By Phil Beckett, MD, Alvarez & Marsal
Technology is a part of our world which is constantly in flux, changing and evolving at a pace which we haven’t witnessed since the likes of the industrial revolution. The past 20 years have seen society flipped completely on its head: social media and smartphones are now commonplace on a global level, and access to the internet has gone from being a luxury to bordering on a basic human right.
However, this comes with a price – and that price is security. All the technology and digital communication methods we use leave data trails behind them, collecting enormous amounts of information about who we are, what we do, and how we communicate. We are sending and receiving knowledge at a faster rate than we ever have before – and with Facebook announcing the development of things like mind-reading technology, this is only set to increase. Unfortunately, this will not come without consequences.
We need multiple devices – such as laptops, tablets and phones – just to do our day jobs, and these all possess lengthy and sensitive data histories. On top of this, many employees have personal phones which are brought into the workplace on a day-to-day basis. These devices also come with huge amounts of information, and the problem is that this is data which isn’t logged by businesses. This opens up the possibility of rogue records being shared unwittingly or left largely unmonitored by people and organisations who may want to protect them.
This presents firms of all sizes across every sector with a problem: how can the data coming in and going out of the business be tracked?
In reality, it is becoming a near impossible challenge for firms to successfully monitor all of their data (and what exactly is being done with it) without complex sets of rules that can be stifling and stringent. Guidelines about how employees utilise technology – and even their social media accounts – are now extensive and commonplace. The consequences of such rules being broken were highlighted recently in the widely-reported Financial Conduct Authority (FCA) case: a former employee was found guilty of passing confidential client information to a personal acquaintance and friend using WhatsApp.
According to the National Security Agency (NSA), the former employee “received client confidential information during the course of his employment and, on a number of occasions between 24 January and 16 May 2016, shared that information with both a personal acquaintance and a friend, who was also a client of the firm”. Essentially, the NSA found that an employee shared private information with a friend in order to gain social capital. Worryingly, this was not a junior employee seeking a pay rise or behaving in a juvenile manner due to inexperience. It was a senior executive in a leadership position, who is now facing a £37,000 fine as a penalty for the breach.
Obviously, this case highlights quite an alarming issue. All of this information was passed digitally, through an app that the employee’s company did not have access to. If that employee had been asked to pass over hard copy documents of this information, would he have done so? Or is there a perception that sensitive information is less important when it’s transmitted via email or social media, instead of a hard copy? Although we may view digital communication as a more casual medium, the content is still going to be the same, and this issue needs to be addressed quickly.
We are aware from the media that data threats are almost omnipresent – we encounter new ones each day. Thus, the implications of how poorly organised and monitored data can contribute to these threats must be recognised. As the General Data Protection Regulation (GDPR) comes into force next year, there will now be formalised rules around how firms should be utilising data. Businesses must therefore put controls into place to ensure their data is stored in a compliant manner so that it is safe from abuse and protected from penalties or leaked information which could hurt their finances and reputations.
But how can this be achieved?
Most firms, unfortunately, keep data as an afterthought at best, with mismanagement being commonplace. This can thankfully be resolved by advising the implementation of templates and processes which dictate how data can be utilised by businesses without being manipulated or misused. Audits and detailed analysis will also be required to determine the exact data that businesses are holding, outlining who has access to it and if there is any potential for abuse to take place.
Auditing – identifying the potential risks
A large challenge for most firms is figuring out what data to keep in their information libraries, and what should be permanently erased. Names, addresses, employment, legal history or payment details are usually necessities – however this can create huge amounts of information which takes up lots of space. This will generate issues when ensuring safety and locating specific data sets, particularly if data goes back for many years and is held across multiple locations.
It’s also not unusual for large amounts of data to be sent across multiple mediums of communication, and stored on multiple servers and databases. There’s also the issue of information extracts which people will make from databases as and when they need them. This creates issues around duplication (such as customer information) – valuable information can be forgotten about easily when multiple copies exist. This obviously creates wastage in terms of value, from both a financial and time perspective.
This is not how proper data governance should be. Information should only be held in one, secure location: this is the only way to allow for the presentation of accurate and accountable material. Dissipated data is a nightmare in terms of both legality and time wastage: if data exists across multiple platforms, and must be located quickly, it can create a black hole in terms of resources.
What it means moving forwards
As demonstrated by the widely reported WhatsApp case, tracking how sensitive business data is utilised is another difficulty for data management. Tracing who is accessing what data is difficult, as while some data may be confined to different parts of a business (such as HR or finance), other sets of data can be readily accessed by a broad range of people across an organisation. This can sometimes be the case in client-facing firms, with client teams that have varying levels of seniority clearance to view budgets and sensitive information. Whilst you would think non-disclosure agreements (NDAs) would cover this issue, what’s to stop an employee WhatsApping information to a friend? The fact a prosecution has now been made is the first public example of social media being utilised to transfer sensitive information to external personnel.
How can we know that this is the only case? The fact that this instance has come to light suggests there are potentially other, undetected cases of employees transferring data in and out of businesses via various digital communication mediums – of which we now have many to choose from.
Businesses can no longer afford to ignore this issue and must take action to safeguard their data. Employing technologies and techniques such as Data Loss Prevention, periodic forensic analysis of devices and regular and robust analysis of relevant network logs can help firms to identify who is accessing what data and how they are accessing it. Following this analysis, organisations can begin to develop rules about who is able to access certain data sets and how it can be utilised both internally and externally.
When it comes to data access, there should be restrictions around accessibility to sensitive data, with a clear chain of command in terms of approving employee access. This procedure can also help to flag deadweight data which either has no further use or is simply being stored for historical purposes – allowing for deletion to save space where appropriate.
Keeping a close eye on what data is being accessed and how will be key for firms moving forwards. The FCA WhatsApp case highlighted the ease with which employees could access sensitive information and pass it to an external person. The worrying truth is that far worse cases could be going on. Firms could be blissfully unaware of damage being done under their noses, as the data governance they are undertaking does not allow for proper prevention. Data can no longer be overlooked in terms of the legal threat it poses: we must begin to treat it as the “gold dust” it truly is by recognising it as equal in importance to financial information.
Making sure that data access within an organisation is closely monitored will be key for firms moving forwards if they wish to comply with data regulations as they stand.
My advice would be as follows: When it comes to data, take action, take care, and take it seriously.