Information Security Analyst, Ian Edwards MBCS, discusses what we can learn from the Facebook Cambridge Analytica saga.

Most of you will be very familiar with the recent Facebook-Cambridge Analytica saga. It was virtually impossible to hide from the reports and articles in the news. Ultimately, we’ve seen revelations on the misuse of personal data belonging to over 80 million people.

The highly detailed analytics and processing of personal data have fuelled political campaigns and may have had a significant, potentially result-changing, influence.

Impact on a global giant and analytics business

The impact for both companies has been significant. Taking Facebook, for example, Mark Zuckerberg and shareholders saw the company’s value plummet by approx. $40 billion (£28 billion) after the announcement.

The PR and reputational impact has been highly damaging, not only to the Facebook brand, but for Mr Zuckerberg personally. The saga also marked the end of the road for Cambridge Analytica, at least in its current guise.

Public reaction

The initial reports sparked varying levels of public response, including people threatening to leave the service. For individuals who took that action, this proved more of a challenge than expected, as the option to ‘delete’ a Facebook account is not easily found via the main menus and interface.

For the vast majority of people though, leaving Facebook wasn’t an option they were prepared to take. Life stories have been built up using the service and for many it is an enabler for keeping in touch with loved ones and friends, both near and far from home.

What can businesses learn from this?

Commercial organisations rely almost solely on their customers to generate revenue and bottom line profit. It is difficult to escape the fact that, in providing services and products to these customers, businesses will often work closely with suppliers and third parties. Depending on the type of supplier, customer data is often shared in order to actually deliver the service being provided.

If you or your organisation has been busy working through a GDPR programme, chances are you have now mapped out the key vendor relationships where personal data is processed. What measures are in place to review these relationships and the systems involved?

What can businesses do to protect themselves?

Businesses should take a ‘trust and verify’ approach towards their business partners. This way it is possible to ensure they are doing everything they can to protect shared data. Third parties must be held accountable in contracts and adhere to the same levels of requirements and regulation that may be applicable to your own business. The recent scandal highlights the importance of the entire relationship lifecycle.

1. The initial discussions and negotiation

This is the first opportunity to understand the security posture of a third party by requesting copies of attestations of compliance and technical details, and by performing a high-level assessment of their setup.

  • How do they store your customers’ personal data?
  • What is their service level agreement or response time for incidents?
  • What security and protection do they have in place to keep personal data safe?
  • What mechanisms do they have in place to transfer data to and from your organisation?

2. Contracts and initial assurance

Next up, it’s the turn of the legal pros to ensure the contracts are written in the interest of your organisation and more importantly your customers and their data. The involvement of security and IT is important here - there are many technical clauses and requirements that can be included or removed from contracts.

At this stage you may want to carry out an audit or send a questionnaire to the new supplier. This is where you can grill them in more detail and ask specific information security and technical questions. If any gaps are identified, remediation can be agreed and worked towards. If remediation isn’t possible and the risk to customer data is too large, then the relationship can be ended without contractual penalty.

3. Ongoing assurance and audit

OK, let’s say a year has gone by and the relationship is going well. Not much has changed for the business and the service provided needs to continue. Chances are the security and threat landscape has changed somewhat and there may be updated laws and regulation applicable to your business. Do you know if your supplier has done anything about this?

Maintaining regular supplier assurance is the key to keeping on top of potential gaps and the risks they might generate. Essentially this is a full-time work stream for larger organisations or those with a large volume of contracts and suppliers.

4. Termination of contract

If for any reason a service is no longer required, or the supplier no longer offers the service, contractual discussions begin to hopefully come to a mutually agreeable position. Both sides part ways, but don’t stop there.

What about all that company and customer data the supplier holds in their data centre? Having a specific clause in the contract helps, but also follow up and verify that the supplier has purged and securely destroyed all data that is no longer needed.

Performing assurance activities on third parties improves not only your own organisation’s security posture, but the supplier’s too, while potentially reducing the risk of cyber threats and data breaches.

How can individuals react to the saga and protect themselves?

Cambridge Analytica is far from the only organisation to have exploited data in such ways. There are plenty of other businesses and individuals out there mining data. This is evident through the likes of mobile games, apps and quizzes commonly seen on the Facebook platform.

When was the last time you or a family member came across a ‘find out what type of person you are’ app or game? Chances are it was not that long ago. If such an app is featured on Facebook it may ask for specific permissions to your profile and, given these, potentially scrape data about you and your connections. Worse still, an app may be outright malicious and use the access granted to send out spam messages or perform other unscrupulous tasks.

Ultimately, it is down to each of us to control who or what we give access to on our personal profiles on services like Facebook. We must think twice before signing up to games, quizzes and other third-party apps. Approach them with caution, noting carefully what information they ask for: do you really want or need them to have access to that data?