The EY Global Integrity Report 2020 highlights that despite companies having more data, they face significant gaps in effectively protecting it.
A fifth of respondents in our EY Global Integrity Report 2020 suffered a major cyber security breach in the preceding year. Cybercriminals do not discriminate based on geography — our results were similar across developed (19%) and emerging markets (23%) — and with 21% of all respondents confirming that they have suffered a major data loss event, organizations must ensure data is safeguarded effectively.
An exponential increase in the volume of data that organizations hold over the last decade has driven the emergence of new business models that utilize data analytics, artificial intelligence (AI) and automation. COVID-19 has accelerated this trend as companies have had to adapt and fast-track digital transformations of their operations to meet the increasing demands of data-driven services and products.
While advanced technologies such as AI can provide valuable insights for corporate decision-making and monitoring business integrity, they also pose significant risks. For instance, AI algorithms may be able to monitor job performance by sifting through an employee’s social media posts or emails, but this type of use can violate privacy regulations and raise ethical concerns. Failure to adequately protect data creates vulnerabilities that can run afoul of both corporate values and rapidly evolving regulatory compliance obligations.
“Companies committed to integrity should examine new technologies thoughtfully, implement them carefully and educate employees for their ethical use,” recommends Todd Marlin, EY Global Technology & Innovation Leader for Forensic & Integrity Services.
There’s more to be done in managing data effectively — and our survey reveals some compelling insights in this regard.
74% of respondents expect enforcement of data protection laws will increase in the future.
Implications of change
In a rapidly evolving economy with growing regulatory requirements and scrutiny, organizations will need to be more cautious in how they collect, maintain and use data to ensure compliance without compromising critical business operations. It is also imperative that organizations are conscious of potential workarounds or operational shortcuts that employees may implement to overcome perceived unnecessary barriers.
All organizations are facing increasingly sophisticated attacks from cybercriminals who seek to steal data to expose data security failings, profit from the sale of data or encrypt it for ransom. A data breach can paralyze operations or even put smaller companies out of business. Over the last decade, firms that failed to safeguard their customers’ information have eroded public trust and suffered huge damages resulting from regulatory fines, litigation, reputational loss and shrinking revenues.
Cybercriminals trying to exploit the fears and uncertainties around the virus have stepped up phishing and ransomware attacks, increasing the risks for organizations already struggling to operate during a pandemic. The rapid shift to employees working remotely has made cybersecurity an even bigger challenge — one that organizations had little time to prepare for. Already we have seen such attacks on various sectors including health care organizations.
35% of respondents believe current data protection and privacy legislation is a barrier to success in business
Providing the right knowledge and training to safeguard data
It’s critical to develop and implement a cyber breach incident response plan, alongside employee training, considering that most ransomware attacks occur when an employee clicks on a fraudulent email link or attachment. However, our survey shows that 62% do not have such plans in place and less than half (49%) are adequately trained.
A comprehensive response plan that is enacted quickly after an incident has been shown to significantly reduce the impact and financial costs of a breach. Concerningly, most respondents say their organizations fail to follow many recommended practices for safeguarding data. Fifty-nine percent do not train employees on their data integrity responsibilities. This training deficit is reflected in the lack of knowledge about data integrity, even among the many employees working in legal, compliance and IT functions.
Users are the gatekeepers to data and own the credentials that cybercriminals target.
This lack of knowledge could give rise to internal data breaches, where unwitting employees fall victim to social engineering attacks or circumvent data protection policies by downloading sensitive company data onto their personal devices while working from home.
Many survey respondents also report a lack of knowledge about their companies’ own security procedures. Almost three in ten (28%) said that they know little to nothing about their organization’s policies and procedures for keeping its premises, equipment and networks secure. The same percentage (28%) also admitted knowing little or nothing about policies and procedures for allowing employees to access data.
The failure to educate employees on protecting data is surprising considering that respondents named cyberattacks as the greatest risk to the long-term success of their organizations. The reality is organizations should be doing more to safeguard data — 2019 was a record year for breaches, with more than 15 billion sensitive records exposed, according to Risk Based Security.
Organizations are increasingly adopting AI, analytics and automation technologies in their compliance programs. These tools can help an organization operate ethically by detecting and even predicting instances of fraud, corruption and theft within the enterprise and among third parties. Tools like machine learning can also be used to protect data more effectively – for example, by reducing the number of false positives in security alerts and automatically blocking malware.
How to safeguard data with integrity
Actions to take now include:
- Promote a culture of data integrity that encompasses both the organization and its supply chain, strengthened with regular communications and training
- Refresh training to take account of new working environments and regulations and roll out to workers across all functions, positions and seniority levels
- Utilize advanced technology as part of an effective compliance program to monitor business activity and flag potential risk areas — for example, as part of a cyber breach response plan to detect and quantify data that may have been lost
- Perform a risk assessment when introducing new advanced technologies that incorporates ethical scenarios where data integrity may be compromised
Front-line individuals must be equipped with the right knowledge and training to safeguard data. However, 59% of respondents say they are not trained on their data privacy responsibilities. This is surprising given 74% expect enforcement of data protection laws to increase in future. And while cyberattacks were cited as the greatest risk to the long-term success of their organization, 62% do not have a cyber breach incident response plan in place. Advanced technologies for managing data alongside employee education initiatives have a greater role to play.