In today's SMAC world, the risks from Social Media are manifold - ranging from Data Leakage to Data Accountability. This ppt was made to a conference of Institute of Internal Auditors in Mumbai, India.

1. SOCIAL MEDIA: WHY SHOULD IT BE
ON YOUR AUDIT PLAN?
Shivangi Nadkarni, CISA, CIPT, DCPP
Co-Founder & CEO – Arrka Consulting

2. The Social Media Ecosystem
15-Feb-17Arrka Consulting - Confidential
2
This is a placeholder text.
It can be replaced by your
own one.
Communication Apps:
Gmail, Skype,
Whatsapp...
Organizational
sites, apps,
games, pages
Games,
Interactive
Media
Popular Apps:
Facebook, Linked In,
Twitter...

3. The Risks: Category #1
15-Feb-17
3
Arrka Consulting - Confidential

4. How things can go wrong…
15-Feb-17Arrka Consulting - Confidential
4
Twitter:
 Who: Their own CFO – Anthony Noto
 What: Accidently tweeted instead of sending a private message
 What was it about: An M&A plan
 "I still think we should buy them. He is on your schedule for Dec 15 or 16
-- we will need to sell him. i have a plan.“

5. How things can go wrong…
15-Feb-17Arrka Consulting - Confidential
5
Across Social Media:
 Who: UK Armed Forces
 What: Disclosed details of Britain’s submarines, posted videos of people
& equipment in Afghanistan & Libya, details of sensitive visits, etc

6. How things can go wrong
15-Feb-17Arrka Consulting - Confidential
6
 …Am sure each of you has a story to tell from your own
organization…

7. Data Leakage on Social Media – How?
15-Feb-17Arrka Consulting - Confidential
7
Leakage
The
DELIBERATE
The VICTIM
The ‘OOPS’!
Data leaked by mistake
• Very Common
• Eg: putting great details in Linked In profiles,
uploading sensitive documents on public
cloud, posting internal plans on Facebook, etc
The Malicious
Insider
Victimised by Cybercrime
• 40 percent of social media users have
fallen victim to cybercrime
• One in six users believe their accounts
have been compromised*
* Norton Study

8. At the Organizational Level
15-Feb-17Arrka Consulting - Confidential
8
 Impersonation/ spoofing of organization’s properties
 Fake pages, handles etc
 Fake domains
 Fake apps

9. The Risks: Category #2
15-Feb-17
9
Arrka Consulting - Confidential

10. When you are Online – what happens in the
background?
15-Feb-17Arrka Consulting - Confidential
10
Types of data collected:
- Device id, location data, browser history, your OS,
- Anything else you may have given ‘permission’ to
access – eg, contact info, etc
Your Profile &
Identity is built

11. What happens to this data?
15-Feb-17Arrka Consulting - Confidential
11
ANALYTICS is done on
this
SOLD to data networks/
ad networks/ other
agencies
-Who use it to sell
products & services to
you
Used to SYNC UP with
other channels to do
omni-channel reach
Fed into ALGORITHMS
and used to make
automated decisions
about you

12. In Short, When You Are Online….

13. What happens when you use a mobile app?
15-Feb-17Arrka Consulting - Confidential
13
You give ‘Permissions’

14. What happens when you use…
15-Feb-17Arrka Consulting - Confidential
14
APP or Website
Gets access to
your account

15. So How and Why is all this relevant to an organization?
15-Feb-17
15
Arrka Consulting - Confidential

16. 15-Feb-17Arrka Consulting - Confidential
16
 Your organization is engaging in all these digital interactions
 Online
 Mobile apps
 Applications like FB/ Instagram/ Linked in/ etc

17. Data: Today’s Reality
15-Feb-17Arrka Consulting - Confidential
17
Explosion of
Data
• Tracking
• Online Behavioural
Advertising (OBA)
• Ad / Data Networks
Individuals as
Data
Generators
Social, Mobile,
Analytics,
Cloud, IOT…
Personal
Data is the
New
Currency

18. Types of Personal Data
15-Feb-17Arrka Consulting - Confidential
18
PERSONAL DATA
Knowingly provided
by a user
Unknowingly
provided by a user
Observed Data
Derived or Inferred
Data
Harvested
From 3P
sources
Eg: Filling in
account details
Eg: Device
identifiers,
Location Data,
etc
Eg: Data generated from
analysis and/or deploying
algorithms. Like online
behaviour profiles

19. What does the law say?
15-Feb-17Arrka Consulting - Confidential
19
 Data Protection & Privacy laws in most countries:
 Define personal data to include all device data, meta data, location data,
etc
 Anything from a device that can be used to identify an individual
 The laws have some strict curbs on how this data should be treated
and used
 With some stiff penalties and liabilities
 Eg:
 EU GDPR: upto 2% to 4% of global turnover
 Most countries have criminal liabilities

20. So Who Owns What Data?
15-Feb-17Arrka Consulting - Confidential
20
Dedicated
3rd Parties
3P’s using their
own platforms/
products
Personal Data
Personal Data
3P’s own usage
4th
Parties
Where Does
Accountability lie?
Who takes on the
liabilities?
Who carries the
reputation risk?

21. What can go wrong?: InMobi
15-Feb-17Arrka Consulting - Confidential
21
 One of the world’s largest Mobile Ad Network
 Tracked a customer’s location using surrounding wi-fi networks
 EVEN when the customer had turned off location services on her mobile
 Hauled up and fined by the US FTC
 InMobi: Basically from India!

22. What can go wrong: Silverpush
15-Feb-17Arrka Consulting - Confidential
22
 A technology that tracks ‘audio beacons’ from Televisions
 Captured on a mobile device
 Sent to a central server
 Profiles what exactly you have watched on tv
 Feeds to ad networks to deliver ads
 Not even a standalone app
 Embedded in other mobile apps
 Hauled up by US FTC

23. Think of this scenario
15-Feb-17Arrka Consulting - Confidential
23
 Your organization ties up with a third party to co-brand a mobile app
 Hosts it on the third party’s platform
 Third party uses the data from the customer to do analytics and sell
to an ad network
 Meanwhile, your orgn has promised the customer that you wont sell
her personal data to anyone
 What happens in this scenario? Who is accountable?

24. To Summarise
15-Feb-17Arrka Consulting - Confidential
24
Data Leakage
related risks
Data Accountability
related risks
Risks from the
Social Media Ecosystem

25. What can you do to address this?
15-Feb-17
25
Arrka Consulting - Confidential

26. What can you do to address this
15-Feb-17Arrka Consulting - Confidential
26
 Create Awareness
 That these risks exist
 They are real
 They are an integral part of business – not a ‘tech-only’ problem
 They have to be urgently addressed
 Assess
 What is your organization’s risk exposure vis-à-vis the social media
ecosystem
 Assess the gaps

27. What can you do to address this
15-Feb-17Arrka Consulting - Confidential
27
 Review existing programs/ initiatives that address these risks
 Likely that existing risk management initiatives may be addressing some parts of
these risks
 Initiate new programs/ initiatives to take care of unaddressed gaps
 Do this on a continual basis
 Pace of change is explosive
 Risk profiles keep changing
 Global developments affect local ecosystems- although you may not be dealing
with outside markets

28. 15-Feb-17Arrka Consulting - Confidential
28
 It is an exciting world out there….full of opportunities….just make
sure you have your risks covered as you make the most of the
opportunities

29. Shivangi Nadkarni, CISA, DCPP, CIPT
Co-Founder & CEO – Arrka Consulting
shivangi.nadkarni@arrka.com
www.arrka.com
@shivanginadkarn
Questions?
15-Feb-17
29
Arrka Consulting - Confidential