Avoiding a data breach
Preserving security and privacy for middle market companies
Security and privacy are hot-button issues in the world of technology, but Anthony Hargreaves believes that some companies are only now beginning to understand the risk and potential damage of a data breach.
“Increased awareness is happening,” says Hargreaves, a director at RSM. “For example, leaders of middle market companies see it on the news when a huge corporation suffers a breach. But they’re also identifying: attacks are motivated more by access to data and less by scale. It highlights the fact that their organization could be next.”
Hargreaves says that in the future, the power of middle market companies to attract new customers is going to depend on their ability to preserve the privacy of those customers and their data. He believes that data security and privacy will be key points in a given customer’s decision about whether he or she wants to do business with an organization.
“Having a high level of security awareness will impress customers,” Hargreaves says. “But it will be the company that can show a high level of security and data privacy concern that will win in the procurement life cycle. Additionally, it will be a critical factor in whether a customer sticks with an organization.”
Privacy and security are intertwined, Hargreaves explains. He points out that, in the recent past, employees used to leave their work at the office. But today, the rise of mobile technology, the use of personal devices, incentives to work from home and a 24/7 business cycle mean that the personal and professional lives of individuals are increasingly overlapping.
“People have pictures of their kids on the same laptops that they use to store confidential employer and client information,” Hargreaves says. “So the new challenge is going to be in maintaining both the privacy of the individual and the privacy of the organization at the same time. What is the company’s policy when it comes to protecting the data of its employees, the organization and its customers?”
Hargreaves says that to preserve this delicate balance, and to combat the risk of a severe data breach, companies will invest in everything from additional intrusion detection software and data governance training to more extensive background checks. He adds, however, that in any security system, people will always be the weakest link.
“Tech is easy to configure, monitor and troubleshoot, but people are not,” Hargreaves says. “The irony is that it’s usually not the new hires who cause a security breach. It’s usually employees with a lot of experience. Maybe they get lax because they’ve been in the job for too long. Or maybe they’ve built up a grudge toward their employer and actively want to cause harm. But in any case, most data breaches are not because of a failure of technology, but because of the actions of people.”
Many organizations would benefit from having an independent company handle their privacy and security concerns, Hargreaves says. He believes that a team that specializes in data security and privacy, such as RSM’s, can usually handle the challenges better than a middle market organization can on its own.
“The issues can be complex,” Hargreaves says. “For example, the European Union’s General Data Protection Regulation (GDPR) is causing a major upheaval. The EU’s legal framework is applicable globally to all industries and organizations in an effort to protect European personal data. But—though many companies do not realize this yet—emerging privacy laws are not exclusive to Europe. In the U.S., for example, the California Consumer Protection Act (CCPA) was passed in 2018, and contains similar provisions to the GDPR—and is in some ways even more punitive. A similar tightening of security regulations is evolving globally, with China, Canada, Vietnam and Brazil among the recent examples from just the last 18 months.”
Hargreaves notes that these new privacy regulations may also be too restrictive and create conflicts for companies pursuing leading-edge technologies in some circumstances. He gives the example of client data used in blockchain technology, where the record is immutable, by design. This runs contrary to the fundamental privacy principle that data should only be retained for as long as it is needed for the purpose(s) for which it was collected.
“This conflict means that either these privacy regulations will need to be realigned, or a huge technological innovation needs to be adjusted,” Hargreaves says. “So for situations like that, it’s probably best to look to a team with global resources that specializes in those complexities.”
Regardless of which solution a middle market company embraces, the fact remains that privacy and security will be vital concerns for the foreseeable future. Hargreaves believes that businesses must address these issues, and be seen to embrace security and privacy in a culturally sustainable manner, in order to stay relevant.
“Very soon, we will see a massive reworking of our systems to fit privacy concerns and technological developments,” Hargreaves says. “It’s going to be a fun ride.”