Best practices for data risk management
Data can be a tricky business. While it’s crucial to firms and businesses around the world, it comes with a whole host of risks that threaten to damage companies.
Think of Facebook, for example. Earlier this year it was reported that over 540 million records were posted publicly for everyone to see. Compromised data included people’s user IDs, comments, reactions, and account names. Incidents like this are exactly what data risk management exists to prevent.
This was hot on the heels of an attack last year that exposed data relating to almost 50 million of the social media giant’s users. If that wasn’t enough cause for concern, just this month it turned out that the phone numbers and Facebook identifications of 419 million users had been stored on an unsecured server.
The company has already been hit with a record-breaking $5 billion fine for its security breaches. On top of that, it has damage to its reputation to contend with. We live in a world where people are sharing more information than ever before. Companies that are seemingly incapable of protecting this data are being viewed in an increasingly negative light. It’s therefore imperative that firms take all the necessary steps possible to protect important data.
The following article analyses what data risk management is, the potential risks, and the best practices for managing those risks.
What is data risk management?
Data risk management is the way in which organisations handle the data they are responsible for and ensure that any risks are kept to an absolute minimum. This includes the way the data is acquired, processed, stored, and used for the entire time it is under the control of the organisation. Some of the main causes of potential risks are:
Inadequate data governance
Data governance refers to the rules and policies an organisation has in place for the management of any data. Without robust governance, businesses could end up with a mishmash of disorganised data that will make regulatory compliance a minefield. For example, the General Data Protection Regulation (GDPR) introduced a ‘right to be forgotten’ when it came into effect last year. However, if businesses don’t know what lawful bases they rely on for processing data, or where that data is held, they cannot guarantee that it has all been removed. This could then leave them open to both financial and reputational penalties.
Mismanagement of data
Mismanagement of data is about the mistakes companies make in their handling of data through each stage of its lifecycle. A number of systems, software, and other tools may be involved at various points during the collecting, processing, storing, and protecting of data. If this isn’t handled correctly, however, the data can become unusable or corrupted, which can potentially result in expensive losses for the business. In addition to that, it can incur unseen costs caused by inefficiency and lower levels of productivity. Well-managed data creates a well-oiled machine, while mismanaged data is like throwing a bucket of rust directly onto the gears.
Ineffective data security
Ineffective data security systems are one of the biggest – and most costly – causes of data risk, which can lead to catastrophic consequences for a firm. With the number of hackers and cyberattacks on the rise, organisations must remain vigilant in order to protect against them.
Adopting a holistic data risk management strategy is the most effective approach. By looking at the bigger picture and making sure all elements are working together in unison, businesses can help to minimise internal and external risks simultaneously.
Why data risk management matters
There are a number of reasons why data risk management is greatly important to organisations. Neglecting this process can have severe consequences, some of which are detailed below:
- Financial penalties imposed on businesses that are found to be in breach of any laws or regulations.
- Legal fees that may be incurred.
- Reputational damage that could lead to loss of sales or share value.
- Costs related to resolving an issue or breach.
- Costs of replacing or repairing damaged infrastructure after a cyberattack.
- Loss of productivity in the workplace.
Data risks can lead to data breaches. As a result, the earlier an organisation adopts a watertight data risk management strategy, the less it stands to lose.
What are the potential data risks?
Anything that has the ability to threaten the security or quality of data is considered a risk. Some examples include:
Dark data
This type of data is collected and stored but not used. It poses a risk on a few fronts. Firstly, it’s a security risk, because the more dark data a company has, the more there is to protect. Simply put, there is more data at risk in the event of a breach. Secondly, it can leave an organisation wide open to a variety of compliance issues. For example, many businesses are in breach of GDPR without even realising it.
Corrupt data
Data corruption can occur in many different ways. This can be through data breaches, issues with a database, or basic human error. Corrupted data is a risk to organisations because it costs money. These costs can be related to recovering the data or can be the less quantifiable costs of losing time, productivity, and repairing a brand’s image.
Compliance failures
There are far-reaching consequences for failing to comply with data laws. Regulatory compliance failures are a big data risk, which can lead to hefty fines, high legal bills, and ramifications in terms of reputation. As more rules are imposed on businesses, many more organisations are falling afoul of the new and, in most cases, stricter requirements.
Data remanence
Data remanence is data that can still be recovered even though a business might think it’s gone. It’s common for organisations to replace or reformat their technology, and the assumption is often that any data on it was erased in the process. However, this is not always the case, and without following the correct disposal protocols, companies may find sensitive information being exposed.
Storage device issues
Another common risk is problems arising with the storage device that holds an organisation’s data. This might be a technical issue or a malware attack that then causes storage devices to fail. When businesses don’t have adequate backup procedures in place, they are at a much greater risk of losing large amounts of valuable data in an instant.
Vendor lock-in
This is where the current provider of services makes it difficult – if not impossible – to switch to another provider. This is usually done by making the cost of transferring data to a different provider prohibitively expensive. Data is essentially being held hostage in such instances.
Incidents and accidents
Anything that removes, damages, or otherwise threatens data is a risk. This could be a fire in a data storage facility that damages the hardware beyond repair or an earthquake, which destroys offices and equipment. Any of these and more can pose a risk to sensitive data.
The best practices for data risk management
Defining the risks
Each organisation is different. The type of data and the level of sensitivity will differ, as will the software, systems, and tools in use. Carrying out a full appraisal of the business to determine the scope of risk analysis that needs to be conducted is a good strategy to adopt. Knowledge of what to look for before starting the process will also be highly beneficial.
Identifying potential risks and threats
Once businesses have established what they’re looking for, they can effectively move on to the actual risks themselves. By identifying potential threats to data, organisations can place themselves in a better position to stop them from happening. Examining the current situation and determining where the weaknesses are will make the areas that require some work clearer.
Evaluating likelihood and potential impact
With a clear idea of potential data risks, organisations can start thinking about how likely they are to happen. How often has a specific risk occurred in the past, and how common is it within the industry? Looking for reports or past studies and weighing up the likelihood of a risk occurring is good practice. Thereafter, assessing the impact a data breach would have on the organisation will provide some direction on whether or not to escalate the issue as a matter of urgency.
Assessing the existing measures
Chances are data protection measures are already in place for most large corporations. But are the measures up to date? If software tools are in use, are they doing the job? Are data governance processes as tight as they could be or is there room for improvement? Are certain tools or methods being used because it’s easier than switching?
Businesses must make a concerted effort not to let familiarity be their downfall. It’s easier to implement a new system than it is to clear up after a major data breach.
Having a plan in place
When the main data risks have been determined, including how likely they are to occur, companies can then draw up responses. In an ideal world, management doesn’t want anything to happen that they haven’t already foreseen. While that is not always possible, contingency plans should be in place for all the major and potentially impactful risks that have already been identified.
Adopting a holistic approach
Data risk management should not be approached piecemeal. It is often the case that an organisation reacts to data breaches or software failures after the fact rather than being proactive. This is a largely inefficient way of approaching such an important procedure. Data risk policies and rules should be defined and integrated into the company’s processes ahead of time. Having all parts of the organisation working together will create the most bulletproof data risk management strategy possible.
Learning from any mistakes
Any incidents that have occurred in the past can be used as case studies for the future. If data is compromised despite the best of efforts, examining where the weaknesses in the strategy were is a good first step. Thereafter, a few adjustments where applicable will ensure progress in the right direction. Learning from other people’s mistakes is very helpful too. Keeping an eye out for reports of other organisations’ data risk incidents and checking whether in-house contingency plans would have held up is a proactive approach to consider.
Final thoughts
Technology is constantly evolving and only those who evolve with it will thrive. Data risk management is not a static approach. For every new security software release, there is a hacker relishing the opportunity to find a way around it.
As a result, the best data risk management plans are forever a work in progress. Constantly monitoring processes and making adjustments where necessary will significantly reduce data risks and the severe consequences that come with failing to comply.
This article was written by Henry Umney, CEO of ClusterSeven. Henry has over 25 years of experience and expertise within the financial services and technology sectors. Prior to ClusterSeven, Henry held the position of sales director in Microgen, London and various sales management positions in AFA Systems and ICAP.