PrivSec Risk in Focus took a global audience to the core of debate concerning data protection, risk and security yesterday.
Created in partnership with Microsoft, the one-day livestreaming experience saw 15+ risk leaders and subject-matter experts discuss global challenges and opportunities on the risk landscape.
Seven content-rich sessions brought viewers up to speed on trends, technologies and topics that are hitting business communities today. Thought leaders and industry professionals revealed how business leaders can understand and mitigate key areas of risk exposure.
The day’s first session put international data transfers under the microscope.
Transferring personal data out of “adequate” GDPR jurisdictions is arguably the most complex and time-consuming problem in data protection, particularly since the invalidation of the “Privacy Shield” framework in June 2020.
Even with fresh guidance from the European Data Protection Board (EDPB) and new sets of standard contractual clauses, many unanswered questions remain.
Anne Joséphine Flanagan, Data Policy & Governance Lead, Centre for the Fourth Industrial Revolution, World Economic Forum, said:
“Even if we look at how much the world has changed since the pandemic, the reality of it and the implications of data flows look very different to what they did previously.”
“Data is seen more as a consumer issue in the US, whereas in Europe it’s a fundamental human right. Getting the language concrete, whatever the agreement is, will be concrete to success.”
Lori Baker, VP, Legal & Director of Data Protection, DIFC, said:
“In the end, the same principles apply to data transfers no matter what jurisdiction they’re in. We evaluate EU countries even though they’re all subject to GDPR, but they don’t all agree that each other is getting it right. We cannot say in any jurisdiction that companies have 100% compliance.”
Scott A. Warren, Partner, Squire Patton Boggs, said:
“I think the biggest challenge is that there’s so many different laws in the data privacy space. Across the APAC region, Japan, Korea etc. – all of these different places have a new law that is in some ways GDPR-like and some ways not, and it’s really different how you need to handle data in those places.”
Manisha Aurora, Global Privacy Legal Advisor, Axiom, said:
“There are smaller companies who are really evaluating whether it’s worth doing business in some countries because the cost of compliance is too much.”
The following panel debate explored the creation of an insider threat programme and how businesses can build an effective and systematic framework to mitigate risk.
Jonathan Craven, Privacy and Compliance Lead, iRhythm Technologies Ltd, said:
“There are always going to be external bad actors, but from my experience the vast majority of issues come from people doing the wrong thing, and more often from them being not aware of [the risks]. The vast majority of data breaches are down to human error. We don’t want to just focus on those people that have malicious intent.”
“A lot of staff feel that it’s not their problem, that IT is an IT problem. And this is part of that cultural awareness raising process, it’s important to make everyone in your organisation aware that they also have to play their role,” Craven added.
Idayat Ibraheem, Cybersecurity Compliance Global Black Belt | EMEA, Microsoft, said:
“You need to be able to detect a malicious attack and an accidental error. One of the best practices is to look at the human aspect.
“One of the many important things is understanding the importance of contextual training. Do you have the policies in place to understand your data and what you’re doing with it?”
Alexis Perdereaux-Weekes, Associate Research Fellow, Americas Institute for Cybersecurity Leadership, said:
“Every organisation that becomes part of your network is a risk and a threat, and so they should be part of the risk detecting process. You have to expand your umbrella to everyone involved in your network.”
In the afternoon, “Improving Organisational Resilience” considered best practice for resilience management, with experts discussing how their appreciation for the issue has strengthened over the course of a chaotic past few years.
Bill Mew, Founder and CEO, Crisis Team, said:
“I’m not sure that any of us took seriously the warnings of Trump, Brexit or Putin so we’re not very good at taking the organisational risk seriously.
“In order to be truly organisationally resilient, you need to be crisis prepared. There is a point at which you need to raise the alarm and you probably need expert support; probably you’ll need to identify who those support people are in an emergency.
“One of the issues here is that you can have any number of tech teams, but people don’t think about the other dimensions, at some point you’ll need to go to expert counsel for expert opinion.”
Magdalena Avanesian, CIPP/e, BSc. LL.B., Founder, Legal Counsel & Privacy Officer, The Tech Lawyer, said:
“I think one of the big issues inside of companies is that there is a lack of communications within the departments.
“Building the bridge is important. I love the principle-based idea and I wish we could implement this in companies within our policies. We really need to work on getting the management on board because this brings awareness,” Avanesian concluded.
Glen Hymers, Head of Data Privacy and Compliance | Data Privacy and Compliance Team | CDIO Directorate, Cabinet Office, said:
“The biggest thing here is organisations not understanding what it is they’re trying to make resilient: the data, the infrastructure or the organisation as a whole?
“The risk register becomes that living document with which you drive your area of the business. People operating within siloes within organisations are not talking together and not working together as a team, and this hampers the organisation and works against resilience,” Hymers added.
“We need to work together across organisations and break down those siloes to make organisations more resilient. It isn’t just about data, it’s not just personal data; it’s all of the data. We work in an online environment and no one has paper anymore, where does that information go? It sits in a drive somewhere,” Hymers continued.
The study into resilience was followed up by a talk by Talhah Mir, Principal PM at Microsoft, concerning how to intelligently investigate and take action on insider risk.
Talhah Mir shared the importance of understanding data activity in your organisation, establishing insider risk standards and policies, and investigating high-risk users, and how to do this with Insider Risk Management in Microsoft 365.
Mr Mir explained how “93% of the organisations” polled by Microsoft said that they are “concerned about insider risk.”
“This is becoming more and more a priority in this day and age,” Mr Mir said.
“43% of the employees surveyed said they’re more than likely to change their job in the upcoming year. Over half (52%) of the workers are considering a switch to hybrid or remote work. This could set the perfect storm for insider risk, as this means the data is moving with them,” Mr Mir continued.
“When it comes to insider risk management, there’s three key things you want to do: Firstly, understand your insider risk and environment so that you can quantify and analyse your risks. Secondly, set up the rules and alerts you need to understand your threats to help you mitigate that, and this is where policies come into place; Thirdly, investigate and mitigate those risks you identified,” Mr Mir added.
In the evening sessions, experts at Risk In Focus turned their attention to third-party due diligence – a vital part of compliance and lowering of risk exposure.
Angelica Gutierrez Navarro, Data Privacy Manager, PepsiCo, said:
“We need to think how risky this activity is for the privacy of our customers, and for the privacy of our consumers. We don’t have a choice – we need to always run an assessment.
“Once we have this basic understanding of the activity, a basic flow of how the data flows between third parties and processes, we are dictated by law what we need to assess in depth,” Angelica Gutierrez Navarro added.
“It’s not a matter of signing contracts and signing documents, we need to have a discussion and after the discussion it’s then clear to us what our role is and the responsibilities that we need to accomplish. It’s a conversation we need to have with our third parties,” Angelica Gutierrez Navarro continued.
Wisdom Aveh, Security & Privacy Consultant, Perceptive Risk, said:
“Personally, if I want to look at third parties, we are not looking at the smaller or larger the company. But sometimes we need to be more pragmatic.
“When it comes to data privacy risk aspect, risk is risk and data is data. We need to ensure that the right processes are there,” Wisdom continued.
Constantine Karbaliotis, Counsel, nNovation LLP, said:
“Data risk isn’t associated with the size of the organisation, it’s the data, how much data, how sensitive it is, the processes for processing.
“One of the key areas that you can help your vendors is to communicate your requirements early on. It will help you as a client organisation if you weed out what your expectations are. I don’t think it’s a matter of size, it’s capacity that they can demonstrate the right controls.
“We are talking about the concept of our organisation’s willingness to absolve risk when it comes to third parties; it’s important to bring it back to our internal policies. We’ve got to know [whether] certain things are encrypted; what’s their key management? You do have to dig a little bit beyond what has been presented to you,” Constantine Karbaliotis concluded.
In the final session of the day at Risk In Focus, guest speakers looked at AI as a risk vector.
Automated AI systems are driving efficiency and effectiveness in millions of businesses. But regulators are drawing up new rules on automated decision-making, and the public is increasingly aware of the inherent bias that machine-learning systems can exhibit.
Odia Kagan, Partner and chair of GDPR Compliance and International Privacy, Fox Rothschild LLP, said:
“It’s interesting that the US is trying to introduce measures that are similar to the GDPR, while the EU is at the same time trying to change and distance itself from them.”
Discussing the risks that organisations face when embracing AI technologies, Joseph Davis, Chief Security Advisor, Microsoft, said:
“If you think about what AI really is, it’s about algorithm. The risks we have seen are that AI is going against unbalanced data sets, often built-in bias. We have seen organisations putting blind faith in third party bodies, and we have seen a huge amount of human bias as a result. If the algorithm is not correct, you’re going to get a malicious output.”
Taking place at the ExCel, London, on 16th & 17th November 2022, #RISK 2022 will examine the changing risk landscape in a content-rich, knowledge-sharing environment.
#RISK will focus on how a comprehensive GRC programme enables risk leaders, lines of business and the C-suite to mitigate risks, reduce compliance breaches and improve business performance.