4 minute read 24 Mar 2022
Risk mitigation strategies

Devising technology-led strategies to secure data and mitigate breaches

Authors
Arpinder Singh

EY Global Markets and India Leader, Forensic & Integrity Services

Leading forensic accountant and veteran expert witness. Advising global clients on compliance, anti-corruption and corporate governance. Disruptive thinker. Technology aficionado. Author.

Harshavardhan Godugula

EY India Forensic & Integrity Services Technology & Innovation Leader

Technology leader. Advising the C-suite on building safer enterprises through cyber incident response, data governance, fraud analytics and eDiscovery services. Driven by innovation.


As data breaches become increasingly sophisticated, can technology act as a catalyst to resolve the issue at hand?

In brief

  • Data breaches are at an all-time high because of an uptick in digitization in a post-pandemic world
  • Organizations are burdened with the dual responsibility of combatting data breaches effectively whilst identifying data loss
  • Self-learning AI platforms can be leveraged to identify and report on individual Personally Identifiable Information (PII) or Personal Health Information (PHI) in unstructured data sets, and build enhanced risk mitigation strategies

Rapid digitization and workplace mobility have made our lifestyles far more convenient than before. However, the increase in everyday connectivity has also created a plethora of opportunities for cyber attackers to engage in unethical and unlawful activities. According to a recent survey by EY Forensic & Integrity Services and the ACFE Mumbai Chapter, 40% of senior legal and risk executives stated they had witnessed a cyber breach in their organizations in the last year.

Information does not have to be digitized to be stolen, but digital files have made data breaches ubiquitous. Cybercriminals continue to expose and endanger consumers’ PII as well as their PHI at a worrying rate. To avoid regulatory action or litigation, companies should, as part of their incident response frameworks, disclose data breaches and notify their stakeholders, including regulators, when PII or PHI has been exposed. But doing so is no easy feat: identifying a PII or PHI leak requires specialized resources and modern technological solutions, used in conjunction with a well-established data breach response plan.

What types of data can be compromised?

Different types of data are useful to third parties in different ways, and each poses its own degree of danger to a company. Examples of the kinds of information at risk include:

  1. Personally identifiable information (PII) – This refers to any data that could be used to identify a specific person. It comprises contact details, birth date and educational background.
  2. Financial information – This includes credit card numbers and income statements, bank account and investment details, and any other similar information.
  3. Protected health information (PHI) – This contains details about individuals’ medical history such as previous or existing ailments, prescription medicines, therapies, and medical or health records.
  4. Intellectual property information – This refers to product drawings and manuals, specifications, scientific formulas, marketing texts and symbols, proprietary software, and other materials generated by the company.
  5. Information on the competition – This includes competitive market information, market research, pricing data, and business plans.

Personal, financial, and health information can be misused for fraud, identity theft, and unsolicited marketing, while intellectual property can be infringed or misused to create products and services that emulate another brand. Competitive information may be sold to rivals to thwart an organization’s growth plans and goals, and leaked privileged information may end up jeopardizing its legal position. IT security data is another valuable target, since it can allow unauthorized parties to access a wide range of data within the company’s systems.

The risk within - How internal stakeholders may pose a threat

With the advent of remote working, multiple stakeholders – employees, vendors, third parties, gig workers – can pose a threat because they have access to the company’s network and sensitive data. That data can be reached from within the network, through external email accounts, mobile devices, and even the cloud.

Insider threats can undermine data protection and threat mitigation strategies. Disgruntled employees may leak confidential information, or even sell it to external parties for a profit. Cloud data and email accounts are also frequently handled by employees of the company’s cloud services provider, and mobile devices may be misplaced, hacked or corrupted. In the face of such dangers, businesses must assess the repercussions of data breaches and devise risk mitigation strategies that address internal threats as well.

The range of personal data a threat actor can reach has grown rapidly because of the proliferation of Internet of Things (IoT) devices now deployed inside homes and businesses – data-collecting devices, information-rich smartphone apps, and more.

In such circumstances, it is critical to educate employees on the importance of good cyber hygiene, especially now that many people are still working from home or from anywhere. They should also be equipped with the tools needed to carry out their professional obligations, rather than relying on personal devices that may not be as secure.

Risk mitigation strategies for consideration

The risks posed by a data security breach can be mitigated with the right balance and blend of processes, people, and technology. Data breach discovery and review procedures need legal expertise, technology to collect and assimilate data, and experienced document reviewers to examine it and identify PII or PHI loss.

EY’s Data Breach Review solution is designed for high-speed breach review and can assist in the development of a robust cyber incident response framework as attackers get savvier.

The self-learning Artificial Intelligence (AI) platform is pre-trained to identify and report on individual PII or PHI in unstructured data sets such as emails, chats, or file shares, thereby helping companies comply with breach notification mandates. The platform learns from each review and surfaces what it has learned to the reviewers immediately. Everything the system learns is retained across successive evaluations, allowing it to become more effective, sharper, and more intelligent over time. The end result is the timely and demonstrable delivery of a final notification list of deduplicated entities derived from the compromised data sets, meeting legal, regulatory, and business responsibilities.
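As an added illustration that is not part of the article or of EY’s platform: a simplified, rule-based breach-review scan in Python over a constructed sample data set (an email, a chat line and a file-share note). It finds PII and PHI indicators and collapses them into one deduplicated notification entry per affected individual; the regexes, sample documents and document-level attribution rule are assumptions standing in for the trained models the article describes.

```python
import re
from collections import defaultdict

# Constructed sample "unstructured data set": one email, one chat line, one file-share note.
SAMPLE_DOCUMENTS = {
    "mail/0001.eml": "From: ravi.kumar@example.com\nPlease call me on +91 98765 43210 re: claim.",
    "chat/room1.txt": "[10:02] ravi.kumar@example.com: diagnosis is Type 2 diabetes, see attached",
    "share/claims.txt": ("Policyholder: ravi.kumar@example.com, contact +91-98765-43210\n"
                         "Patient: anita.s@example.org, prescription: metformin"),
}

# Illustrative detectors (assumptions): simple patterns standing in for trained classifiers.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
PHONE_RE = re.compile(r"\+\d{1,3}[\s-]?\d{4,5}[\s-]?\d{5}\b")
PHI_RE = re.compile(r"\b(diagnosis|prescription|patient)\b", re.IGNORECASE)


def normalize_phone(raw):
    """Canonical form so '+91 98765 43210' and '+91-98765-43210' count as one number."""
    return "+" + re.sub(r"\D", "", raw)


def scan_document(text):
    """Return a list of (category, normalized value) findings for one document."""
    findings = [("PII:email", m.group().lower()) for m in EMAIL_RE.finditer(text)]
    findings += [("PII:phone", normalize_phone(m.group())) for m in PHONE_RE.finditer(text)]
    if PHI_RE.search(text):
        findings.append(("PHI", "medical-context"))  # flagged for a reviewer to confirm
    return findings


def build_notification_list(documents):
    """Collapse per-document findings into one entry per affected individual (keyed by
    normalized email), listing every exposed category and every document they appear in."""
    entities = defaultdict(lambda: {"categories": set(), "documents": set()})
    for path, text in documents.items():
        findings = scan_document(text)
        categories = {category for category, _ in findings}
        # Document-level attribution (assumption): every category found in a document is
        # attributed to each person named in it; a human reviewer refines this afterwards.
        for category, value in findings:
            if category == "PII:email":
                entities[value]["categories"] |= categories
                entities[value]["documents"].add(path)
    return {email: {"categories": sorted(v["categories"]), "documents": sorted(v["documents"])}
            for email, v in sorted(entities.items())}
```

Running `build_notification_list(SAMPLE_DOCUMENTS)` yields two entries, not four: the same person found in three documents appears once, with all three sources attached.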

Summary

The consequences of not acting when a data breach occurs can impair a company's ability to continue operating as usual. Companies should, therefore, either build a cybercrime threat mitigation action plan now or expect to be compelled to do so after a data breach that may result in substantial damages.
