MPact » Insight
Get Ahead of Emerging Cyber and Privacy Risks
By Adriana Gliga-Belavic, Privacy Lead & Cyber Partner
The challenges of managing privacy demands while adapting to the pandemic and supporting a culture of continuous improvement.
- Now is the time to look at your data privacy program with a fresh set of eyes.
- Assess whether the areas of highest vulnerability and highest consequence are in line with your risk assessment.
- Ensure there is open communication between the top decision maker and the risk expert.
If data is the diesel that powers today’s economic engine, personally identifiable information (PII) is the rocket fuel launching it to stratospheric heights. More data means more power, acceleration, and speed in the never-ending battle for engagement, influence, and market dominance.
But this comes with incredible volatility. Even a small leak can trigger an explosive chain reaction that can damage everything in its path. And yet, many organizations are failing to adequately manage growing — and increasingly consequential — data security and privacy risks.
And, in perhaps one of the cruelest twists of fate, the global pandemic presented a unique challenge which most risk planning activities or data models could never have predicted.
At the same time, governments are cracking down on how organizations collect, share and use PII. Canada just announced it will soon enact a new Consumer Privacy Protection Act with strict new data privacy requirements and some of the heftiest fines in the world.
Not only do Canadian organizations need to be aware of the new potential consequences for noncompliance at home, but they also must manage how to align their privacy policies, processes and controls against numerous similar laws around the world if they do business in or with people in foreign countries.
It is a good time for organizations to shift their privacy activities into high gear: understand their risks and develop programs that enable the organization to use data in a responsible and ethical way. No matter the maturity of your current data privacy program, it is time to look at it with a fresh set of eyes.
TOP CYBER AND PRIVACY RISKS
- Data breaches: Organizations that collect too much information or don’t adequately protect the information they collect are particularly vulnerable.
- Cyber fraud: The more operations that move online, the more opportunities and means for fraudsters and cyber criminals to misappropriate information — and cover up their actions.
- Rising third-party risks: Organizations are responsible for the shortfalls of their vendors. Technology partners must meet or exceed stringent data security practices and standards.
- Adapting to evolving regulatory demands: Organizations need to stay informed about their obligations and continually adapt processes and procedures to avoid fines, penalties, and reputational damage.
- Ensuring insiders manage risk effectively: Employee awareness and vigilance is critical. It only takes one negligent technology or network user to compromise the whole system.
- Demands for transparency: Customers and employees need to be comfortable with how organizations are collecting, using, and sharing their information.
FOLLOW A RISK REDUCTION PATH
The following approaches will help ensure you stay on the right side of the law and may even point to new opportunities to safely add more fuel to your data engine.
1. Understand the impact: Begin with an environmental scan to understand the specific privacy risks that affect your business and industry—particularly in light of COVID-19. Prioritize these risks against a range of factors, including the:
- Types of breaches and attacks you’re most likely to face
- Systems and information that are most likely to be at risk of a breach
- Potential costs and damages of specific data falling into the wrong hands
- Costs and resources involved with protecting specific systems and information
It’s not feasible, or even advisable, to fortify the entire organization. Extra layers of security add extra costs, and information needs to flow to be useful. Focus on the areas of highest vulnerability and highest consequence and assess whether controls are prioritized and functioning in line with your risk assessment.
2. Provide training: All team members must understand their roles in information security. Determine whether the organization is supporting a culture of knowledge and empowerment through ongoing training programs — and whether these are sufficiently coaching employees on general best practices, as well as your organization’s specific data management policies and procedures. Ensure the training is kept relevant to increase engagement and help address the specific risks various roles and departments face across the organization.
3. Overcommunicate: Management should strive to make data privacy and security a regular topic of discussion across the organization. Build a culture where team members feel confident in calling out risky actions and blowing the whistle on unethical or non-compliant practices. Drive home the importance of secure technology practices at work and at home, especially given that the two environments are now one and the same for many people.
4. Collaborate: Build strong relationships with leaders across the organization and secure buy-in on the importance of data privacy and security. Each department will have specific objectives, priorities, and key performance indicators. Agility and adaptability are important, especially as organizations are responding to COVID-19. But quick decisions also need to be calculated and risk-based. That can only happen when there’s an open channel between the decision-maker and the risk expert.
5. Audit: Continuously measure the effectiveness of security controls. There is still a place for exhaustive annual or semi-annual audits, but given the pace of technological and cultural change — especially the changes brought on by the COVID-19 pandemic — it's pertinent to ask these questions more frequently:
- Is the organization focusing on the right risk priorities?
- Where is the organization most vulnerable to data leaks or breaches?
- Are information management practices and priorities consistent across the organization?
- Is the organization in compliance with all policies, procedures, and regulatory requirements?
- Do employees understand their roles and are they handling PII appropriately?
- Has the organization adopted any new business models or technologies — and have these introduced new risks you need to account for?