SOCIAL MEDIA: WHY SHOULD IT BE ON YOUR AUDIT PLAN?
Shivangi Nadkarni, CISA, CIPT, DCPP
Co-Founder & CEO – Arrka Consulting
The Social Media Ecosystem
15-Feb-17 Arrka Consulting - Confidential
• Communication apps: Gmail, Skype, WhatsApp...
• Organizational sites, apps, games, pages
• Games, interactive media
• Popular apps: Facebook, LinkedIn, Twitter...
The Risks: Category #1
How things can go wrong…
Twitter:
• Who: Their own CFO, Anthony Noto
• What: Accidentally tweeted instead of sending a private message
• What was it about: An M&A plan
• "I still think we should buy them. He is on your schedule for Dec 15 or 16 -- we will need to sell him. i have a plan."
How things can go wrong…
Across social media:
• Who: UK Armed Forces
• What: Disclosed details of Britain's submarines, posted videos of people & equipment in Afghanistan & Libya, details of sensitive visits, etc.
How things can go wrong
• ...I'm sure each of you has a story to tell from your own organization...
Data Leakage on Social Media – How?
Three kinds of leakage:

The 'OOPS!' (data leaked by mistake)
• Very common
• Eg: putting great detail in LinkedIn profiles, uploading sensitive documents to a public cloud, posting internal plans on Facebook, etc.

The DELIBERATE (the malicious insider)

The VICTIM (victimised by cybercrime)
• 40 percent of social media users have fallen victim to cybercrime
• One in six users believe their accounts have been compromised*
* Norton Study
At the Organizational Level
• Impersonation/ spoofing of the organization's properties:
  • Fake pages, handles, etc.
  • Fake domains
  • Fake apps
The Risks: Category #2
When you are online, what happens in the background?
Types of data collected:
- Device ID, location data, browser history, your OS
- Anything else you may have given 'permission' to access, eg contact info, etc.
Result: your profile & identity is built
What happens to this data?
• ANALYTICS is done on this
• SOLD to data networks/ ad networks/ other agencies, who use it to sell products & services to you
• Used to SYNC UP with other channels to do omni-channel reach
• Fed into ALGORITHMS and used to make automated decisions about you
In Short, When You Are Online….
What happens when you use a mobile app?
You give ‘Permissions’
What happens when you use…
An app or website gets access to your account
So How and Why is all this relevant to an organization?
• Your organization is engaging in all these digital interactions:
  • Online
  • Mobile apps
  • Applications like FB/ Instagram/ LinkedIn/ etc.
Data: Today’s Reality
• Explosion of data: tracking, Online Behavioural Advertising (OBA), ad / data networks
• Individuals as data generators: social, mobile, analytics, cloud, IoT...
• Personal data is the new currency
Types of Personal Data
PERSONAL DATA
• Knowingly provided by a user. Eg: filling in account details
• Unknowingly provided by a user:
  • Observed data. Eg: device identifiers, location data, etc.
  • Derived or inferred data. Eg: data generated from analysis and/or deploying algorithms, like online behaviour profiles
• Harvested from 3P (third-party) sources
What does the law say?
• Data protection & privacy laws in most countries:
  • Define personal data to include all device data, metadata, location data, etc.
  • Anything from a device that can be used to identify an individual
• The laws have some strict curbs on how this data should be treated and used
  • With some stiff penalties and liabilities
  • Eg: EU GDPR: fines of up to 2% or 4% of global annual turnover, depending on the violation
  • Many countries also provide for criminal liability
So Who Owns What Data?
Personal data flows from your organization to:
• Dedicated 3rd parties (3Ps), and on from them to 4th parties
• 3Ps using their own platforms/ products, for their own usage
Which raises the questions:
• Where does accountability lie?
• Who takes on the liabilities?
• Who carries the reputation risk?
What can go wrong? InMobi
• One of the world's largest mobile ad networks
• Tracked a customer's location using surrounding Wi-Fi networks
  • EVEN when the customer had turned off location services on her mobile
• Hauled up and fined by the US FTC (2016)
• InMobi: basically from India!
What can go wrong: Silverpush
• A technology that tracks 'audio beacons' from televisions
  • Captured on a mobile device
  • Sent to a central server
  • Profiles exactly what you have watched on TV
  • Feeds ad networks to deliver ads
• Not even a standalone app
  • Embedded in other mobile apps
• Hauled up by the US FTC (which sent warning letters to app developers using it in 2016)
Think of this scenario
• Your organization ties up with a third party to co-brand a mobile app
• Hosts it on the third party's platform
• The third party uses the customer's data to do analytics and sells it to an ad network
• Meanwhile, your organization has promised the customer that you won't sell her personal data to anyone
• What happens in this scenario? Who is accountable?
To Summarise
Risks from the social media ecosystem fall into two groups:
• Data leakage related risks
• Data accountability related risks
What can you do to address this?
What can you do to address this
• Create awareness
  • That these risks exist
  • They are real
  • They are an integral part of business, not a 'tech-only' problem
  • They have to be addressed urgently
• Assess
  • What is your organization's risk exposure vis-à-vis the social media ecosystem?
  • Assess the gaps
What can you do to address this
• Review existing programs/ initiatives that address these risks
  • Existing risk management initiatives are likely to be addressing some parts of these risks already
• Initiate new programs/ initiatives to take care of the unaddressed gaps
• Do this on a continual basis
  • The pace of change is explosive
  • Risk profiles keep changing
  • Global developments affect local ecosystems, even if you are not dealing with outside markets
• It is an exciting world out there, full of opportunities. Just make sure you have your risks covered as you make the most of them.
Shivangi Nadkarni, CISA, DCPP, CIPT
Co-Founder & CEO – Arrka Consulting
shivangi.nadkarni@arrka.com
www.arrka.com
@shivanginadkarn
Questions?

Social media risks - data leakage and data accountability