Social Media Risks go beyond data leakage & brand reputation risks - to those seriously impacting data privacy. This ppt was made at a conference of the Institute of Internal Auditors, Mumbai, India
Social media risks - data leakage and data accountability
1. SOCIAL MEDIA: WHY SHOULD IT BE ON YOUR AUDIT PLAN?
Shivangi Nadkarni, CISA, CIPT, DCPP
Co-Founder & CEO – Arrka Consulting
2. The Social Media Ecosystem
15-Feb-17 Arrka Consulting - Confidential
Communication Apps: Gmail, Skype, Whatsapp...
Organizational sites, apps, games, pages
Games, Interactive Media
Popular Apps: Facebook, LinkedIn, Twitter...
4. How things can go wrong…
Twitter:
Who: Their own CFO – Anthony Noto
What: Accidentally tweeted instead of sending a private message
What was it about: An M&A plan
"I still think we should buy them. He is on your schedule for Dec 15 or 16 -- we will need to sell him. i have a plan."
5. How things can go wrong…
Across Social Media:
Who: UK Armed Forces
What: Disclosed details of Britain’s submarines, posted videos of people & equipment in Afghanistan & Libya, details of sensitive visits, etc
6. How things can go wrong
…Am sure each of you has a story to tell from your own organization…
7. Data Leakage on Social Media – How?
Three kinds of leakage:
The ‘OOPS’! – Data leaked by mistake
• Very common
• Eg: putting great detail in LinkedIn profiles, uploading sensitive documents on public cloud, posting internal plans on Facebook, etc
The DELIBERATE – The malicious insider
The VICTIM – Victimised by cybercrime
• 40 percent of social media users have fallen victim to cybercrime
• One in six users believe their accounts have been compromised*
* Norton Study
8. At the Organizational Level
Impersonation/ spoofing of organization’s properties:
Fake pages, handles etc
Fake domains
Fake apps
10. When you are Online – what happens in the background?
Types of data collected:
- Device id, location data, browser history, your OS
- Anything else you may have given ‘permission’ to access – eg, contact info, etc
Your Profile & Identity is built from this
11. What happens to this data?
ANALYTICS is done on this data
SOLD to data networks/ ad networks/ other agencies – who use it to sell products & services to you
Used to SYNC UP with other channels to do omni-channel reach
Fed into ALGORITHMS and used to make automated decisions about you
13. What happens when you use a mobile app?
You give ‘Permissions’
14. What happens when you use…
The APP or Website gets access to your account
15. So How and Why is all this relevant to an organization?
16.
Your organization is engaging in all these digital interactions
Online
Mobile apps
Applications like FB/ Instagram/ LinkedIn/ etc
17. Data: Today’s Reality
Explosion of Data
• Tracking
• Online Behavioural Advertising (OBA)
• Ad / Data Networks
Individuals as Data Generators
Social, Mobile, Analytics, Cloud, IoT…
Personal Data is the New Currency
18. Types of Personal Data
PERSONAL DATA
Knowingly provided by a user
  Eg: Filling in account details
Unknowingly provided by a user:
  Observed Data
    Eg: Device identifiers, Location Data, etc
  Derived or Inferred Data
    Eg: Data generated from analysis and/or deploying algorithms, like online behaviour profiles
  Harvested from 3P sources
19. What does the law say?
Data Protection & Privacy laws in most countries:
Define personal data to include all device data, meta data, location data, etc
Anything from a device that can be used to identify an individual
The laws have some strict curbs on how this data should be treated and used
With some stiff penalties and liabilities
Eg:
EU GDPR: up to 2% to 4% of global turnover
Most countries have criminal liabilities
20. So Who Owns What Data?
Dedicated 3rd Parties
3P’s using their own platforms/ products (3P’s own usage)
4th Parties
Personal Data passes along this chain
Where does accountability lie?
Who takes on the liabilities?
Who carries the reputation risk?
21. What can go wrong?: InMobi
One of the world’s largest Mobile Ad Networks
Tracked a customer’s location using surrounding wi-fi networks
EVEN when the customer had turned off location services on her mobile
Hauled up and fined by the US FTC
InMobi: Basically from India!
22. What can go wrong: Silverpush
A technology that tracks ‘audio beacons’ from Televisions
Captured on a mobile device
Sent to a central server
Profiles what exactly you have watched on TV
Feeds to ad networks to deliver ads
Not even a standalone app
Embedded in other mobile apps
Hauled up by US FTC
23. Think of this scenario
Your organization ties up with a third party to co-brand a mobile app
Hosts it on the third party’s platform
The third party uses the data from the customer to do analytics and sells it to an ad network
Meanwhile, your organization has promised the customer that you won’t sell her personal data to anyone
What happens in this scenario? Who is accountable?
24. To Summarise
Data Leakage related risks
Data Accountability related risks
Risks from the Social Media Ecosystem
25. What can you do to address this?
26. What can you do to address this
Create Awareness
That these risks exist
They are real
They are an integral part of business – not a ‘tech-only’ problem
They have to be urgently addressed
Assess
What is your organization’s risk exposure vis-à-vis the social media ecosystem?
Assess the gaps
27. What can you do to address this
Review existing programs/ initiatives that address these risks
Likely that existing risk management initiatives may already be addressing some parts of these risks
Initiate new programs/ initiatives to take care of unaddressed gaps
Do this on a continual basis
Pace of change is explosive
Risk profiles keep changing
Global developments affect local ecosystems, even if you are not dealing with outside markets
28.
It is an exciting world out there….full of opportunities….just make sure you have your risks covered as you make the most of the opportunities