Updated: Jan 27, 2020
Increasingly, a company’s bottom line depends on how well it uses the vast amounts of data available to it, and, paradoxically, some of the greatest risks to that bottom line arise from using and retaining that very data.
Consumer-facing companies, for example, generate value not just from serving consumers directly, but also from analyzing consumer data to find new products and services that improve their customers’ experience. Staying abreast of customers means holding onto some data, and that retention represents a significant risk to those companies. The financial and reputational costs of data breaches can quickly swamp the value the data provides unless the right balance is struck between retention on one hand and data reduction and protection on the other. IT organizations are typically charged with managing these risks and have to align their work with core business practices to strike the right data management balance.
IT organizations often manage hundreds of integrated applications, each with its own risk profile. Boards, CEOs, and CIOs are determined to keep growing while minimizing risk. Some of the riskiest data collected by companies is PII (personally identifiable information). These data include things like driver’s license information, social security numbers, addresses, and telephone numbers that are often critical to the business and play an outsized role in customer analytics.
Unfortunately, our most valuable data is often the riskiest to store and process. These data are also at the heart of new data privacy laws like CCPA and GDPR that require organizations to properly manage the risks associated with personal data. Increased regulation means that getting data risk management right is even more important than before.
The mechanics of finding consensus around how to tackle these risks will vary depending on the industry and specifics of any organization. Industry-specific regulations and company-specific business processes make for a diverse risk management landscape. Here are a few generalizable tips and tricks derived from our experience helping many organizations undertake this task:
Avoid the “Weekend at Bernie’s” problem - Credit card numbers, government-issued identification, and other sensitive data are necessary for one-time business processes. Organizations often store these sensitive data to provide customers with convenience and to facilitate repeat transactions. It’s easy to keep these data past the point where the risk outweighs the business value. We’ve found through workshops and surveys that frequently used marketing data is most useful in the first two to three years after collection, but some organizations keep data so long that it outlives its owner. Sid Kirchheimer writes in the AARP bulletin that some 2.5 million deceased Americans have their identities used for fraud. While people may live into their 90s and beyond, many organizations have more data belonging to our oldest demographics than statistics would suggest. Don’t keep your storage filled with data that is outliving your customers!
At least make hackers try - Valuable customer data is too often poorly protected. Encryption and other data protection methods must be deployed to reduce information risk. If a business really needs those social security numbers, you should do more than apply a simple hash. Encrypt, and properly manage your keys. In addition, ensure systems are patched so that compromising these data takes more than reusing known exploits. While these seem like simple things, infoedge has seen organizations fail to take these basic precautions time and time again. In 2019 the Education Department in Maryland was found to have stored 1.4 million student social security numbers in plain text on unpatched servers, and many private businesses are not much better at rigorously protecting sensitive data.
Separate the information from the data - A simple way to reduce information risk while maintaining some data for business use is to reduce data fidelity where possible. For example, the full date of birth (e.g. day-month-year) can be replaced by month and year, or just year, while maintaining its marketing value (e.g. demographics). Data users, especially data scientists like us, often balk at this. Determining where to reduce data fidelity is a vital data science project through which security and data analytics experts can jointly demonstrate value to their organizations.
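As an added illustration of the retention advice and the fidelity-reduction advice above (example code written for this page, not code from the original post or from infoedge), the following Python purges records older than an assumed three-year window, flags dates of birth implying an owner older than an assumed 110 years, and replaces the full date of birth with a coarser value before a record is kept. The retention window, age threshold, reference date and sample records are all constructed assumptions.

```python
from datetime import date
from typing import Dict, List

# Assumed policy values for this example (not figures from the original post).
RETENTION_YEARS = 3        # records collected longer ago than this are purged
MAX_PLAUSIBLE_AGE = 110    # a DOB implying someone older than this is flagged
AS_OF = date(2020, 1, 27)  # reference "today" used for the sample run

def reduce_dob_fidelity(dob: date, level: str) -> str:
    """Generalize a full date of birth to a coarser value that still
    supports demographic analysis: 'month-year', 'year' or 'decade'."""
    if level == "month-year":
        return f"{dob.year:04d}-{dob.month:02d}"
    if level == "year":
        return f"{dob.year:04d}"
    if level == "decade":
        return f"{dob.year - dob.year % 10}s"
    raise ValueError(f"unknown fidelity level: {level}")

def years_between(start: date, end: date) -> int:
    """Whole years elapsed from start to end, accounting for the anniversary."""
    years = end.year - start.year
    if (end.month, end.day) < (start.month, start.day):
        years -= 1
    return years

def minimize_records(records: List[Dict], today: date, level: str = "year") -> Dict[str, List]:
    """Purge records past the retention window, flag records whose DOB implies
    the owner is implausibly old, and keep the rest with only the reduced DOB."""
    kept, purged, flagged = [], [], []
    for rec in records:
        if years_between(rec["collected_on"], today) >= RETENTION_YEARS:
            purged.append(rec["customer_id"])
            continue
        if years_between(rec["dob"], today) > MAX_PLAUSIBLE_AGE:
            flagged.append(rec["customer_id"])
        reduced = dict(rec)
        reduced["dob"] = reduce_dob_fidelity(rec["dob"], level)  # full DOB is dropped
        kept.append(reduced)
    return {"kept": kept, "purged": purged, "flagged": flagged}

# Constructed sample records (not real customer data).
SAMPLE = [
    {"customer_id": "c1", "dob": date(1985, 7, 14), "collected_on": date(2018, 3, 1)},
    {"customer_id": "c2", "dob": date(1990, 1, 2), "collected_on": date(2016, 1, 1)},
    {"customer_id": "c3", "dob": date(1899, 5, 20), "collected_on": date(2019, 6, 30)},
]

def run_sample() -> Dict[str, List]:
    return minimize_records(SAMPLE, AS_OF)
```

On the sample, c2 is purged for age of collection, c3 is kept but flagged because its date of birth implies an owner past the plausible age, and every kept record carries only the birth year.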
Trust but verify - Third-party applications and vendors frequently need to collect and store data to provide needed services and capabilities. However, they often end up collecting more data than necessary or holding onto it longer than needed. Combine this data glut with the fact that nearly 60% of security professionals believe they were compromised by third-party partners, and it becomes obvious that good vendor management is imperative for managing data risks. Have clear data governance requirements baked into all vendor contracts from the start. Organizations must also define and enforce an appropriate level of due diligence before contracting vendors, as well as standards for auditing these suppliers’ data management practices. Unfortunately, PwC found that only 46% of companies required third-party partners to comply with privacy policies or even audited their vendors. Managing third-party risk can seem daunting, but infoedge can help by taking a risk-based approach to addressing the risk debt companies have accumulated and focusing first on the vendors with the most data exposure.
Prepare for the future today - Mobile apps and automation open new ways to collect and use data, but they also increase the data risk organizations face. Customers can upload driver’s licenses and other documents with a cellphone or complete sensitive transactions with the help of an automated kiosk or online application. Companies should consider how these new channels change the quantity of data collected and how automated systems should be monitored to ensure that data integrity and security are maintained.
As CCPA goes into effect and the scope of potential GDPR fines comes into focus this year, many organizations will begin to have conversations about how to manage the risk associated with the collection and use of data. Additionally, 2020 is bound to see further advances in AI and advanced analytics. This will increase the need for organizations to make better use of data to grow or defend their competitive advantage. Against this backdrop, it is critical to get the basics of data governance right. Do more than develop a strong data lifecycle and data policies. Ensure that the management of risks associated with your data is at the core of your governance strategy.
To learn more about how to manage your data risks, contact us.