6 minute read 25 Jun 2020

How to safeguard data while ethically leveraging its value

By Andrew Gordon

EY Global Forensic & Integrity Services Leader

Global Forensics Leader focusing on helping organizations build their integrity agenda so they better anticipate and mitigate risk.


The EY Global Integrity Report 2020 highlights that despite companies having more data, they face significant gaps in effectively protecting it.

This article is part of the EY Global Integrity Report 2020.

A fifth of respondents in our EY Global Integrity Report 2020 (pdf) suffered a major cyber security breach in the preceding year. Cybercriminals do not discriminate based on geography — our results were similar across developed (19%) and emerging markets (23%) — and with 21% of all respondents confirming that they have suffered a major data loss event, organizations must ensure data is safeguarded effectively.

An exponential increase in the volume of data that organizations hold over the last decade has driven the emergence of new business models that utilize data analytics, artificial intelligence (AI) and automation. COVID-19 has accelerated this trend as companies have had to adapt and fast-track digital transformations of their operations to meet the increasing demands of data-driven services and products.

While advanced technologies such as AI can provide valuable insights for corporate decision-making and monitoring business integrity, they also pose significant risks. For instance, AI algorithms may be able to monitor job performance by sifting through an employee’s social media posts or emails, but this type of use can violate privacy regulations and raise ethical concerns. Failure to adequately protect data creates vulnerabilities that can run afoul of both corporate values and rapidly evolving regulatory compliance obligations.

“Companies committed to integrity should examine new technologies thoughtfully, implement them carefully and educate employees for their ethical use,” recommends Todd Marlin, EY Global Technology & Innovation Leader for Forensic & Integrity Services.

There’s more to be done in managing data effectively — and our survey reveals some compelling insights in this regard.

Global Integrity Report: 74% of respondents expect enforcement of data protection laws will increase in the future.

Implications of change

In a rapidly evolving economy with growing regulatory requirements and scrutiny, organizations will need to be more cautious in how they collect, maintain and use data to ensure compliance without compromising critical business operations. It is also imperative that organizations are conscious of potential workarounds or operational shortcuts that employees may implement to overcome perceived unnecessary barriers.

All organizations are facing increasingly sophisticated attacks from cybercriminals who seek to steal data to expose data security failings, profit from the sale of data or encrypt it for ransom. A data breach can paralyze operations or even put smaller companies out of business. Over the last decade, firms that failed to safeguard their customers’ information have eroded public trust and suffered huge damages resulting from regulatory fines, litigation, reputational loss and shrinking revenues.

Cybercriminals trying to exploit the fears and uncertainties around the virus have stepped up phishing and ransomware attacks, increasing the risks for organizations already struggling to operate during a pandemic. The rapid shift to employees working remotely has made cybersecurity an even bigger challenge — one that organizations had little time to prepare for. Already we have seen such attacks on various sectors including health care organizations.

Global Integrity Report: 35% of respondents believe current data protection and privacy legislation is a barrier to success in business.

Providing the right knowledge and training to safeguard data

It’s critical to develop and implement a cyber breach incident response plan, alongside employee training, considering that most ransomware attacks occur when an employee clicks on a fraudulent email link or attachment. However, our survey shows that 62% do not have such plans in place and less than half (49%) are adequately trained.

A comprehensive response plan that is enacted quickly after an incident has been shown to significantly reduce the impact and financial costs of a breach. Concerningly, most respondents say their organizations fail to follow many recommended practices for safeguarding data. Fifty-nine percent do not train employees on their data integrity responsibilities. This training deficit is reflected in the lack of knowledge about data integrity, even among the many employees working in legal, compliance and IT functions.

Users are the gatekeepers to data and own the credentials that cybercriminals target.

This lack of knowledge could give rise to internal data breaches, where unwitting employees fall victim to social engineering attacks or circumvent data protection policies by downloading sensitive company data onto their personal devices while working from home.

Many survey respondents also report a lack of knowledge about their companies’ own security procedures. Almost three in ten (28%) said that they know little to nothing about their organization’s policies and procedures for keeping its premises, equipment and networks secure. The same percentage (28%) also admitted knowing little or nothing about policies and procedures for allowing employees to access data.

The failure to educate employees on protecting data is surprising considering that respondents named cyberattacks as the greatest risk to the long-term success of their organizations. The reality is organizations should be doing more to safeguard data — 2019 was a record year for breaches, with more than 15 billion sensitive records exposed, according to Risk Based Security.

Organizations are increasingly adopting AI, analytics and automation technologies in their compliance programs. These tools can help an organization operate ethically by detecting and even predicting instances of fraud, corruption and theft within the enterprise and among third parties. Tools like machine learning can also be used to protect data more effectively – for example, by reducing the number of false positives in security alerts and automatically blocking malware.

How to safeguard data with integrity

Actions to take now include:

  • Promote a culture of data integrity that encompasses both the organization and its supply chain, strengthened with regular communications and training

  • Refresh training to take account of new working environments and regulations and roll out to workers across all functions, positions and seniority levels

  • Utilize advanced technology as part of an effective compliance program to monitor business activity and flag potential risk areas — for example, as part of a cyber breach response plan to detect and quantify data that may have been lost

  • Perform a risk assessment when introducing new advanced technologies that incorporates ethical scenarios where data integrity may be compromised

This article is one in a series based on the EY Global Integrity Report 2020 (pdf). For a comprehensive approach to maintaining integrity, please see the other articles in the series, accessible below:

About the survey

This Global Integrity Report 2020 follows from our previous Global Fraud Survey series and highlights three critical actions for organizations to prioritize in their integrity agendas to help navigate the ethical challenges accelerated by the crisis: personal conduct, third-party management and data integrity.

Between January and February 2020, our researchers — the global market research agency Ipsos MORI — conducted 2,948 surveys in the local language with board members, senior managers, managers and employees in a sample of the largest organizations and public bodies in 33 countries and territories worldwide. A further 600 surveys in total were conducted in April 2020 using the same respondent profile across China, Germany, India, Italy, the UK and the US during the COVID-19 pandemic.

Summary

Front-line individuals must be equipped with the right knowledge and training to safeguard data. However, 59% of respondents say they are not trained on their data privacy responsibilities. This is surprising given 74% expect enforcement of data protection laws to increase in future. And while cyberattacks were cited as the greatest risk to the long-term success of their organization, 62% do not have a cyber breach incident response plan in place. Advanced technologies for managing data alongside employee education initiatives have a greater role to play.
