Over the last few years, massive data breaches have impacted millions of consumers worldwide, with Equifax, FedEx, Uber, the online travel site Orbitz, and other entities hard hit by cyber thieves. Meanwhile, the Department of Justice and the Federal Bureau of Investigation have launched an inquiry into data mining firm Cambridge Analytica amid the privacy scandal currently embroiling Facebook.
While it’s not certain if the investigation is related to Cambridge Analytica’s alleged ties to the 2016 campaign of President Donald Trump, Facebook’s recent drama represents an object lesson in how organizations and businesses must better govern the data entrusted to them, said cybersecurity experts interviewed by Crain’s.
If nothing else, Facebook losing control of user data has created a dialogue about privacy at a scale never before seen, noted David Wintrich, chief academic officer at Tech Elevator, a Cleveland-based coding boot camp.
“There’s been larger breaches, but with Facebook it hit closer to home for more people,” Wintrich said. “There was a direct impact on Facebook’s stock price and users leaving the platform. If businesses weren’t paying attention, they should have been.”
Facebook has maintained that the incident wasn’t a hack of its systems, cold comfort to the as many as 87 million users whose data was gathered by a quiz app that siphoned information from the friends lists of its participants. The data was then allegedly packaged and sold, in violation of Facebook’s terms of service, to provide ad-targeting expertise for the Trump campaign, a possible violation of American election laws.
Whether or not the Cambridge Analytica incident technically constitutes a breach — a characterization Facebook’s chief security officer disputed on Twitter in March — it was certainly a breach of trust for millions of social media users who expected privacy. Regaining consumer trust requires a redoubled focus on culture, an element of data security that gets lost in hectic environments built on innovation, Wintrich said.
“Facebook is famous for its motto of moving fast and breaking things,” he said. “There’s a notion that they’re willing to tolerate bugs and rough edges in service of capturing market share. But if you break foundational infrastructure, it can be terribly disruptive. They weren’t exactly protecting user privacy.”
As physical safety and security are baked into the culture of most workplaces, data privacy should be treated with equal respect, starting at the C-suite level and trickling down into the rest of the organization.
“Leadership has to take ownership of that policy — they have to buy into it, live it and put teeth behind it,” Wintrich said. “(Facebook CEO) Mark Zuckerberg was culpable in creating a culture that didn’t put as much emphasis on that. You need a leader at the top of the company saying, ‘We screwed up and let’s do something about it.’”
Robert Eckman, recently appointed by Cleveland State University as executive director of the Cleveland-Marshall College of Law Center for Cybersecurity and Privacy Protection, encourages every organization to foster a company-wide culture of data privacy in the face of a growing threat landscape. According to a study from independent research firm the Ponemon Institute, the average cost of a data breach is $7 million, with an estimated one-third of companies globally expected to undergo some form of cyber assault within the next 24 months.
“When there’s these levels of data loss across the board, we’re going to see organizations focusing on security internally,” Eckman said. “That’s the necessary by-product of these attacks.”
Tools to combat malware and other online dangers are prevalent in business, but it’s the end-user that often poses the most imminent threat to data security, Eckman said. Without proper education, employees may unknowingly open phishing emails or click links to websites built to steal their info.
Hyland Software security evangelist Josh Gatka said “awareness training” in maintaining the privacy of personal information must be part of everyone’s job.
“Organizations should strive to train their employees, on a recurring basis, on how to handle the personal and private information of those that they do business with,” Gatka said in an email. “Training is typically supported with policies and audits that reinforce and cultivate a focus on data privacy and security.”
For companies entrusted with customer data, the first step is understanding precisely what kind of data they’re responsible for, Eckman said.
“A lot of organizations don’t know what their sensitive data is,” he said. “It could be electronic medical records or credit card numbers, but what about intellectual property? If you don’t know what you have, you won’t know how to protect it, and won’t be able to communicate that to your employees.”
An in-house data classification policy ensures this information is not only catalogued but also tracked as it moves between systems and people. Eckman said every university should form a data governance team that controls access to student records according to the requirements of the Family Educational Rights and Privacy Act (FERPA). FERPA defines the acceptable use of student information, which gives schools a baseline for drafting policies on software security or on protecting administrative network passwords.
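Eckman’s point that you cannot protect data you have not catalogued is where a classification effort starts. The following is an added example, not code from the article or from any organization quoted in it: a small Python scan over constructed sample records that tags each field holding payment card numbers (validated with the Luhn checksum so that order numbers and other digit runs are not miscounted), U.S. Social Security numbers or e-mail addresses. The field names, patterns, labels and sample rows are assumptions made for the illustration.

```python
"""Sensitive-data discovery over exported records (added example, not from the article).

Scans each field of each record, tags it with a classification label, and
builds an inventory of which fields carry which kinds of sensitive data.
The inventory holds labels and masked samples only, never the raw values,
so the catalogue does not itself become another copy of the data.
"""
import re
from collections import defaultdict

# Constructed sample rows standing in for a CRM export. The card numbers
# are the well-known test PAN 4111 1111 1111 1111 and a variant of it.
SAMPLE_RECORDS = [
    {"customer": "A. Example", "email": "a.example@example.com",
     "card": "4111 1111 1111 1111", "notes": "prefers email contact"},
    {"customer": "B. Example", "email": "b@example.org",
     "card": "4111-1111-1111-1112", "notes": "SSN on file: 123-45-6789"},
    {"customer": "C. Example", "email": "not-an-email",
     "card": "order #1234567890123", "notes": "none"},
]

# Candidate patterns. Card candidates are 13 to 19 digits with optional
# single spaces or hyphens between digits; they are confirmed with Luhn below.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value):
    """Keep only the last four characters so reports can point at a finding safely."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def classify_value(value):
    """Return the set of labels that apply to one field value."""
    labels = set()
    for m in CARD_RE.finditer(value):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):          # drop digit runs that are not card numbers
            labels.add("PCI:PAN")
    if SSN_RE.search(value):
        labels.add("PII:SSN")
    if EMAIL_RE.search(value):
        labels.add("PII:EMAIL")
    return labels


def inventory(records):
    """Map each field name to the union of labels seen across all records."""
    inv = defaultdict(set)
    for rec in records:
        for field, value in rec.items():
            inv[field] |= classify_value(str(value))
    return dict(inv)


def findings(records):
    """List (record index, field, label, masked value) for every tagged value."""
    out = []
    for idx, rec in enumerate(records):
        for field, value in rec.items():
            for label in sorted(classify_value(str(value))):
                out.append((idx, field, label, mask(str(value))))
    return out


if __name__ == "__main__":
    for field, labels in inventory(SAMPLE_RECORDS).items():
        print(f"{field:10s} {sorted(labels) or '-'}")
    for row in findings(SAMPLE_RECORDS):
        print(row)
```

The inventory, not the findings list, is what a governance team would act on: it says which columns of which export contain regulated data, which is the input to an access policy. The Luhn check matters in practice, since a naive 16-digit pattern would flag the order number in the third row and inflate the count of systems thought to hold card data.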
“Companies should have strong internal policies on who can access what data, and how easy it is to access,” said John Nicholas, a professor of computer information systems at University of Akron. “Lots of companies are upping their game, pulling employees aside about making good passwords, or limiting through policy what sites workers can visit to eliminate back-door breaches.”
More organizations are also considering data quality, and whether it’s legal, ethical or appropriate to utilize certain types of data for a particular purpose. A company like Goodyear, for example, shouldn’t need a customer’s driver’s license number as part of its record-keeping process, Nicholas said.
The team making these decisions should be composed of anyone with access to data, be it an operations manager, human resources official or IT expert, said Cleveland State’s Eckman. Study regulations carefully: The European Union’s General Data Protection Regulation (GDPR) is expected to bring about the biggest change to European data protection in 20 years, and it applies to U.S. companies that collect personal data from people in EU countries. Violations of GDPR can draw fines of up to 20 million euros or 4% of a company’s global annual revenue, whichever is higher.
“What’s driving the industry is not just being on the news,” Eckman said. “(Non-compliance) is going to have true consequences that will force companies to reassess their revenue structure as a result.”
If the Facebook scandal has taught companies anything, it’s that once their data is out there, there’s no getting it back. Just as organizations need to consider the quality of their data, they must also determine the uses to which they put their most vulnerable information.
“The bad guys are one step ahead and will remain so,” Eckman said. “So be careful what you share and how you share it. Be vigilant, aware and make sure to arrive at your own conclusions.”
This article was originally published by crainscleveland.com