- Security TWENTY
- Women in Security
Compliance is key to customer trust, says Dr Guy Bunker, pictured, Senior Vice President of Products, at data loss prevention product company Clearswift.
From monetary transactions and work emails to exercise routines and selfies, data is exchanged continuously. The sharing of information has become the lifeblood of our everyday lives. Hand-in-hand with this has been the rise in the value of data to businesses. The acquisition of data, which is then conjoined with additional data, is the driving force behind marketing activity, allowing marketers to target individuals on an advanced level through profiles of their data selves. Those individuals may be seen in their professional or their consumer profiles, the blurred line making it possible to target people from either angle to get to the right persona.
The recent Cambridge Analytica revelations have brought to light just how powerful capturing personal data is and how it can have a profound influence when used in ways that had never been foreseen when it was first collected. High-profile stories like this bring into question what exactly businesses can do with personal data and how intrusive it can be. While it was Cambridge Analytica who were at fault, the blame has remained with Facebook as they haven’t looked after their users’ data properly.
The move to delete profiles from Facebook is demonstrative of the attitude being seen on a global basis – people are happy to adopt a laissez faire attitude to their data until the day of a breach, when there is a backlash and consumers demand action to protect their information. This behaviour is backed up by recent findings from Clearswift research which reveals that while 40 per cent of people do not think about how their data is stored, they begin to care when their personal information is compromised, with 85pc arguing that companies are not being punished enough for data breaches. This new understanding is driving a noticeable change in attitude towards data sharing and consent.
In a world where you are linked to your data with every move, people want to be reassured that their information is safe at all times. If it is stolen or compromised, organisations need to be able to show they are doing everything in their power to minimise the impact to the individual and further secure their data. With almost half (49%) of respondents saying that they trust organisations to store their data, this is further evidence that people only start to care when the trust is broken.
GDPR has been talked about extensively over the past year and, as the deadline is fast approaching, people are starting to take notice of the changes that will be implemented and becoming savvier as to what their rights are. Already there are signs that compensation claims for GDPR infringement will take over from PPI claims in the near future. GDPR makes it explicit that data protection is in the hands of the businesses that store it, including any secondary or tertiary holders of that information, so people are now looking to organisations to prove that they have adequate protection to stop security breaches from happening. The same is true for other organisations in the information supply chain, working with a business who has protective measures in place to handle information securely is more favourable than those who don’t. From this perspective, compliance will create business advantage.
Compliance is not just about technology, it needs to begin with people.
The first thing to consider is evolving an information security conscious workforce. Educating employees – in all departments and at all levels, from the CEO to the cleaner – about how to safeguard personal or sensitive information, why it’s integral to compliance and the ramifications of a breach. Introducing regular communications and training sessions around GDPR will help drive an information security culture across the business and lower the risk of a data breach. Sessions should include how and where to safely store this data, how to safely share it across different platforms, how to recognise and what to do if there is an issue.
Processes and policies
Secondly, there must be policies and processes put in place that demonstrate the organisation is doing everything it can to protect personal data. Many organisations don’t know what data they have, where it is held, who has access and how. Being able to answer these questions is essential to protect the data in an effective manner. A data discovery exercise will help the business gain visibility and understanding into flows in and out of the organisation as well as where the information is held. There also needs to be a process around handling a data breach to ensure the strict GDPR notification requirements are met. Publishing policies ensures there remains a level of trust via transparency with customers.
Technology should be used to enforce policies and processes and to keep people safe. Not just customers, but employees as well. It should be used to close any identified security gaps as well as improve efficiency around processes. For example, finding information as part of a ‘right to be forgotten’ request would be extremely tedious and time consuming without some technology to help. Basic measures including anti-virus and regular patching of the OS and applications are still essential, but these can be augmented with other solutions. The next generation of adaptive data loss prevention technologies will also mitigate data breaches, scanning emails and documents for sensitive information and automatically redacting it – both from inbound as well as the outbound communications. Clearswift research reveals 27pc of employees have received an email in error with personal data attached. Under GDPR, unauthorised information arriving into an organisation can be just as problematic as that leaving.
Unfortunately, data breaches impact organisations of all sizes and across all verticals and have almost become a case of ‘when’ not ‘if’. Preparation for a breach ensures that businesses are in a good position to react should an event happen and will be able to show what measures were put in place to protect customers’ data.
Transparency on compliance and high-level security measures will help the general public as well as partners and suppliers recognise that businesses have their best interests in mind. This will build trust, which in turn will give businesses a competitive edge at a time when people have become cynical about how organisations are managing and protecting their data.