Post on 20-Mar-2017
transcript
SOCIAL MEDIA: WHY SHOULD IT BE ON YOUR AUDIT PLAN?
Shivangi Nadkarni, CISA, CIPT, DCPP
Co-Founder & CEO – Arrka Consulting
The Social Media Ecosystem
15-Feb-17 Arrka Consulting - Confidential
• Communication apps: Gmail, Skype, WhatsApp...
• Organizational sites, apps, games, pages
• Games, interactive media
• Popular apps: Facebook, LinkedIn, Twitter...
The Risks: Category #1
How things can go wrong…
Twitter:
Who: Their own CFO, Anthony Noto
What: Accidentally tweeted instead of sending a private message
What was it about: An M&A plan
"I still think we should buy them. He is on your schedule for Dec 15 or 16 -- we will need to sell him. i have a plan."
How things can go wrong…
Across Social Media:
Who: UK Armed Forces
What: Disclosed details of Britain's submarines, posted videos of people and equipment in Afghanistan and Libya, details of sensitive visits, etc.
How things can go wrong
…Am sure each of you has a story to tell from your own organization…
Data Leakage on Social Media – How?
Leakage takes three forms:
• The 'OOPS': data leaked by mistake. Very common. Eg: putting great detail in LinkedIn profiles, uploading sensitive documents to public cloud storage, posting internal plans on Facebook, etc.
• The DELIBERATE: the malicious insider.
• The VICTIM: victimised by cybercrime. 40 percent of social media users have fallen victim to cybercrime; one in six users believe their accounts have been compromised* (* Norton study).
At the Organizational Level
Impersonation/ spoofing of organization’s properties
Fake pages, handles etc
Fake domains
Fake apps
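Fake domains are the one item on this list an auditor can check mechanically: generate the single-edit variants of the organization's own domain (dropped or doubled letters, swapped neighbours, look-alike characters, an inserted hyphen, a different TLD) and match them against domains seen in a registration or certificate-transparency feed. The script below is an added example for this talk, not Arrka Consulting's tooling; the brand domain, the homoglyph table and the list of "observed" registrations are constructed sample data.

```python
"""Flag registered domains that imitate an organization's own domain.

Added example, not the talk's own material. BRAND, HOMOGLYPHS and OBSERVED are
constructed samples; in practice OBSERVED would come from a new-registration or
certificate-transparency feed.
"""
from typing import Dict, Iterable, List, Set

# Characters attackers commonly swap for look-alikes. Assumption: a small
# illustrative table, not a complete homoglyph catalogue.
HOMOGLYPHS: Dict[str, List[str]] = {
    "o": ["0"], "l": ["1", "i"], "i": ["l", "1"], "e": ["3"],
    "a": ["4"], "s": ["5"], "m": ["rn"], "w": ["vv"],
}

# Constructed sample: the genuine brand domain plus registrations seen in a feed.
BRAND = "examplebank.com"
OBSERVED = [
    "examplebank.com",    # the genuine domain
    "exarnplebank.com",   # m -> rn
    "examp1ebank.com",    # l -> 1
    "example-bank.com",   # hyphen inserted
    "examplebank.net",    # TLD swap
    "exmaplebank.com",    # adjacent letters transposed
    "unrelated.com",
]


def lookalikes(domain: str, extra_tlds: Iterable[str] = ("net", "org", "co")) -> Set[str]:
    """Generate single-edit impersonation candidates for `domain`."""
    label, _, tld = domain.lower().rpartition(".")
    out: Set[str] = set()
    for i in range(len(label)):
        out.add(f"{label[:i]}{label[i + 1:]}.{tld}")                  # omission
        out.add(f"{label[:i + 1]}{label[i]}{label[i + 1:]}.{tld}")    # repetition
        for sub in HOMOGLYPHS.get(label[i], []):                      # homoglyph
            out.add(f"{label[:i]}{sub}{label[i + 1:]}.{tld}")
        if i > 0:                                                     # hyphenation
            out.add(f"{label[:i]}-{label[i:]}.{tld}")
        if i < len(label) - 1 and label[i] != label[i + 1]:           # transposition
            out.add(f"{label[:i]}{label[i + 1]}{label[i]}{label[i + 2:]}.{tld}")
    for t in extra_tlds:                                              # TLD swap
        if t != tld:
            out.add(f"{label}.{t}")
    out.discard(domain.lower())  # the genuine domain is never a finding
    return out


def flag_lookalikes(brand: str, observed: Iterable[str]) -> List[str]:
    """Return the observed domains that are single-edit impersonations of `brand`."""
    candidates = lookalikes(brand)
    return sorted({d.strip().lower() for d in observed} & candidates)


if __name__ == "__main__":
    for hit in flag_lookalikes(BRAND, OBSERVED):
        print("lookalike registered:", hit)
```

The same matching can be run against the handles of the organization's social accounts; what changes is only the permutation table, not the check.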
The Risks: Category #2
When you are Online – what happens in the background?
Types of data collected: device id, location data, browser history, your OS, and anything else you may have given 'permission' to access (eg: contact info).
Your Profile & Identity is built
What happens to this data?
ANALYTICS is done on this
SOLD to data networks/ ad networks/ other agencies
- who use it to sell products and services to you
Used to SYNC UP with other channels to do omni-channel reach
Fed into ALGORITHMS and used to make automated decisions about you
In Short, When You Are Online….
What happens when you use a mobile app?
You give ‘Permissions’
What happens when you use…
The app or website gets access to your account
So How and Why is all this relevant to an organization?
Your organization is engaging in all these digital interactions
Online
Mobile apps
Applications like Facebook/ Instagram/ LinkedIn/ etc
Data: Today’s Reality
Explosion of data:
• Tracking
• Online Behavioural Advertising (OBA)
• Ad / data networks
• Individuals as data generators
• Social, mobile, analytics, cloud, IoT…
Personal Data is the New Currency
Types of Personal Data
PERSONAL DATA
• Knowingly provided by a user. Eg: filling in account details
• Unknowingly provided by a user (observed data). Eg: device identifiers, location data, etc.
• Derived or inferred data. Eg: data generated from analysis and/or deploying algorithms, like online behaviour profiles
• Harvested from 3P (third-party) sources
What does the law say?
Data protection and privacy laws in most countries:
• Define personal data to include all device data, metadata, location data, etc.: anything from a device that can be used to identify an individual
• Place strict curbs on how this data may be treated and used, with stiff penalties and liabilities
• Eg: EU GDPR: fines of up to 2% or 4% of global annual turnover, depending on the tier of infringement
• Most countries also attach criminal liability
So Who Owns What Data?
Personal data flows from your organization to dedicated third parties, to third parties using their own platforms/products (who also put it to their own use), and on to fourth parties.
Where Does Accountability lie?
Who takes on the liabilities?
Who carries the reputation risk?
What can go wrong?: InMobi
One of the world's largest mobile ad networks
Tracked a customer's location using surrounding Wi-Fi networks
EVEN when the customer had turned off location services on her mobile
Hauled up and fined by the US FTC
InMobi: Basically from India!
What can go wrong: Silverpush
A technology that tracks 'audio beacons' emitted by television broadcasts
• Captured on a mobile device
• Sent to a central server
• Profiles exactly what you have watched on TV
• Feeds ad networks to deliver ads
Not even a standalone app: embedded in other mobile apps
Hauled up by the US FTC
Think of this scenario
Your organization ties up with a third party to co-brand a mobile app
Hosts it on the third party's platform
The third party uses the customer's data to do analytics and sells it to an ad network
Meanwhile, your organization has promised the customer that you won't sell her personal data to anyone
What happens in this scenario? Who is accountable?
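One concrete audit step for this scenario, and for the earlier point that a mobile app works by the permissions you grant it, is to read the co-branded app's Android manifest before launch and compare what it can collect with what your privacy notice promised. The script below is an added example, not part of the talk and not Arrka Consulting's tooling; the manifest is a constructed sample, and the SENSITIVE table is an illustrative subset of real Android permission names mapped to the kinds of personal data the talk lists, not a complete catalogue. It also flags ACCESS_WIFI_STATE, an install-time permission the user is never prompted for, because nearby Wi-Fi networks reveal location even with location services off, which is the InMobi pattern described above.

```python
"""Audit the permissions a mobile app requests before your brand goes on it.

Added example, not part of the original talk. SAMPLE_MANIFEST is a constructed
sample; SENSITIVE is an illustrative subset of Android permissions, not a
complete catalogue.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"

SENSITIVE: Dict[str, str] = {
    # Runtime ("dangerous") permissions: Android prompts the user for these.
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "contacts",
    "android.permission.READ_SMS": "messages",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_PHONE_STATE": "device identifiers",
    "android.permission.READ_EXTERNAL_STORAGE": "files",
    # Install-time ("normal") permission the user is never asked about, yet
    # usable to infer location from nearby Wi-Fi networks (cf. the InMobi case).
    "android.permission.ACCESS_WIFI_STATE": "location (inferred from Wi-Fi)",
}

# Constructed sample manifest for a hypothetical co-branded app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cobranded">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="CoBranded"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> List[str]:
    """List every <uses-permission android:name=...> in the manifest, in order."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"  # attributes carry the android namespace
    return [el.get(name_attr, "") for el in root.iter("uses-permission")]


def audit_permissions(manifest_xml: str) -> Dict[str, List[str]]:
    """Map each category of personal data to the permissions that expose it."""
    findings: Dict[str, List[str]] = {}
    for perm in requested_permissions(manifest_xml):
        category = SENSITIVE.get(perm)
        if category:
            findings.setdefault(category, []).append(perm)
    return findings


def beyond_promise(manifest_xml: str, promised: Set[str]) -> List[str]:
    """Data categories the app can collect that the privacy notice never mentioned."""
    return sorted(c for c in audit_permissions(manifest_xml) if c not in promised)


if __name__ == "__main__":
    # Constructed assumption: the notice to customers only disclosed location.
    for category in beyond_promise(SAMPLE_MANIFEST, {"location"}):
        print("collected but not disclosed:", category)
```

The manifest answers only "what can the app collect"; where the data then goes (the third party's analytics and the ad network in the scenario) has to come from the contract and the third party's own disclosures, which is exactly the accountability question the slide asks.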
To Summarise
Data Leakage related risks
Data Accountability related risks
Risks from the Social Media Ecosystem
What can you do to address this?
Create awareness that these risks exist:
• They are real
• They are an integral part of business, not a 'tech-only' problem
• They have to be urgently addressed
Assess:
• What is your organization's risk exposure vis-à-vis the social media ecosystem?
• Assess the gaps
Review existing programs/ initiatives that address these risks: it is likely that existing risk management initiatives already address some parts of these risks
Initiate new programs/ initiatives to take care of unaddressed gaps
Do this on a continual basis:
• The pace of change is explosive
• Risk profiles keep changing
• Global developments affect local ecosystems, even if you are not dealing with outside markets
It is an exciting world out there, full of opportunities. Just make sure you have your risks covered as you make the most of them.
Shivangi Nadkarni, CISA, DCPP, CIPT
Co-Founder & CEO – Arrka Consulting
shivangi.nadkarni@arrka.com
www.arrka.com
@shivanginadkarn
Questions?