August 31, 2016
Data Protection and Control
Digital risk exposure is far greater than most companies appreciate.
The implications – both immediate and long-term – can have far-ranging consequences for productivity, competitiveness, intellectual property, and brand confidence. To effectively manage these risks, it is crucial that companies develop a coherent understanding of exactly how much control they have over the data they steward. Only when this knowledge of control is firmly established can a company devise plans for mitigating any potential crises resulting from a data breach.
Loss of total control over your data begins at the moment of digitization. After digitization, control over data diminishes with every additional node through which it travels – every additional employee and third party that has access to the data increases its vulnerability. Third parties – contractors, service providers, and clients – are susceptible to the exact same kinds of insider threats faced by companies and governments. Performing thorough due diligence on all your partners is critical for extending as much control as possible across all external points of vulnerability.
Any employee can steal information, but it is not until he or she gives that information to someone on the outside that a breach has truly occurred. Your data is gone as soon as you lose it, and you will be unable to stop whoever took it from continuing to possess it or using it as they see fit. Companies, governments, and individuals should map out the contours of their control, identifying all possible holes in their digital and human walls, monitor and patch those areas of vulnerability where possible, and develop contingency plans to mitigate fallout if a breach does occur.
It is relatively easy to defend your data through technical means, but the more difficult element is people – data encryption means nothing if someone on the inside hands over the key to someone who is not authorized to have it. The good news is that employers can exercise a great deal of influence over the behaviors of their employees. Employees can easily be taught to recognize, deflect, and report suspicious questions from outsiders that might divulge methods of accessing your data, and standard operating procedures can ensure that an employee’s data access is abrogated upon departure from the company.
Even with every known potential vulnerability clearly mapped, the way one does business must always be subject to the principle that what is recorded in the digital space in ‘private’ may at some point be divulged in ways or spaces not currently predicable. Whether by leak, FOIA request, or litigation discovery, your information can be removed at any moment from the confines of your control. Every communication transmitted through email must be written with this consideration firmly in mind.
All of this can too easily lead to paranoia – the symptom of an imbalance between vigilance and inattention, which supplies its own dangers. Bad actors can blackmail paranoid, unaware companies with the fabricated spoils of a nonexistent data breach. But firms that treat cybersecurity threats with equal doses of sobriety and diligence by mapping out their control and vulnerabilities can verify a possible compromise before reacting.
For further information about LEVICK Business Intelligence’s political and regulatory risk capabilities – including obtaining a complete copy of this report or others – please visit us online at http://levick.com/practices/business-intelligence or contact us directly at LEVICKIntelligence@LEVICK.com. A complete list of our Political Risk Updates can be found under the Political & Regulatory Risk tab.