Showing posts with label Data Security. Show all posts

Wednesday, March 31, 2021

Digital Trust

While consumers have happily shared personal data on social platforms in return for greater connectivity and shared experiences, recent news about data harvesting has caused alarm. Many companies that rely on consumer insight are rethinking how to build digital trust and make it sustainable.

In a study of 25,000 consumers across 33 countries, a large majority of U.S. consumers (92%) say it’s extremely important that companies protect their personal information. Another 79% say it’s frustrating to realize that some companies cannot be trusted to use it appropriately. Lack of trust is one of the biggest reasons consumers switch companies.

And with the General Data Protection Regulation (GDPR), a regulation intended to strengthen data protection for EU citizens and let individuals decide which brands can use their personal data, good data stewardship is becoming critical to the success of every business globally.

The Importance of Insight

The ability to process personal data is critical to business in the digital age. Data-driven organizations rely on customer insights to help inform the development and design of products and services, the overall customer experience, and marketing strategy. From demographics to personal preferences, customer data allows companies to deliver hyper-relevant products, services, and experiences.

Some companies have built entire business models around the sale of anonymized personal data. Technology is creating opportunities for businesses to understand their customers on a deeper level and monetize this knowledge. Biometric, visual, genomic, and device data can allow ever-increasing degrees of personalization.

Personal data is a currency no business can afford to risk.

Earning Digital Trust

To earn digital trust, organizations' leaders have to eliminate anything that jeopardizes it. Companies looking to future-proof their customer data supply should take these measures:

• Deliver on their commitments. 83% of U.S. consumers say it’s extremely frustrating when companies promise one thing but deliver another. An organization’s commitment to delivering promised experiences and meeting customers’ expectations is paramount to earning trust. Successful companies understand their baseline level of trust and eliminate issues or offers that detract from that trust. Otherwise they must reset their parameters.

• Establish rigorous governance. The only way trust can become sustainable is by establishing a rigorous process and a robust, cross-functional governance structure to continuously measure trust and hyper-relevant effectiveness and to act on the findings. Please see our posts on information governance.

• Give customers full control over their data. As customers demand greater control over how companies use their personal information, organizations must become more transparent. Customers must be given full access to, and control over, their data, which will demonstrate responsible stewardship and ethics. Furthermore, organizations must ensure that the appropriate safeguards are in place to protect it.

Some companies may look to adjust their profit models and potentially charge for services (i.e., “pay for privacy”) so customers are explicitly aware of the value being exchanged. That way companies could make money on direct interactions with customers as opposed to the derivatives of those interactions (i.e., selling insights or advertising). Or they could move from an information exchange relationship to a more classic view of understanding what customers need and having them pay for it.

More companies will undoubtedly assess their existing propositions and the economic viability of new models. But the question remains as to whether the underlying information and experience will become something that is merely expected, rather than something that customers would be willing to pay for.

The Path Forward

Digital trust is only sustainable when companies establish a rigorous process and governance structure. Most importantly, digital trust must be managed as the critical growth enabler it is. Companies will inevitably look to capture new categories of customer data, such as biometric, geolocation, and even genomic data, in their drive for greater relevance. Customers' concerns will inevitably rise, so it’s critical that companies have strong data security and privacy measures in place, give customers full control over their data, and, crucially, are transparent about how they use it.

We have successfully implemented data security and data privacy in many organizations. Please contact us today for a free consultation.

Friday, June 29, 2018

Information Security

Data is not just critical to business; it is core. It is the essence of a company’s function. Big data is a major part of that flow, and the more customer data that is out there, the more it needs protection.

As big data gathers momentum, incorporating security into planning and processes in the early stages of a project is becoming more important. The big data revolution is just getting started and will present major security challenges if its data management is not carefully planned.

Formerly the exclusive domain of IT, information security has now become the domain of everybody, including content and knowledge managers.

Major retailers and government agencies have suffered data breaches, denials of service and destructive intrusions. Millions of individuals have been affected, and organizations are now forced to devote more resources to prevention and remediation. Everyone in a company, from consumers to CEOs, has become acutely aware of the hazards of failing to protect information.

Every business user and anyone accessing data needs to be aware of these hazards. The advent of the mobile worker and the proliferation of cloud technology have added a new dimension.

People want to run their businesses on a tablet, and they can do that, but information managers need to understand how to do it safely. Much of the data in an enterprise exists only at endpoints, which increasingly are mobile devices.

According to a study by IDC, 75% of the U.S. workforce is mobile, with most of those employees having more than one mobile device. But those devices are at risk: about 5 to 10% of laptops are lost each year, according to a study from Ponemon Institute, and about one-third of them contain unencrypted sensitive or confidential data. In another study, one in six respondents reported having a mobile device lost, stolen or destroyed. In addition, a lot of intellectual property is stored on mobile devices, and in the event of litigation, the company has to be able to locate it.

Despite the convenience of mobile devices, their use creates well-recognized conflicts with security, especially in the face of increased frequency of BYOD (Bring Your Own Device).

Even when users hold onto their devices, security is far from guaranteed. Data is becoming more dispersed and fragmented. Even when companies do not know where the data is flowing, they still have an obligation to protect it. Information sharing is the norm rather than the exception today, both among employees within an organization and with outside organizations.

Along with mobile devices, the supply chain is a point of vulnerability. Once supply chain information leaves your organization, you don’t know what is being shared and what is being protected. Tracking it is a massive task and has often been managed by departments well outside of IT, such as procurement. It’s not just information about material goods that enters the supply chain; intellectual property associated with the products also goes to third-party suppliers. Information, such as patent data or formulas for pharmaceuticals, is shared with lawyers and accountants.

Analyzing the risks to information in the supply chain can help focus resources on mission-critical data. Companies should work with their vendors to ascertain how they are protecting information, and to consider putting security requirements into the contracts they write with suppliers.

Business and IT should start with a conversation to explain what protection the company has in place and what measures are being taken. Then, the business side can work with IT to develop business cases based on the impact of their operations and illustrate the ROI for protection of their functions. That can help IT by showing the costs of downtime and clarifying what needs to be protected.

Technology can help overcome security problems. For example, an application can provide continuous backup without users knowing that it is running. It can also enforce encryption without the user’s awareness and remotely wipe laptops to clear the data. There are products that focus on encryption and tokenization, to secure the data itself rather than the network environment. Tokenization provides visibility into the flow of data without putting the data at risk.
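How tokenization gives visibility into a data flow without exposing the data, as an added example that is not from the original post or from any vendor's product: the `TokenVault` class, the `trace_flow` helper, the caller and system names, and the token format are assumptions made for illustration, and the card number is a constructed test value.

```python
import secrets

class TokenVault:
    """In-memory stand-in for a token vault (hypothetical; a real vault is a
    hardened, access-controlled service with its own audit trail)."""

    def __init__(self, authorized_callers):
        self._authorized = set(authorized_callers)
        self._token_for = {}   # card number -> token
        self._value_for = {}   # token -> card number

    def tokenize(self, card_number):
        digits = "".join(ch for ch in card_number if ch not in " -")
        if not (digits.isascii() and digits.isdigit() and 13 <= len(digits) <= 19):
            raise ValueError("not a card number")
        if digits not in self._token_for:
            # Random token: nothing about the card can be derived from it.
            # Only the last four digits are kept for display purposes.
            token = f"tok_{secrets.token_hex(8)}_{digits[-4:]}"
            while token in self._value_for:
                token = f"tok_{secrets.token_hex(8)}_{digits[-4:]}"
            self._token_for[digits] = token
            self._value_for[token] = digits
        # Same card always maps to the same token, so flows can be correlated.
        return self._token_for[digits]

    def detokenize(self, token, caller):
        if caller not in self._authorized:
            raise PermissionError(f"{caller} may not detokenize")
        return self._value_for[token]

def trace_flow(events):
    """Group (system, token) events by token: which systems handled each card."""
    seen = {}
    for system, token in events:
        seen.setdefault(token, []).append(system)
    return seen

if __name__ == "__main__":
    vault = TokenVault(authorized_callers={"payment_gateway"})
    token = vault.tokenize("4111 1111 1111 1111")  # constructed test number
    # Downstream systems store and log only the token.
    events = [("web_checkout", token), ("order_db", token), ("analytics", token)]
    print(trace_flow(events))
    print(vault.detokenize(token, "payment_gateway"))
```
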

A new product called Protegrity Avatar for Hortonworks is designed to secure individual data elements while managing and monitoring the data flow in Hortonworks, an enterprise Hadoop data platform.

In most cases, organizations need to deploy more than one security solution, because the threats are many and varied. Most companies use a best-of-breed strategy, picking out the strongest solutions for their needs.

Data security is about data protection, but it is also about continuity and availability. Protecting information with technology is important, but it is not a substitute for information governance within a company.

Achieving the right balance between business needs and information security requires a fundamental shift in attitude. Rather than thinking of data as something a company owns, business owners need to come to terms with the fact that they are custodians of data that needs to flow and be managed.

A legislative proposal announced by the White House in mid-January is designed to increase data security by promoting information sharing, strengthening law enforcement for cyber crimes and requiring that data breaches be reported promptly.

Companies have been concerned about information sharing because of the risk of liability for violating individuals’ privacy. The bill addresses that issue by requiring compliance with privacy guidelines, including removal of unnecessary personal information. The legislation would simplify and standardize the requirements for reporting data breaches. Currently, the laws exist at the state level, but not all states have them, and those that exist are not consistent.

Whether defending their website from intrusions, keeping applications running or protecting data elements, organizations are faced with an increasing number of threats and a complex security environment. Awareness at every level of the extended enterprise will be essential to minimizing the adverse impact of security incidents.

Galaxy Consulting has 18 years of experience in information security and governance. Please call us for a free consultation.

Monday, February 29, 2016

Data Security

Data security should be a priority in your organization.

For hackers, large-scale data breaches such as Home Depot, Neiman Marcus, and Staples are gold mines. For businesses, keeping valuable customer data out of the hands of cyber-thieves is a constant battle. Companies need to safeguard against every possible vulnerability across their entire infrastructure.

In 2014, the total number of reported data breaches in the United States hit a record high of 783, averaging about 15 per week, based on information compiled by the Identity Theft Resource Center (ITRC).

Companies, on average, can expect to encounter 17 malicious codes, 12 sustained probes, and 10 unauthorized access incidents each month, according to research from the Ponemon Institute, a provider of independent research on privacy, data protection, and information security policy.

Despite the growing number of attacks, many companies are still not doing nearly enough to secure their customers' personal and financial information. For many companies, the wake-up call only comes after they have fallen victim to a large-scale, high-profile breach.

Forrester Research noted that outside of banking and national defense, many industries are "woefully immature" when it comes to making the necessary investments in data breach protection, detection, and response.

This prompted Forrester to conclude that most enterprises will not be able to respond to a data breach without undermining their customers' trust or dragging their own corporate reputations through the mud.

Companies need to prevent data breaches from happening. They need to have an incident response and crisis management plan in place. Efficient response to the breach and containment of the damage has been shown to reduce the cost of breaches significantly and goes a long way toward reassuring customers who might have been thrown into a panic.

The first step toward that goal is having a high-level company executive who is responsible for data security. The key to addressing information security is first understanding what customer information is stored in company databases. Create a data inventory and determine what data is sensitive. Then segment out the sensitive and nonsensitive data.

Systematically purge the data that your organization no longer needs.

Take an inventory of all of your IT assets and business processes and analyze them for vulnerabilities that could expose sensitive data, for example, cardholder data. The next step is to fix those vulnerabilities. This assessment should be performed at least once a year. Make sure that the company's data security program meets industry best practices, government regulations, and the company's business objectives.

Make sure your web site uses encryption for processing customers' data. Once your company no longer needs customer data, such as payment cards or any other personal information, it should be securely deleted.

It is crucial for companies to segment data so that a breach in one file does not open other data repositories.

Companies should use Internet firewalls at all times, keep their operating systems and other business software up to date, and install and maintain antivirus and anti-spyware programs. Because many companies allow employees to use their own mobile devices, including smartphones, tablets, and laptops for business, these devices should be protected in the same way. Limit some company applications and data so that employees can't access them from unsecured mobile devices.

It is extremely important that companies limit data access to those employees who need it by setting up appropriate security permissions in their data systems. You can put data logging in place, with alarms for when something happens out of the ordinary. This way you will know when someone is doing something with the data that does not coincide with their job description.
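One way to implement the logging-with-alarms check described above, as an added example that is not part of the original post: the log format, the role names, the permission map and the daily read limit are all assumptions, and the log lines are constructed sample data.

```python
from collections import Counter
from datetime import datetime

# Hypothetical mapping of job roles to the datasets they need (assumption).
ROLE_PERMISSIONS = {
    "support_agent": {"tickets", "customer_contact"},
    "billing_clerk": {"invoices", "payment_cards"},
    "analyst": {"sales_aggregates"},
}
# Assumed threshold: records one user may read per dataset per day.
DAILY_READ_LIMIT = 500

# Constructed sample log: timestamp, user, role, dataset, records read.
SAMPLE_LOG = """\
2016-02-29T09:12:03 alice support_agent tickets 14
2016-02-29T09:40:51 bob billing_clerk payment_cards 120
2016-02-29T10:05:17 alice support_agent payment_cards 3
2016-02-29T11:22:40 bob billing_clerk payment_cards 450
2016-02-29T23:58:09 carol analyst sales_aggregates 20
not a valid line
"""

def parse_line(line):
    """Return (timestamp, user, role, dataset, count) or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, user, role, dataset, count = parts
    try:
        return datetime.fromisoformat(ts), user, role, dataset, int(count)
    except ValueError:
        return None

def audit(log_text):
    """Return alarms as (line number, kind, detail) tuples."""
    alarms, daily = [], Counter()
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            # A gap in the audit trail is itself worth an alarm.
            alarms.append((n, "unparseable", line.strip()))
            continue
        ts, user, role, dataset, count = rec
        # Access that does not match the job description (unknown roles too).
        if dataset not in ROLE_PERMISSIONS.get(role, set()):
            alarms.append((n, "outside_role", f"{user} ({role}) read {dataset}"))
        # Permitted access in unusual volume; alarm once, when the limit is crossed.
        key = (user, dataset, ts.date())
        before = daily[key]
        daily[key] += count
        if before <= DAILY_READ_LIMIT < daily[key]:
            alarms.append((n, "volume", f"{user} read {daily[key]} {dataset} records"))
    return alarms

if __name__ == "__main__":
    for alarm in audit(SAMPLE_LOG):
        print(alarm)
```
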

Contact centers are vulnerable to hackers. Hackers use interactive voice response (IVR) systems for surveillance and data-gathering as a precursor to phishing schemes with agents, who are unwittingly coaxed into giving out sensitive information to unauthorized callers. In most cases, the call center agents are tricked by skilled fraudsters who use a variety of social engineering techniques to get them to break normal security procedures. The only real defense is proper training and protocols.

As many as 35% of data breaches have started with basic human error, such as sending an email with personal information to the wrong person or storing company files on laptops or tablets that were lost or stolen.

Even worse than careless employees or outside hackers, though, are the contact center agents who knowingly engage in illegal activities, using their jobs to gain access to information that they can sell or use on their own.

To help contact centers deal with this threat, call center technology can completely prevent skimming by agents. At the point in the transaction where the agent needs to collect the credit card information, systems can automatically pause recordings. With other solutions, the call can be transferred to an IVR system. Agent-assisted solutions can allow agents to collect credit card information without ever seeing or hearing it. The agent remains on the phone and customers enter their credit card information directly into the system using their phones' keypads. The standard dual-tone multi-frequency tones are converted to monotones so the agent cannot recognize them and they cannot be recorded.

In this environment, contact center managers and other employees need to be trained to spot at-risk employee behaviors. Training alone, though, is not enough. Employees need to know that there will be serious repercussions for violations of company practices and security protocols. Companies need to have a clearly defined formal policy so that employees know if they violate it, there are consequences that they will have to face.

Data security, therefore, has to be a business-wide endeavor. IT professionals, company executives, and employees at every level must work together to protect critical data assets from internal and external threats. Companies need to foster a security-aware culture in which protecting data is a normal and natural part of everyone's job.

Data security is also a constant game of what-ifs. The only certainty is that cyber-criminals will never stop learning and sharing information that will help them to get into high-profile targets. They will never stop trying to break into corporate databases. The information is just too valuable on the black market. The key is to make sure that you are not leaving the front door open for hackers to get in.

Galaxy Consulting has 16 years of experience protecting organizations' data. We have done it for many companies. We can do the same for you! Contact us today for a free consultation!