Big Data, Big Risks

In the dark recesses of the digital world, sophisticated and intelligent cybercriminals stalk, ready to strike at the first sign of a crack in your security firewall. Daily, these attacks expose vulnerable data, disrupt operations, impact revenue, and create digital harm to organizations and individuals. As data gathering and business analytics have continued to grow globally, data risk has become an increasingly unwelcome bedfellow to day-to-day business. So, what steps can you and your business take now to protect yourselves?

Digital information privacy is top of mind for business analysts, especially for Ramnath K. Chellappa, associate dean, and academic director, MS in Business Analytics. As the Goizueta Foundation Term Professor of Information Systems & Operations Management, he helped coin the term “cloud computing” and continues to investigate the effects of data breaches on consumers and businesses.

Ramnath K. Chellappa

“We like knowing what traffic we’ll face as we leave the office, or how many steps we’ve walked in a day. But all that digital information has a cumulative impact on privacy,” Chellappa says. Though consumers may give out data, consciously or unknowingly, “The whole impact is far greater than the sum of the parts.” He explains, “Suppose a corrupt individual knows a person’s email address. With that basic information, the criminal can find out even more—associated phone apps, physical location details, images from personal life, vacation status. Personalization offers very real convenience, but the flip side is always privacy concerns.” 

On an individual level, “Our entire digital profile is what defines us,” Chellappa adds. “If you put a chip on every device we use and give it an internet protocol [IP] address, that chip generates and shares data. No longer are we just concerned with the physical aspects of being human.”

In addition, ownership of data is often murky and analyzing it unwieldy. Chellappa points out, “Publicly available information is massive. But who owns the rights? How does Google have this information? Are they the legal and moral guardian of it? Now, data can be masked or partially hidden. It can be collated with other data to create new data. Potential violation of privacy is one of the unintended consequences of technology. We don’t know all that the data can do or how it can grow.” Users, he says, don’t know how to claim their data rights. 

Be Cyberwise: Don’t Let Data Thieves Steal Personal Information

Given the onslaught of cybercrime, how can consumers protect themselves? 

“First and foremost,” suggests Jesse Bockstedt, professor of information systems and operations management, “Consumers need to think through who they allow to access their data.” He cautions users to carefully review “Terms of Service” agreements to avoid “signing up for sketchy services that put your privacy at risk.”

Jesse Bockstedt, associate professor of information systems & operations management
Jesse Bockstedt, associate professor of Information Systems & Operations Management

In his ongoing work on digital information, Bockstedt understands the increase in data breaches is concerning; however, several studies have found that the out-of-pocket expense to consumers due to identity theft is about $1,000. “Which isn’t zero, but it’s not like a few years ago when [identity theft] ruined your life and destroyed your credit,” Bockstedt says. 

Email phishing scams can trick users into providing sensitive personal information. “Don’t take the bait,” Bockstedt says. “When an email uses a credit card corporate logo and asks you to update your user information, stop and analyze before acting. Does the message contain typos or odd language? Is the sender’s email address atypical? Does the URL for the link they want you to click look like it will take you to the corporate website? What at first glance may look official, in fact, may be fraudulent.” He advises, “Typically, real companies will not call, text, or email you to ask for private information or your login credentials. When in doubt, call the company directly to make sure.”

Enabling multi-factor authentication, along with installing firewall, security, and anti-virus software on your computer, tablet, and mobile phone will enhance information security. Creating unique passwords individual to each required login is also important. “Password management tools such as 1Password or the password manager in Google Chrome are great tools to help you keep track of everything.”    

As Benjamin Franklin so profoundly stated, “An ounce of prevention is worth a pound of cure.” Bockstedt, too, urges consumers to put data safeguards in place to protect priceless personal information from ending up in the wrong hands. 

Trending: C-Level Focus on Data Privacy

According to the Identity Theft Resource Center, cybercrime, including data breaches and ransomware, has increased 51 percent in just the past ten years. In fact, cybercriminals operate wide-reaching and well-organized enterprises comparable in operations to legitimate businesses. Almost daily, news headlines decry cyberattacks against municipalities, hospital systems, utility and transport companies, retailers, banking and financial service companies, and manufacturing facilities. So, with serious cyber risks so prevalent, what is a business to do?

“Ransomware as a mainstream threat is hard to prevent,” says John A. Wheeler 90BBA 99MBA, global research leader in risk management technology for Gartner. “Threats will continue to grow in number and potential for damage. While you need to focus on prevention, the better alternative is to mitigate the risk. Know that it will come.” 

John A. Wheeler

In past decades, cybersecurity measures were thought to be an extra cost of doing business and were managed primarily by information technology teams. To grow their companies, C-level business leaders are now making greater investments in threat preparation. 

Integrated risk management links corporate strategic objectives, hardware, software, material and digital assets, data, and human capital. Developing an action plan that ties these key metrics together prior to a cybersecurity event allows leaders to better articulate to key stakeholders. “They can no longer lean on just their information technology teams to manage these events,” Wheeler says. “Instead, companies need a solid business continuity plan that includes how to restore data, strengthen digital security, resume business operations, and reassure customers post-event.”

Recovering from a global pandemic has strained business operations and challenged continuity plans. “Too often, boards of directors and senior business leaders will only consider an enterprise risk management view without understanding how business operations factor into risk mitigation at the tactical execution layers,” Wheeler says. “Risk mitigation must be integrated throughout the business for successful recovery efforts.”

Warning: Data Breaches Will Occur

First offered in the late 1990s, cyber insurance is now available to companies as a safeguard against catastrophic loss due to cybercrimes such as hacking or ransomware. “Direct written premiums for stand-alone cyber policies climbed 28.6 percent in 2020 to $1.62 billion,” according to an S&P Global Market Intelligence analysis. While cyber insurance may be expensive, not carrying it can be even more devastating to a business’s bottom line. 

The cyber insurance boom may be driven by fear of unknown assailants and the damage they might do. But is cyber insurance valuable? 

“For midsized businesses, yes,” Wheeler says. He suggests careful review of policy provisions and limits. “The associated services of the policy, such as forensic detection after a breach, ransomware negotiation, customer notification, and post-event care can be invaluable. In addition, once a breach occurs, the forensic technicians can detect exactly where the breach occurred, identify how it proliferated through the organization (including through a third-party service provider), and determine what needs to be fixed.” 

Outsourcing, off-shoring, and cloud-based methodology add complicated layers of risk to business operations. “When data is out of sight and out of mind,” Wheeler notes, “we start to see cracks in the system.”

With onsite and remote workers relying on cloud-based service providers to move and store data, “Companies need to have a firm grasp on where their most critical assets should reside as they relate to the business processes and new product launches. They must understand how the hybrid, offsite work model can affect operations and ensure that the work of those employees central to the organization’s existence is the most secure,” he says. “Organizing assets in a more secure way might mean building in some level of redundancy in both workforce and process.” For small and midsized businesses, this can be a financial and logistical challenge. 

To mitigate long-term data damage, Wheeler recommends a corporate best practice. “Establish a cohesive security program and practices that emphasize integrated risk management to ensure business continuity if—and when—a breach event occurs. Ransomware and hacking are big business. Criminals are not looking to make one big score and walk away. Using ransomware is a recurring revenue stream for these operations. And whatever feeds that business model will lead to the next big threat.”

From the business analytics and data management perspectives, “In just a few short years, everything about information security has changed. Infrastructure now poses legal dilemmas regarding the physical location of data. Going forward, it is especially important to understand that we must make good laws and public policy,” Chellappa says. “Technology is outpacing the lawmakers.” Playing a complicated game of catch-up, leaders weigh consumer privacy against digital piracy in an ongoing battle. “When you have unimpeded access to data or access without enough consequences, the potential for information misuse rises.” 

Chellappa shares a final thought. “As we continue to think about personalization and privacy, we embrace a two-faced chalice,” he notes. “While we certainly need to be fearful and concerned, we also need to be aware that the solution is to not shut down the data collection.” Data management, he says, “will be a much more delicate struggle in the future.”

Read more about how students in the MSBA program learn to interpret data responsibly.