Social media data leakage and data accountability risks

In today's SMAC (Social, Mobile, Analytics, Cloud) world, the risks from social media are manifold, ranging from data leakage to data accountability. This presentation was given at a conference of the Institute of Internal Auditors in Mumbai, India.


  1. SOCIAL MEDIA: WHY SHOULD IT BE ON YOUR AUDIT PLAN? Shivangi Nadkarni, CISA, CIPT, DCPP, Co-Founder & CEO – Arrka Consulting (15-Feb-17, Arrka Consulting - Confidential)
  2. The Social Media Ecosystem: popular apps (Facebook, LinkedIn, Twitter...); communication apps (Gmail, Skype, WhatsApp...); games and interactive media; and the organization's own sites, apps, games and pages.
  3. The Risks: Category #1
  4. How things can go wrong... Twitter. Who: their own CFO, Anthony Noto. What: accidentally tweeted instead of sending a private message. What was it about: an M&A plan. "I still think we should buy them. He is on your schedule for Dec 15 or 16 -- we will need to sell him. i have a plan."
  5. How things can go wrong... Across social media. Who: UK Armed Forces. What: disclosed details of Britain's submarines, posted videos of people and equipment in Afghanistan and Libya, details of sensitive visits, etc.
  6. How things can go wrong... I am sure each of you has a story to tell from your own organization.
  7. Data Leakage on Social Media – How? Three kinds of leakage:
     • The 'OOPS!': data leaked by mistake. Very common. E.g. putting great detail into LinkedIn profiles, uploading sensitive documents to a public cloud, posting internal plans on Facebook, etc.
     • The DELIBERATE: the malicious insider.
     • The VICTIM: victimised by cybercrime. 40 percent of social media users have fallen victim to cybercrime, and one in six believe their accounts have been compromised (Norton study).
  8. At the Organizational Level: impersonation/spoofing of the organization's properties – fake pages and handles, fake domains, fake apps.
  9. The Risks: Category #2
  10. When you are online – what happens in the background? Types of data collected: device ID, location data, browser history, your OS, and anything else you may have given 'permission' to access (e.g. contact info). From this, your profile and identity is built.
  11. What happens to this data? ANALYTICS is done on it. It is SOLD to data networks, ad networks and other agencies, who use it to sell products and services to you. It is used to SYNC UP with other channels for omni-channel reach. It is fed into ALGORITHMS and used to make automated decisions about you.
  12. In Short, When You Are Online....
  13. What happens when you use a mobile app? You give 'permissions'.
  14. What happens when you use an app or website? It gets access to your account.
  15. So How and Why is all this relevant to an organization?
  16. Your organization is engaging in all these digital interactions: online; mobile apps; applications like Facebook, Instagram, LinkedIn, etc.
  17. Data: Today's Reality. Explosion of data: tracking, Online Behavioural Advertising (OBA), ad/data networks. Individuals as data generators. Social, Mobile, Analytics, Cloud, IoT... Personal data is the new currency.
  18. Types of Personal Data:
     • Knowingly provided by a user – e.g. filling in account details.
     • Unknowingly provided by a user:
       – Observed data – e.g. device identifiers, location data, etc.
       – Derived or inferred data – e.g. data generated from analysis and/or deploying algorithms, like online behaviour profiles.
     • Harvested from third-party (3P) sources.
  19. What does the law say? Data protection and privacy laws in most countries define personal data to include all device data, metadata, location data, etc. – anything from a device that can be used to identify an individual. The laws place strict curbs on how this data may be treated and used, with stiff penalties and liabilities. E.g. EU GDPR: fines of up to 2% or 4% of global annual turnover, depending on the tier of infringement. Most countries also have criminal liabilities.
  20. So Who Owns What Data? Personal data flows from the organization to dedicated third parties, to 3Ps using their own platforms/products (who also use it for their own purposes), and on to fourth parties. Where does accountability lie? Who takes on the liabilities? Who carries the reputation risk?
  21. What can go wrong?: InMobi. One of the world's largest mobile ad networks. Tracked a customer's location using surrounding Wi-Fi networks, EVEN when the customer had turned off location services on her mobile. Hauled up and fined by the US FTC in 2016. InMobi is basically from India!
  22. What can go wrong: Silverpush. A technology that tracks 'audio beacons' from televisions: captured on a mobile device, sent to a central server, profiles exactly what you have watched on TV, and feeds that to ad networks to deliver ads. Not even a standalone app – embedded in other mobile apps. The US FTC sent warning letters to app developers that had embedded it.
  23. Think of this scenario: your organization ties up with a third party to co-brand a mobile app and hosts it on the third party's platform. The third party uses the data from the customer to do analytics and sells it to an ad network. Meanwhile, your organization has promised the customer that you won't sell her personal data to anyone. What happens in this scenario? Who is accountable?
  24. To Summarise. Risks from the social media ecosystem: data-leakage-related risks and data-accountability-related risks.
  25. What can you do to address this?
  26. What can you do to address this:
     • Create awareness: that these risks exist, that they are real, that they are an integral part of business – not a 'tech-only' problem – and that they have to be urgently addressed.
     • Assess: what is your organization's risk exposure vis-à-vis the social media ecosystem? Assess the gaps.
  27. What can you do to address this (continued):
     • Review existing programs/initiatives that address these risks; it is likely that existing risk management initiatives already cover some parts of them.
     • Initiate new programs/initiatives to take care of unaddressed gaps.
     • Do this on a continual basis: the pace of change is explosive, risk profiles keep changing, and global developments affect local ecosystems even if you are not dealing with outside markets.
  28. It is an exciting world out there....full of opportunities....just make sure you have your risks covered as you make the most of the opportunities.
  29. Shivangi Nadkarni, CISA, DCPP, CIPT, Co-Founder & CEO – Arrka Consulting, @shivanginadkarn. Questions?
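Slides 10, 13, 21 and 22 describe the mechanism behind the accountability risk: an app's declared permissions give an embedded third-party SDK data the user never associates with tracking (Wi-Fi identifiers that can be geolocated, a microphone that can pick up audio beacons, contacts, device identifiers). One concrete check an auditor can run against a co-branded app is a permission review of its Android manifest. The Python below is an added example, not from the slides or from Arrka Consulting; the manifest, package name and findings table are constructed assumptions for illustration.

```python
"""Audit an Android manifest for permissions that enable covert tracking.

Added example (not from the presentation).  The manifest below is constructed
for illustration; the package name and application label are invented.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Constructed sample: a hypothetical co-branded app bundling an ad SDK.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cobranded">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="CoBranded"/>
</manifest>
"""

LOCATION_PERMS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}

# Permissions the user rarely reads as "tracking" but which feed profiling
# (slides 10, 21 and 22).  The table is the author's assumption, not a
# platform-defined list.
TRACKING_CAPABILITIES = {
    "android.permission.ACCESS_WIFI_STATE": "nearby Wi-Fi network identifiers can be geolocated",
    "android.permission.RECORD_AUDIO": "microphone can capture TV audio beacons",
    "android.permission.READ_CONTACTS": "contact list reveals the user's social graph",
    "android.permission.READ_PHONE_STATE": "exposes device identifiers",
}


def declared_permissions(manifest_xml: str) -> set[str]:
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(NAME_ATTR)
        for el in root.iter("uses-permission")
        if el.get(NAME_ATTR)
    }


def infers_location_without_location_permission(perms: set[str]) -> bool:
    """The InMobi pattern: Wi-Fi state is readable but no location permission
    is declared, so the user never sees a location prompt to refuse."""
    return (
        "android.permission.ACCESS_WIFI_STATE" in perms
        and not (perms & LOCATION_PERMS)
    )


def audit_manifest(manifest_xml: str) -> list[tuple[str, str]]:
    """Return (code, explanation) findings for the given manifest text."""
    perms = declared_permissions(manifest_xml)
    findings = []
    for perm in sorted(perms & set(TRACKING_CAPABILITIES)):
        findings.append((perm, TRACKING_CAPABILITIES[perm]))
    if infers_location_without_location_permission(perms):
        findings.append((
            "LOCATION_INFERENCE",
            "Wi-Fi scanning declared with no location permission: location can "
            "be derived without the user ever being asked for it",
        ))
    return findings


if __name__ == "__main__":
    for code, why in audit_manifest(SAMPLE_MANIFEST):
        print(f"{code}: {why}")
```

A manifest only shows capability, not behaviour: the third party's SDK may or may not use what it is granted, so pair this with a network capture of the app's traffic and an inventory of the SDKs it bundles. Note also that current Android releases gate Wi-Fi scan results behind a location permission, so the Wi-Fi-without-location finding mainly matters for older targets and for the contractual question on slide 23 of who is accountable for what the SDK collects.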