Dealing with Data: balancing the risk and utility of an integral business asset

Data is unequivocally one of the most powerful assets a business can hold – and with great power, comes great responsibility.

 

 

Regardless of the volume, quality or method of acquisition, data deeply influences the ways in which a business reaches its target consumer. It facilitates the acquisition of new customers, influences marketing decisions and is integral in the forecasting of sales trends. It can also help in detecting inefficiencies that may be concealed.  

As always, with benefit comes risk. The data used and stored by businesses is private and sensitive in nature. Without robust cybersecurity and data protection plans, businesses are left vulnerable to data breaches which can pose serious financial and reputational problems.   

We’ll discuss 4 major risks associated with the usage and storage of data, followed by 5 principles to help balance its risk and utility. 

The common risks associated with data 

Data Breaches 

A cybersecurity or data breach can send any organisation rapidly into damage control. The Optus and Medibank breaches of 2022 saw the highly sensitive data of over 20 million Australians extracted and held for ransom by cybercriminals – including names, addresses, private documents, medical records and much more.

Breaches can occur internally and externally. Cloud storage is a common, seamless method of data storage for companies. However, poor encryption can leave the data on these external servers vulnerable and exposed to hackers.  This is just one example of how an external data breach can occur. 

Internal breaches occur when an employee allows their credentials to fall into malicious hands – whether intentionally or accidentally. Criminals can then masquerade as legitimate employees, gaining even deeper access to sensitive information over time.

Breaches of any scale see businesses dragged through lengthy legal proceedings and forced to pay hefty fines and compensation fees. If this isn’t damaging enough, the media spotlight certainly is. 

Downtime, unavailability and backup system vulnerabilities 

Industry 4.0 is all about data – and constantly available, backed up data, at that. Downtime and service unavailability are becoming less acceptable as we evolve. They can hinder the ability of a business to perform during busy periods or deliver when they’re needed most, giving rise to high levels of customer attrition.

Understanding this, it becomes evident why businesses should bolster their critical data infrastructure and work towards 100% uptime, complete with a seamless backup and disaster recovery strategy. As the world’s insatiable hunger for data trends upwards, it’s essential that data – and the systems it upholds – is always available on demand.

Lack of visibility in the business’ data environment 

If you or your teams do not have a clear understanding of the current data environment, it can be almost impossible to identify, respond to or prevent potential data threats. 

The three big questions need to be asked: 

  • Where do we keep the sensitive data? 
  • Who can access this data? 
  • Who consumed specific data records? 

Without a robust internal security system, monitoring records and keeping tabs on access history can be difficult, especially on a large scale. 

Employees who lack end user training 

Unfortunately, the biggest ongoing risk to any organisation is untrained end users. Weak passwords, phishing emails, malware downloads and the insecure management of sensitive data are all gateways for larger security breaches.

The best way to mitigate these occurrences is through effective, ongoing training in areas such as cybersecurity and data privacy. Educating employees on secure data practices can help them identify cyber-attacks and breach attempts, while increasing their proficiency with the secure tools at their disposal.

 

Balancing risk and utility of data – the Five Safes framework 

The ABS has adopted the Five Safes framework, which assists individuals in better balancing the risk and utility of data. It is described as “a multi-dimensional approach” to managing disclosure risk, and is “designed to facilitate safe data release and prevent over-regulation”:

Safe People 

This considers whether the researcher is appropriately authorized to access and use the data. As the data gets more detailed, so should the level of user authorization.  

Some prerequisites for authorization include: 

  • Training in confidentiality and conditions of data use 
  • Signing of legally binding documentation to maintain confidentiality 

Safe Projects 

What will the data be used for? Is the purpose appropriate? Those who wish to access detailed microdata should be able to explain the purpose of their project, and prove it has: 

  • A valid research aim
  • A public benefit 
  • No capacity to be used for compliance or regulatory purposes.  

Safe Settings  

It’s essential to know whether the access environment prevents unauthorised use – this entails both the IT and physical environment. 

Sensitive data should only be accessed by secure research centers: 

  • A locked room requiring personal authentication 
  • IT monitoring equipment 
  • Auditing and other supervision 

Safe Data 

Has appropriate and sufficient protection been applied to the data? 

At minimum, direct identifiers such as name and address should be removed from the data before release. There are several other statistical disclosure controls that can be applied, listed on the ABS page.

Safe Outputs 

Are the statistical results non-disclosive? 

This should embody a final check on the information before it’s made public and aims to reduce the risk of disclosure to a minimum. All data that is made available outside the data custodian’s IT environment must be checked for disclosure.  

 

Conclusion: 

We understand how important it is to keep your people educated on the risks of handling data, as well as safe cybersecurity practices.  

Our suite of privacy and data protection courses can be customised according to the specific needs of your organisation and installed into your preferred LMS: 

Privacy – Australia 

Privacy for Financial Services – Australia 

Privacy for Schools – Australia 

Cybersecurity – Australia 

Cybersecurity – Global 

General Data Protection Regulation (GDPR) 
