If data is the new oil, how do you manage digital risk?

The recent Netflix documentary ‘The Great Hack’ showed how only a few individuals used data to undermine the lives and rights of millions, if not billions, of people. We talk to Grant Thornton’s Mike Harris about whether business owners have learnt anything since Cambridge Analytica.

The infamous Cambridge Analytica scandal that saw tens of millions of Facebook users’ data mined to influence pivotal political events from Brexit to the election of Donald Trump brought to light how data is now the most valuable resource in the world, beating oil.

Watching The Great Hack, however, it is clear that until now the early-movers in this digital age cared more about earning profits than reflecting upon the impact on the lives of those people who have to live with the consequences. What was particularly frightening was how the rogues’ gallery of players in the Cambridge Analytica affair consisted of just a few people working in politics and tech and how easy it was to game or manipulate sentiment using a few clever tricks.


While Cambridge Analytica occurred before GDPR (General Data Protection Regulation) became law across Europe – thus saving Facebook potentially billions of dollars in fines – what have we learnt since then? And how tuned in are business leaders to the responsibility they hold over the rivers of data they are now collecting?

Mike Harris, cybersecurity partner at Grant Thornton, explained how businesses of all shapes and sizes are trying to carve competitive advantage by leveraging digital information. Where this gets tricky is when businesses like Google or Facebook cross the line when it comes to using our personal data. Crucially, gathering all of this data only highlights the interdependency of privacy and security and the vulnerable position it puts businesses and private individuals in.

Has business learnt anything at all since Cambridge Analytica?

Grant Thornton recently released its International Business Report, surveying business leaders around the world, who have said that overreliance on software is their greatest weakness in managing cyber and privacy-related threats. And only 28pc of business leaders feel highly satisfied with their ability to protect against a severe data breach.

I put it to Harris: more than a year on since news of the Cambridge Analytica scandal broke in March 2018, and more than a year since GDPR became law across Europe in May 2018, has the business community, or more specifically the digital giants, learnt anything about the responsible use of software and data analytics?

Harris said that the pervasiveness of technology at a personal level, in terms of smartphones and internet activity, means that organisations are using data analytics to gain insights into what people are doing and what they are buying, but also what they are thinking from a political perspective.

“What we saw with The Great Hack and Cambridge Analytica (CA) is that CA was taking techniques that have developed over time from a targeted advertising perspective and was applying them to the political world. And we still haven’t really thought about whether we as a society or a government or whatever are comfortable with that.”

Harris said that while the European Union has been at the forefront of legislating for data protection and empowering data protection regulators, the problem ultimately boils down to how targeted advertising has become part of our lives.

He pointed out that while on the one hand we are comfortable with Amazon suggesting things we may want to buy, we are equally creeped out if we suspect our phones are listening and ads about what we were talking about suddenly pop up on our screens.

Crucially, it boils down to trust. And when it comes to data as a resource, companies need to be honest with their customers or users.

“The problem is that lack of transparency and understanding. Is the organisation clear about what they are doing? Does the organisation at all levels or especially at senior level understand what it is doing and then have they thought about the regulatory piece? You need to be clear what you need to do, you need to understand exactly what you are doing, you need to consider the risks for the privacy of the individuals involved.

“With CA it was started by a survey app that not just gathered data on the people that consented, but also people in the network who never consented.”

The frightening thing about CA was how the whole issue transcended giant tech companies, political consultancies and political parties with little accountability from anyone.

“What The Great Hack revealed is that while some of the people involved didn’t understand what they were at, some did. Some of those doing it didn’t know it was potentially illegal and that’s an organisational failure in terms of culture, that the focus was more on the commercial side than managing regulatory requirements.”

Does GDPR not focus the mind?

The onset of GDPR – which comes with fines of up to €20m or 4pc of global turnover, whichever is greater – should focus the minds of business leaders at all levels.

Ideally, it should create a scenario where a business owner-manager can no longer hide behind ignorance about technology.

But there is a balancing act between innovation and morals, technology versus regulatory compliance. And if so, how do we prepare the business leaders of tomorrow who have to compete by being innovative in a world where data is the new oil?

“Tech companies are relatively recent organisations. The whole concept of corporate governance, understanding and directing what goes on in the organisation, the regulation around that is already a fact of life in financial services. That’s only beginning to start now in the tech world.

“And there are also philosophical differences between different jurisdictions about how they want to do this. In Europe, it is about heavily regulating this stuff so that decisions can be made around the technology and it can be understood. The US might argue that you are going to stifle innovation.

“Privacy is a problem that hasn’t been sorted out but is going to be the battle ground in the next 10 years in the tech world around how you manage it and regulate it.

“That ultimately will drive a compliance culture. This is the transition that the financial services industry has already gone through, its regulators have teeth. I think you will see something similar from a tech perspective, but the challenge is going to be how do you balance the need to regulate and manage privacy and at the same time allow innovation in a reasonable way as well. A lot of the innovation that happens is at that boundary between the data, what you can get out of it and applying tech to make better decisions.

“Social media is now. But how do you regulate, what is reasonable for organisations or political parties to do as part of that? We’ve seen the extreme examples of what could happen in the UK around Brexit or the elections in the US.”

You will know when it happens to you

Crucially, this all filters down to what ordinary businesses are doing with the technology, the data and the desire to innovate and be relevant.

Harris said that ultimately business owners need to realise they are in the 21st century and digital is here to stay.

“A business owner who has an old website and who doesn’t see the need to update it or protect it adequately, for example, could very well find that one day it gets hacked and all of a sudden they are surrounded by law firms, forensic investigators and are suddenly €20,000 in the red, in the newspapers and face massive fines and reputational damage. All because they felt tech wasn’t their bag. A lot of organisations are only beginning to learn the hard way. The smarter ones are getting ahead of it and that is the challenge for Irish organisations.

“It is not just a technology thing, it is a risk management issue. No matter what size your organisation is, you need to think about risk.

“A lot of the issues you see in organisations are actually to do with the decisions people make when dealing with technology. It could be a business decision or down to an individual deciding whether to click on a link or opening an attachment.

“Technology can help but the problem is educating people within the organisation to do the right thing and to be conscious of the risks when they are dealing with technology.

“People think that once they’ve paid for their anti-virus or their firewalls they are okay now. You are actually not. It is actually the decisions that people make using technology that are the biggest cyber risks to organisations at the moment,” Harris warned.



Written by John Kennedy (john.kennedy3@boi.com)

Published: 5 September, 2019