Managing the Hidden Causes of Data Breaches
Introduction
Think about it: each time a customer uses a store loyalty card, drives away in
a new car, or buys a pair of shoes, data is being collected, processed, and used
to predict their next purchase, develop a new product or service, or improve
a marketing campaign. Similarly, each time an employee clocks in, sends an
e-mail, or spends time on the Internet, data is being collected that could measure
his or her productivity, work habits, likelihood to stay, and even potential for
risky behavior.
In 2015 alone, customers, employees, and other users created about 7.9 zettabytes
of data globally. By 2020, that number is expected to reach 35 zettabytes.1 To
put that in context, if gigabytes were dollar bills placed on top of one another,
the stack would stretch to the moon and back almost five times. But it's more
than just the growing volume of data; the types of information collected are
multiplying as well. Where organizations once gathered mailing addresses and
telephone numbers from their customers, new technologies now allow them to
track demographics, web histories, buying preferences, physical location, and
even biometric data.
For many executives, it can feel like more information is better. Unfortunately,
collecting a virtually unlimited amount of customer and employee data poses
a serious problem for organizations, as the amount of information they collect
often outstrips their ability to protect it. In 2014, 43% of companies experienced
at least one data breach.2 And the severity of these breaches is increasing too; the
average total cost of a data breach rose this year to $4 million (a 13.6% increase
from 2014).3
These numbers are especially scary given that 76% of information risk executives
believe it is now harder (or significantly harder) to prevent data breaches than
in the past. Worse, if the breach contains certain types of sensitive personal
information (e.g., social security numbers, health records, credit card numbers),
it can constitute a privacy failure, and additional legal duties are triggered that
could prove burdensome and invite increased regulatory scrutiny. And, of
course, there's the reputational damage; more than 90% of US Internet users
say they avoid companies that do not protect their privacy.
[Figure: The Rising Cost of Data Breaches. Left panel, average total cost of a data breach (in millions): $3.5 in 2014, $3.7 in 2015, $4.0 in 2016, a 13.6% increase. Right panel, share of information risk executives who say preventing data breaches is now Easier, has Stayed the Same, is Harder, or is Significantly Harder than in the past (values shown: 10%, 14%, 24%, 52%).]
To further complicate matters, it's not just data collection and use that are
rapidly changing; the legal and regulatory environment is changing as well.
Depending on where data is collected, stored, and used, companies can be
subject to multiple (and potentially conflicting) regulatory frameworks for
managing data. This complexity is made worse as many countries, including
the United States, have yet to establish an overarching framework for
governing data.
Countries that do have governing frameworks are creating strong enforcement
mechanisms. For instance, the recent General Data Protection Regulation
(GDPR) set forth by the European Union provides for substantial penalties
for violations, as much as 4% of global revenue. That said, the recent vote by
the United Kingdom to leave the European Union highlights the regulatory
uncertainty companies will continue to face; the United Kingdom must now
determine its own laws and regulations on governing information (which could
be even stricter than those of the European Union).
Rightly so, boards and senior executives have begun to focus more of their
time learning to balance the benefits of data with the costs of ensuring its
protection, particularly data related to their customers and employees. An
overwhelming 94% of information risk executives stated that their boards'
cybersecurity concerns have increased. The typical company's first step in
reducing the potential for data breaches is to invest heavily in firewalls and
new technologies to detect intruders. Indeed, the average information security
budget last year was $14.7 million, and that budget is expected to increase by
an average of 5% in 2016 (with almost half the companies surveyed expecting
their budgets to grow by more than 10%).
2 Elizabeth Weise, "43% of Companies Had a Data Breach in the Past Year," USA Today, 24 September 2014, http://www.usatoday.com/story/tech/2014/09/24/data-breach-companies-60/16106197.
3 Ponemon Institute, 2016 Cost of Data Breach Study: Global Analysis, June 2016.
The simplest way to protect sensitive data from hackers or rogue employees
is not to have it in the first place. Thieves can't steal data that isn't there. But
companies drawn by big data's tantalizing promises can collect too much
information in the hopes that they might be able to analyze it later. Worse,
companies often keep data long after its usefulness has passed; data doesn't
need to be current for a data breach to occur. Disposing of data properly is just
as important as collecting it.
In the end, collecting data for data's sake often creates more risk than reward
or more headaches than opportunities. There's a difference between big data
and lots of data, and organizations need to constantly evaluate how they use
data and set clear guidelines on what data they collect and store.
Assess the Value of Data Relative to Its Risk and Costs
As most executives realize, the risk of a data breach must be weighed against the
potential return from using the collected and stored data. As such, leadership
teams need to determine their risk appetite for data collection and retention.
Assessing and evaluating the true value of data and the potential risk of a data
breach will help leaders set their data strategy and avoid collecting too much.
To establish a common data risk appetite and rules for data collection and
protection, executive teams should ask the following questions:
1
Too often, companies use a "collect now, analyze later" approach to information,
thinking that more information is always better. Instead, leaders should consider from
the outset how the information will further their corporate strategy and performance.
Some areas to consider include:
How the information will increase revenue or reduce cost, including specifics on
how the data will influence decisions or processes that affect critical outcomes like
sales and employee retention;
Potential future uses for the data, including advances in analytic methods or new
strategic directions for the company; and
Current internal initiatives the data could enhance, such as Marketing's evaluation
of potential product launches or improvements to website traffic and brand
awareness.
2
In addition to understanding the data's value, leaders need to assess honestly whether
their organization has the skills and capabilities necessary to collect, manage, and
analyze the data. In reality, many organizations live in a world of data abundance
but analytics scarcity. The data science skills and analytic know-how required to tap
into high-volume data streams and apply that information in decision making are in
high demand and, in many organizations, newly emergent. Executives should ensure
they have a capable team of analysts and data experts ready to turn data into insight;
otherwise, the data may sit largely untapped or, worse, misused.
3. How would the public react to the information we collect and how we use it?
Keeping all company information secure is important, but certain types of information
(e.g., health records, social security numbers, credit card numbers) require heightened
protection under specific privacy laws or regulations. Losing such sensitive information
can turn a data breach into a full-blown privacy failure. Companies need to address and
classify these information types and understand the oversight and compliance costs
associated with their retention. As noted earlier, the potential cost of a data breach
involving sensitive data can be substantial and must be considered when determining
whether the information will advance business objectives.
5
As mentioned, companies often keep data long after its usefulness has passed. As
organizations adapt to the changing business environment, data collected from
previous initiatives can easily be forgotten and buried within corporate servers. Leading
companies are incorporating the data they collect into their records management
policies to ensure the data does not exist indefinitely. For instance, data from former
customers should be considered for proper disposal because a breach involving that
information could still trigger legal consequences, such as the requirement to inform
all customers of the breach. Moreover, the customers' information is likely outdated,
requiring a significant investment to track down current addresses and notify them in
the event of a data breach. Establishing data's shelf life is a critical step to minimize
the risk of a costly data breach involving low-value data.
6
Given data's various uses today, many employees will need access to the data or to the
results of the data's application. Fully understanding who will be working with the data
(especially sensitive data) can help prioritize risks and pinpoint potential breach points
more quickly. When determining this, leaders should identify who will handle the data
(e.g., IT, Marketing, HR), how they will use the data, and who might need continuous (as
opposed to one-time) access. In addition, steps should be taken to ensure employees
who don't need access to sensitive data don't have it.
How and why do employees put sensitive data at risk? Simply stated, employees
typically create a data breach in one of four ways:
[Figure: How employees put sensitive data at risk (n = 2,230 employees; source: CEB analysis). Unintentional lack of awareness: 58%; Intentional, non-malicious behavior: 45%; Unintentional mistake: 44%; Intentional, malicious behavior: 8%.]
Perhaps believing employees want to do the right thing, companies spend most
of their time and budget focusing on the unintentional causes of data breaches.
Not surprisingly, leadership teams invest in either training employees on
privacy issues to increase awareness or implementing technical controls to
limit mistakes. However, it's dangerous to assume employees are always willing
to comply with rules, and it diverts management's attention from what may be
an equally significant issue: intentionally noncompliant behavior. Our research
suggests that intentional, non-malicious behavior accounts for a substantial
percentage of data breaches. The uncomfortable truth is that employees often
know exactly what they are doing when they put the company's most sensitive
data at risk. We call these employee behaviors rationalized noncompliance.
Rationalized noncompliance occurs when an employee is aware of a policy
or requirement but chooses to ignore it, not for malicious reasons but for
personal convenience or what the employee believes is good for the company.
For example, an employee might send work files to his or her personal e-mail
account to finish a project after hours because he or she doesn't have a laptop.
Or maybe the employee disregards the information sharing policy because it is
too difficult to understand. Perhaps the employee doesn't believe anything bad
will come of such actions.
Not all work involves sensitive data. Identifying the key business processes
that collect, store, and use sensitive data will help determine where to design
controls and guidance directly into existing workflows. Natural places to start
include the processes for hiring new employees, creating new online services
and apps, and using mobile marketing, all of which involve collecting or using
[Figure: business processes grouped by privacy risk (high-, medium-, and low-risk business processes). Processes shown include Application Development, Talent Acquisition, Talent Analytics, Website and User Interface Development, Payment Transactions, Mobile/Individualized Marketing, Social Media Listening, and Business Contact Information.]
Business managers often have the best visibility into where privacy controls are
causing the most business drag. Involving them in the design and application
of privacy requirements increases their own privacy risk awareness and, at the
same time, allows them to be advocates of privacy compliance. Ensure managers
can provide input on how privacy requirements align with their teams' work
and how the requirements are communicated. In addition, use managers to
identify the right formats and times for implementing privacy controls for
their teams. For instance, checklists and decision rules can often be helpful for
employees, but they might be irrelevant to wide parts of the business and, in
some cases, use terms employees do not understand. Working with business
managers will reduce the use of privacy-specific jargon and ultimately allow
employees to get their work done faster.
4. Use a continuous improvement approach to align privacy requirements and workflow.
Conclusion
Data is a strategic asset and must be managed as such. To truly reduce the risk
of a data breach that could derail a company's strategy or jeopardize its growth,
leadership teams need to understand that technology, while useful in stopping
hackers from accessing company information, does little to address how data is
collected, managed, and used. All data is not created equal, and protection of the
most sensitive data requires a corporate-wide effort; increasingly, protecting
data means changing work patterns and employee behaviors. Companies need
to ensure they collect only the data they need and can use to achieve business
objectives. And executives must pay attention to how data controls are perceived
and implemented, particularly by employees who are likely to view controls as
a burden or a barrier to completing their work.
Taking advantage of the wealth of available information to learn about
customers, develop better products, deliver service more efficiently, or better
manage the workforce doesn't have to be both a blessing and a curse. In fact,
establishing a more balanced approach to information governance, one that
complements technological controls with prudent and work-relevant privacy
policies, will allow companies to use information better while avoiding the
reputational and business damage of a data breach.