Jake Olcott, VP of Government Affairs, BitSight
Renowned sociologist Ulrich Beck explained “Risk Society” as “Modern society becoming a risk society in the sense that it is increasingly occupied with debating, preventing and managing risks that it itself has produced”. Beck was writing in the mid-eighties, in a post-Chernobyl environment where the globally significant risk consequences of human activity were becoming starkly apparent. Fast-forward to today, and his insight is even more incisive, as we struggle to manage the inherent risks that have developed in tandem with our innovations in technology and digital networks. Preventing, managing and mitigating the impacts of cyber risk – a risk we have ourselves created – is a major challenge for individuals, businesses and nations worldwide.
Business v Personal
As technology constantly evolves, we want to take advantage of it to make our lives easier and more successful. The data we provide to organisations we use for social and business purposes are becoming more important, but at the same time the risk increases. This causes problems for individuals at a personal level, but there are also serious knock-on effects for business and society as the trust on which relationships depend is eroded. Beck observed this, noting that perceptions of risk can alter the future development of systems, technologies and societal structures themselves.
From a personal point of view every transaction and interaction you have with organisations involves sharing personal data, such as your name, address and birth date. This is the same when sharing data online, every time you visit a website, search for or buy something, use social media or send an email. Sometimes you share data consciously and deliberately, by entering it into the website for example, and sometimes data is shared less overtly, through the ever-present cookies and tracking apps that we all tend to authorise without a second thought.
Sharing data helps makes life easier, more convenient and connected, but the data is still your personal property. The price of it getting into the wrong hands can be very high in physical, financial and psychological terms. This includes limitation of an individual’s rights, discrimination, identity theft or fraud, financial loss, damage to reputation and significant economic or social disadvantage.
As Beck predicted, the evolution of this risk has given rise to an intense preoccupation with discussing, managing and preventing it, largely through the implementation of regulations – such as GDPR – designed to protect individual privacy and hold businesses and organisations that collect personal data to account.
Befitting the risk associated with personal data loss, the punishments are severe – multimillion-pound fines, legal ramifications and reputational damage all have a direct impact on the business’s bottom line. They combine to make the consequences of mis-managing this risk as unacceptable to businesses as having data stolen is to individuals. The aim is to try and restore a balance of trust between individuals and business/society that reduces the risks of data-sharing for all involved.
So, in the ever-connected digital world, security risk is inevitable and both customers and businesses are heavily affected. Regulation is one way that society is tackling the issue – creating a “stick” to keep corporations in line. However, Beck has more insight on how “Risk Society” manages itself, describing the development of “a systematic way of dealing with hazards and insecurities induced and introduced by modernisation itself”.
Reflexivity and monitoring
Beck draws heavily on the concept of reflexivity, the idea that – as a society examines itself – it changes itself in the process. Within the social theory of reflexivity sits the idea of monitoring. Monitoring enables us to assess and understand the ways that a new set of practices affect business and people.
The concept of self-monitoring was first introduced in the 1970s, highlighting how it can help people with self-presentation, expressive behaviour, and nonverbal affective displays. The concept provides an important tool for society for both personal and businesses purposes. Self-monitoring is something we are all doing every day to help manage risk. This could be through calorie counting apps to avert ill health, credit rating services to help manage financial obligations or time management for work productivity. All self-monitoring is done as a preventative measure – it is the “carrot” of self-improvement, creating a better, safer life. However, it is fair to say that self-monitoring of personal data privacy remains in its infancy among the general population. Few people take a proactive, systematic approach to maintaining personal data hygiene and security. So, whilst the public still requires education, the business world needs to ensure it is taking the lead in ensuring customer data is protected; this is where security sits in the risk society.
Causes for concern
From the perspective of the public, there is of course no ‘one size fits all’ view on exactly which privacy issues they are concerned about. But the most common themes tend to be the following.
- They want to control their personal data.
- Transparency – people want to know what organisations will do with their personal data.
- Education on the different purposes, risks and benefits of data sharing.
- Reassurance over the security of their personal data; and the specific rights of access, deletion and portable personal data.
As more of the public’s daily lives are spent online and the range of information held about them by organisations increases and is more likely to be processed electronically, this brings in new challenges for enterprises handling the data. Chief among these is the fact that large data repositories are highly attractive to cybercriminals who want to steal and monetise personal information. So how can businesses mitigate the risks in the context of Beck’s risk society? A three-step process of planning, monitoring and metrics can help.
Planning proactively
Understanding that the business operates in a risk society and treating risk as a strategic issue is the first step. The second is to plan proactively for what happens should those risks become reality. For businesses it is important to agree an incident response plan. This should include breach notification within an agreed timescale and the remedial actions to be taken by the organisation. Proactiveness and transparency pays dividends not just in containing a breach from a security perspective but also during post-breach compliance analysis by regulators – it all adds to the awareness that’s essential to operating in a risk society.
Monitoring third-party ecosystems
The threat environment is continuously changing. Any supplier that has passed due diligence yesterday, may not be secure today. This is where the self-monitoring aspect comes in – it has to be ongoing and as real-time as possible to identify emerging threats. The security performance of the business itself and the suppliers that are critical to its operation must be monitored continuously to ensure that customers are protected from service interruptions and data theft. The act of observing allows businesses to refine and inform their risk mitigation activities to reflect the reality of risk society.
Setting success metrics
Looking back at the “stick” of regulation, an important part of compliance is being able to demonstrate that a risk management programme is not just in existence but is understood and endorsed at Board level. Key to this is regular reporting of metrics that link cyber risk to business risk.
Regulations such as GDPR and the California Consumer Privacy Act have highlighted how operating in the risk society is one of the biggest challenges facing today’s business ecosystem. As individuals trust their personal data to businesses with the expectation that it will be protected businesses need to adopt practices of self-monitoring and utilising real-time risk intelligence to ensure that their own security posture and their third parties don’t introduce unacceptable risk into the organisation.
(65)
