New technology, such as artificial intelligence (AI) and cloud-based storage, is fuelling concern over data risk. But what constitutes data risk? This usually refers to the risks that confront an organisation such as loss of value or reputation, due to the challenges it faces with regards to acquiring, storing, transforming or otherwise utilising its data assets. It’s a rare organisation that doesn’t have a virtual presence nowadays. Even if e-commerce is not a core business, organisations tend to have at least a website that tells the world at large about itself, and invites enquiries from people who want to know more.
Little thought is consciously given to the data that such a presence requires, and the amount of data that one enquiry can generate – or the risks that emerge every time a user engages with the system. Technology has made it easier to access data but as a result, unprecedented risks have emerged in tandem, and not all companies are aware of how vulnerable they are. As long as they deal with data in one form or another, they will have to come to grips with the risks that inevitably arise. These risks include confidentiality and cybersecurity, among many others. Social networking and the increasing use of social media technologies is one, as is the risk arising from the growing use and interconnectivity of electronic devices.
The rise of hacking not just by script kiddies but seasoned, mercenary government-backed agents, is another. Corporate espionage, malware and ransomware, issues connected with electronic data management and cloud computing are also causing sleepless nights for CIOs, CTOs and CISOs. Companies can start developing their data risk management framework by determining what kind of data they have, and how secure it should be. Do they have confidential customer information, for example, such as personal contacts, bank account and credit card numbers? How these are used, who has access to them and where they are stored, all have to be considered when making assessments about the level of security required.
Internally, firms have to determine what electronic devices such as mobile phones or personal laptops are being used to access secure company systems and networks. Policies must be set in place to determine who has access to critical business data. There is also the issue of cybersecurity amid global pandemic conditions to deal with, especially with the rise of the Work From Home (WFH) phenomenon. In some cases, more than three quarters of an organisation’s workforce are no longer working in a secure office environment. Instead, they need to access office networks and systems from remote locations which may be unsecured, leading to increased data risk.
Systems become more vulnerable; loss or corruption of data may become more frequent, and hacking or breaches may occur – sometimes even without the knowledge of the systems administrators. Ransomware or malware may be planted in systems, and go undetected for long periods, until they inflict extensive damage by locking out or denying service to users. These can cause financial losses and reputational damage which the firm may find hard to recover from. In addition to these risks, firms now have to deal with tightening regulations for cybersecurity and data risk that are making compliance harder, with greater penalties for unreported breaches, for instance, and even sanctions against the Board for dereliction of governance and fiduciary duties.
One of the biggest stumbling blocks when it comes to setting checks and balances for IT systems and identifying data that is at risk, as well as risks that are data-connected, is the lack of understanding of what the data is, how it is applied, and the consequences of infringement of its integrity. Part of this may be attributed to the fact that there is so much data to begin with, and more is generated every second. For instance, biometric data could be used for identity theft to commit fraud. Even data storage has become increasingly complex, with organisations using cloud computing. Where does such data reside, and what if the data storage provider experiences a disruption?
As with physical risk, assessments have to be done for virtual risk as well. Gaps, shortfalls and weaknesses in the firm’s management of its data must be identified; only then can the appropriate technology be applied for mitigation. If they have not already done so, companies can start the process of identification by documenting the way data is collected, processed and stored. They should make sure that the data leaves a trail that can be followed, so that regulatory compliance becomes easier and more transparent. Careful documentation implies more robust internal controls and security measures. How data is safeguarded and who has access to it, are also important.
What has become top priority with the management of technology and data risk, is privacy – and the responsible, confidential, ethical use of data. Organisations which identify and protect core data assets, and set mitigation measures in place to deal with the risks that arise, will be able to successfully create value and opportunities for themselves. The post-pandemic New Normal will see more organisations getting aboard the digitisation bandwagon, and the business environment will likely be more data-driven as never before – and more regulated. Firms that strike a balance between managing their data assets and data risks will be on course for sustainability, competitiveness and growth.
