cyber threats are real and growing; analysts actually believe that it is only a matter of time before every business experiences a systems breach.

Some of them may have already been hacked, but may still be unaware of it. Faced with these unpleasant possibilities, organisations need to be proactive about protecting the digital assets they hold, most of which may be in the form of sensitive data. They may have confidential customer information such as personal contacts, bank account and credit card numbers, home addresses, or even financial statements. How this information is used, stored and accessed must be considered when making assessments about the level of security required.

With an online presence now integral to the existence of organisations, and the volume of data that is inevitably generated as more people access information remotely, the risk manager’s portfolio has expanded in tandem. The handling of sensitive data and the emerging risks of the AI era are no longer the exclusive responsibility of the IT department. What this means for risk managers is that they will need to upgrade their IT-related skillsets to support a better understanding of related risks, and develop more effective ways of mitigating them.

Fortunately, it is not as daunting as it sounds because, as risk professionals, they will probably already have identified what constitutes a risk to the company, and be able to identify where system vulnerabilities lie. The organisation thus does not need to look for possible breach points, as these are already known, and solutions can be rapidly customised to the requirements of individual units or departments. In the event of a systems breach or hacking, disruption or denial of service will be minimised, and recovery will likely be faster.

With this in mind, companies should start developing a data risk management framework by determining what kind of sensitive data they have, and how secure it should be. They should also determine what electronic devices are being used to access secure company systems and networks. These electronic devices could be mobile phones, laptops, tablets, etc. that are utilised by staff either in the office or remotely in the course of performing their work. The Work from Home (WFH) phenomenon, in particular, has increased data risk.

In some cases, a large proportion of an organisation’s workforce may no longer work in a secure office environment. Instead, they access office networks and systems from remote locations which may be unsecured, thereby putting sensitive data at risk. Not only that, ransomware or malware may be planted in systems through these unsecured nodes, and go undetected for long periods until they inflict extensive damage by locking out or denying service to users. These can cause financial losses and reputational damage which the firm may find hard to recover from.

In addition to these risks, regulations for cybersecurity and data risk are becoming more stringent, making compliance harder. Heavier penalties have been mandated for unreported breaches, for instance, and Boards can be sanctioned for dereliction of governance and fiduciary duties. Identifying sensitive data that is at risk requires an understanding of what the data is, how it is applied, and the consequences of infringement of its integrity. Part of the challenge here is the fact that there is so much data to begin with, and more is generated every second.

Even data storage has been growing more complex, with organisations increasingly utilising cloud computing, which has also taken off in the AI era. Many firms put their sensitive data in secure, cloud-based locations, but this may lead to complex situations that are more difficult to mitigate. Organisations may find themselves becoming collateral damage when other cloud-sharing businesses are targeted by hackers. Using cloud-based systems means having reduced visibility and control over your data, which, again, could lead to disruption and denial of service.

As with physical risk, assessments have to be done for risks to digital assets as well. Gaps, shortfalls and weaknesses in the firm’s management of its data must be identified, and the appropriate technology be applied for mitigation. If they have not already done so, companies can start the process of identification by documenting the way data is collected, processed and stored. They should make sure that the data leaves a trail that can be followed so that regulatory compliance becomes easier and more transparent.
