SOCIAL MEDIA: WHY SHOULD IT BE ON YOUR AUDIT PLAN?
Shivangi Nadkarni, CISA, CIPT, DCPP, Co-Founder & CEO – Arrka Consulting

Social media data leakage and data accountability risks

Mar 20, 2017

Transcript
Page 1: Social media   data leakage and data accountability risks

SOCIAL MEDIA: WHY SHOULD IT BE ON YOUR AUDIT PLAN?

Shivangi Nadkarni, CISA, CIPT, DCPP

Co-Founder & CEO – Arrka Consulting

Page 2: Social media   data leakage and data accountability risks

The Social Media Ecosystem

15-Feb-17 Arrka Consulting - Confidential


Communication Apps: Gmail, Skype, WhatsApp...

Organizational sites, apps, games, pages

Games, Interactive Media

Popular Apps: Facebook, LinkedIn, Twitter...

Page 3: Social media   data leakage and data accountability risks

The Risks: Category #1


Page 4: Social media   data leakage and data accountability risks

How things can go wrong…


Twitter:

Who: Their own CFO – Anthony Noto

What: Accidentally tweeted instead of sending a private message

What was it about: An M&A plan

"I still think we should buy them. He is on your schedule for Dec 15 or 16 -- we will need to sell him. i have a plan."

Page 5: Social media   data leakage and data accountability risks

How things can go wrong…


Across Social Media:

Who: UK Armed Forces

What: Disclosed details of Britain’s submarines, posted videos of people & equipment in Afghanistan & Libya, details of sensitive visits, etc.

Page 6: Social media   data leakage and data accountability risks

How things can go wrong


…Am sure each of you has a story to tell from your own organization…

Page 7: Social media   data leakage and data accountability risks

Data Leakage on Social Media – How?


Leakage

The ‘OOPS’!
Data leaked by mistake
• Very common
• E.g.: putting great details in LinkedIn profiles, uploading sensitive documents on public cloud, posting internal plans on Facebook, etc.

The DELIBERATE
The Malicious Insider

The VICTIM
Victimised by Cybercrime
• 40 percent of social media users have fallen victim to cybercrime
• One in six users believe their accounts have been compromised*

* Norton Study

Page 8: Social media   data leakage and data accountability risks

At the Organizational Level


Impersonation/ spoofing of organization’s properties

Fake pages, handles etc

Fake domains

Fake apps

Page 9: Social media   data leakage and data accountability risks

The Risks: Category #2


Page 10: Social media   data leakage and data accountability risks

When you are Online – what happens in the background?


Types of data collected:
- Device id, location data, browser history, your OS
- Anything else you may have given ‘permission’ to access – e.g., contact info, etc.

Your Profile & Identity is built

Page 11: Social media   data leakage and data accountability risks

What happens to this data?


ANALYTICS is done on this

SOLD to data networks/ ad networks/ other agencies

-Who use it to sell products & services to you

Used to SYNC UP with other channels to do omni-channel reach

Fed into ALGORITHMS and used to make automated decisions about you

Page 12: Social media   data leakage and data accountability risks

In Short, When You Are Online….

Page 13: Social media   data leakage and data accountability risks

What happens when you use a mobile app?


You give ‘Permissions’

Page 14: Social media   data leakage and data accountability risks

What happens when you use…


APP or Website

Gets access to your account

Page 15: Social media   data leakage and data accountability risks

So How and Why is all this relevant to an organization?


Page 16: Social media   data leakage and data accountability risks


Your organization is engaging in all these digital interactions

Online

Mobile apps

Applications like FB/ Instagram/ LinkedIn/ etc.

Page 17: Social media   data leakage and data accountability risks

Data: Today’s Reality


Explosion of Data

• Tracking
• Online Behavioural Advertising (OBA)
• Ad / Data Networks

Individuals as Data Generators

Social, Mobile, Analytics, Cloud, IoT…

Personal Data is the New Currency

Page 18: Social media   data leakage and data accountability risks

Types of Personal Data


PERSONAL DATA

Knowingly provided by a user

Unknowingly provided by a user

Observed Data

Derived or Inferred Data

Harvested from 3P sources

E.g.: Filling in account details

E.g.: Device identifiers, Location Data, etc.

E.g.: Data generated from analysis and/or deploying algorithms, like online behaviour profiles

Page 19: Social media   data leakage and data accountability risks

What does the law say?


Data Protection & Privacy laws in most countries:
• Define personal data to include all device data, meta data, location data, etc.
• Anything from a device that can be used to identify an individual

The laws have some strict curbs on how this data should be treated and used
• With some stiff penalties and liabilities

E.g.: EU GDPR: up to 2% to 4% of global turnover

Most countries have criminal liabilities

Page 20: Social media   data leakage and data accountability risks

So Who Owns What Data?


Dedicated 3rd Parties

3P’s using their own platforms/ products

Personal Data

Personal Data

3P’s own usage

4th Parties

Where Does Accountability lie?

Who takes on the liabilities?

Who carries the reputation risk?

Page 21: Social media   data leakage and data accountability risks

What can go wrong?: InMobi


One of the world’s largest Mobile Ad Networks

Tracked a customer’s location using surrounding wi-fi networks

EVEN when the customer had turned off location services on her mobile

Hauled up and fined by the US FTC

InMobi: Basically from India!

Page 22: Social media   data leakage and data accountability risks

What can go wrong: Silverpush


A technology that tracks ‘audio beacons’ from Televisions

Captured on a mobile device

Sent to a central server

Profiles what exactly you have watched on tv

Feeds to ad networks to deliver ads

Not even a standalone app

Embedded in other mobile apps

Hauled up by US FTC

Page 23: Social media   data leakage and data accountability risks

Think of this scenario


Your organization ties up with a third party to co-brand a mobile app

Hosts it on the third party’s platform

Third party uses the data from the customer to do analytics and sell to an ad network

Meanwhile, your organization has promised the customer that you won’t sell her personal data to anyone

What happens in this scenario? Who is accountable?

Page 24: Social media   data leakage and data accountability risks

To Summarise


Data Leakage related risks

Data Accountability related risks

Risks from the Social Media Ecosystem

Page 25: Social media   data leakage and data accountability risks

What can you do to address this?


Page 26: Social media   data leakage and data accountability risks

What can you do to address this


Create Awareness
• That these risks exist
• They are real
• They are an integral part of business – not a ‘tech-only’ problem
• They have to be urgently addressed

Assess
• What is your organization’s risk exposure vis-à-vis the social media ecosystem
• Assess the gaps

Page 27: Social media   data leakage and data accountability risks

What can you do to address this


Review existing programs/ initiatives that address these risks
• Likely that existing risk management initiatives may be addressing some parts of these risks

Initiate new programs/ initiatives to take care of unaddressed gaps

Do this on a continual basis
• Pace of change is explosive
• Risk profiles keep changing
• Global developments affect local ecosystems, although you may not be dealing with outside markets

Page 28: Social media   data leakage and data accountability risks


It is an exciting world out there….full of opportunities….just make sure you have your risks covered as you make the most of the opportunities

Page 29: Social media   data leakage and data accountability risks

Shivangi Nadkarni, CISA, DCPP, CIPT

Co-Founder & CEO – Arrka Consulting


www.arrka.com

@shivanginadkarn

Questions?
