Too many firms risk becoming the next Cambridge Analytica data scandal

22 Mar 2018


The leaders at too many organisations around the world pay scant attention to data privacy and third-party audits, PwC warns.

If an online giant such as Facebook, whose lifeline is data, can have that data siphoned off through a third-party app, then the worrying implication is that organisations around the world are not doing enough to protect privacy, a new PwC global report warns.

According to the PwC 2018 Global State of Information Security Survey (GSISS), only about half (51pc) of business executives around the world have an accurate inventory of employee and customer data. Less than half (46pc) conduct compliance audits of third parties who handle customer and employee data.


Worse still, only 49pc say their organisation limits collection, retention and access of personal information to the minimum levels necessary to accomplish the purpose for which it was collected.

The finding is all the more damning considering that the entire Cambridge Analytica scandal, in which data from 50m users’ accounts was potentially used to sway the US elections and Brexit referendum of 2016, came about through the use of a third-party app.

Closer to home in Ireland, 40pc of Irish CEOs are inadequately addressing cyber breaches, the report found.

Lack of GDPR preparedness is a major problem

Pat Moran, cyber leader, PwC Ireland. Image: Connor McKenna

The report, which surveyed 9,500 senior business and tech executives from 122 countries, found that only one in three had started a General Data Protection Regulation (GDPR) assessment at the start of 2018.

GDPR becomes enforceable across the EU on 25 May 2018 and brings with it hefty fines of up to €20m or 4pc of global annual turnover, whichever is higher.

“GDPR is just around the corner and it is disappointing that the survey suggests that organisations are not doing enough to protect data privacy,” said Pat Moran, PwC Ireland cyber leader.

“This is evidenced by the fact that just half of survey respondents around the world have an accurate inventory of employee and customer personal data and only one in three (32pc) had started a GDPR assessment at the beginning of 2018.”

Less than a third (31pc) of 2018 GSISS respondents say their corporate board directly participates in a review of current security and privacy risks.

Moran said: “Leadership involvement is really critical when defining the cybersecurity strategy.

“Organisations of all sizes should boost the engagement of corporate boards in the oversight of cyber and privacy risk management.

“Without a solid understanding of the risks, boards are not well positioned to exercise their oversight responsibilities for data protection and privacy matters.”

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years
