Data – the Good, the Bad and the AI

Data is still often hailed as a company’s greatest asset, but as privacy breach risks continue to climb, Acumentis CFO and Group Executive Director Risk, IT & Privacy, John Wise urges CFOs and finance leaders to reassess the benefits of the data held by their businesses.

“Data may be an asset, but it is absolutely a potential liability, probably your greatest potential liability,” says Wise, who leads finance, risk, IT and privacy at the property valuation company formerly known as LandMark White, having joined in 2016. 

“A lot of companies hold onto private information because it’s seen as ’gold’, particularly for marketing purposes,” he says. “But there’s actually very few organisations that use it well, and many probably don’t use it at all but are holding it ’just in case’. Often, the data used in an aggregated, statistical sense for forecasting can actually be done with de-identified data.”

Those companies holding high-risk private data, such as client’s names, addresses, dates of birth and other identifiers, should reconsider the benefits of doing so, he says.

“Because if you get hacked and it’s leaked, the adverse publicity will likely cause huge negative impacts to your business, even if the people whose data is leaked don’t suffer any actual loss.” 

Hard lessons

Wise’s views were born from the searing experience of a data breach almost five years ago which brought his company almost to its knees.

In February 2019, the then LandMark White announced a cyber security incident had resulted in a dataset being published on the ‘dark web’, containing data relating to a number of the firm’s past property valuations, some of which included personal information of a small number of borrowers, lenders and property agents.

While the company swung responsibly into action, and the leaked data was deemed a “very low risk of harm”, the reputation damage was immediate. The company was taken off the property valuation panels of its major banking partners, causing significant revenue losses and an ASX trading halt. 

“Numerous clients immediately dropped us like a hot potato,” Wise says. “The majority of our revenue at the time came from supporting mortgage valuations for banks, so almost all of that revenue just disappeared overnight.”

He says the company “moved heaven and earth” to attain ISO 27001 certification (the international standard demonstrating the effectiveness of its information security management systems), clients began to return, and the ASX trade suspension lifted.

But just as things were getting back on track, in May 2019, bang, another breach. The company discovered the seemingly “deliberate work of an individual known to the business” (he was later arrested), who’d posted random files from the company on the ‘clear web’. The stolen files didn’t constitute a ‘notifiable data breach’ under the Privacy Act and were quickly taken down from the web, but the market’s response was, again, immediate and brutal.

Breaches on the rise

Acumentis is certainly not alone in its data breach woes. Millions of Australians were impacted during 2022-23 by the biggest data breaches the country had experienced since the notifiable data breaches scheme started in 2018, including hits to Optus, Medibank Private, Latitude Group and Australian Clinical Labs. Almost 900 data breaches were reported in the year, 70 percent of which resulted from malicious or criminal attacks according to the Office of the Australian Information Commissioner. Fourteen of them affected more than 1 million people each.

“Not surprisingly, data breaches are seen as the number one privacy concern by the community,” said Australian Privacy Commissioner Angelene Falk, citing findings from a 2023 survey of community attitudes. It also found 89 percent of respondents want more legislation to protect personal information, a wish set to be granted this year with expected legislative amendments to the Privacy Act that will strengthen data destruction obligations, enforcement powers and penalties.

Outsized actions

In the five years since Acumentis’ breach, Wise says annual revenue has gradually rebounded, but estimates it’s still around $20 million below its previous trajectory. Meantime, the firm has had to rebuild its team (it lost more than 100 staff), raise capital twice, diversify its operations, rebrand and, importantly, completely overhaul its cyber and privacy defences.

“I’ve got no doubt that our IT security is now significantly above the industry average – some of our smaller competitors literally could not afford to spend the money we’ve had to spend,” Wise says. “We’ve had to do this to restore confidence and get the business back on its feet.” 

While IT security has been boosted at all levels – with stronger firewalls, virus protection, encryption and multi-factor authentication “on just about everything” – he says the company has also fundamentally reset its rules around data management.

“A big one for us is we now de-identify all private data 90 days after we’ve completed the job. So, any names, telephone numbers, email addresses, anything like that associated with the job, we run a script and change it all into asterisks. That means, now if somebody hacked our data, there would only be 90 days’ worth of private data, not years’ worth,” he says.

“We also check every PDF that is sent to us by our clients to ensure it doesn’t contain private information that it shouldn’t; if it does, we flag it to the client as a potential privacy breach, delete the PDF and reject the job.

“We run a full bi-annual audit of all our systems, processes and network storage drives so we know what data we store, and where we store it, therefore what we’ve got to protect – and we also audit our key suppliers to understand what data they hold and how they protect it. We’ve implemented minimum required access levels – so, instead of giving a senior person access to everything and then removing access to certain sensitive system the old-fashioned way, we start the other way around and ask, ‘What do they really need access to?’ and only give them access that’s actually needed for their role. 

“Every file is now flagged, indicating whether it’s public, internal, confidential or restricted, and we have different rules for each. For example, the confidential and restricted files can’t be emailed to external parties. We’ve also put limits on extraction sizes for database queries limiting the risk of large quantities of data being stolen. And we have 24/7 monitoring to identify any unusual or unexpected activity across our systems and don’t allow access from locations outside Australia except when expressly approved.”

Importantly, Acumentis runs regular staff training, including annual cyber and privacy training and monthly phishing and other “white hacking” exercises. “We send phishing emails to about a third of our staff each month, from an external party, and use that as part of our reinforcement process – if anyone does click on the link in the email they are taken to a harmless site that reinforces their responsibilities in relation to protecting against phishing and will then be required to undertake additional training.”

AI – helper or hindrance?

While the dangers of artificial intelligence in proliferating data breaches have been well flagged (for example, criminals are using the technology to launch more sophisticated and widespread cyber-attacks), Wise says it can also help with defences.

“We’re automating of a lot of the checks we’ve historically been doing manually,” he says. “We’ve just implemented a piece of software that uses AI to cross-check user access to systems across various parts of our business – for example, it’ll cross-check our HR system with the valuation management system and will alert IT if it finds someone who has access to the valuation system but who’s employment has been terminated per the HR system.”  

Investment payoff

Despite the material level of ongoing investment involved, Wise says it is a fundamental cost for every business that reflects the “existential” nature of the threat. “If you have a major security breach, it’s life threatening to the company, therefore how much should you spend defending that?” he asks.

“The answer should be, as much as you can realistically afford.”

3 key CFO lessons

As legislation rolls out requiring businesses to have risk and privacy officers, Wise believes these responsibilities are likely to sit with many CFOs, particularly in smaller and medium sized businesses, adding to the IT oversight in most CFOs’ remits. His top three tips: 

• Know what data you hold and ask, ‘Why?’: “Do a privacy audit, know what you are holding and where it’s being held,” Wise advises. “Always ask ‘Do we really need it?’. Don’t collect personal information you don’t need, and make sure data that’s no longer needed is deleted or, at a minimum, deidentified.”

• Review data access points and get the number down: “Regularly review who has access to data from an internal security point of view and from third parties, and look at how you’re securing the systems that hold risky data.”  

• Cyber insurance is a must, particularly for the expertise: “There’s probably still a lot of organisations that don’t have it, and it’s getting more expensive each year, but it’s an absolute lifeline,” he says. Beyond covering costs, insurers can also wheel in experts. Referring to Acumentis’ recovery after the 2019 cyber-attacks, Wise noted: “We had a team of about eight senior professionals introduced and funded by the insurance company, for months, working with us side by side. Without them, we wouldn’t have been able to respond so quickly and identify the roadmap to navigate out of the ensuing crisis.”  

John will be speaking at the upcoming CFO Magazine Sydney CFO Symposium on Thursday 8th February at the Sydney ICC > For CFOs and Snr Finance leaders wishing to attend and register, visit: www.NSWCFOSymposium.com