Consumers are the lifeblood of any business organisation, so it is important to protect their data, according to Thom Langford, chief information security officer (CISO) at Publicis Groupe.
“We need to ensure that security processes are embedded throughout the organisation, so that business data as well as customer data is protected,” he told Consumer Identity World Europe 2017 in Paris.
However, Langford said that, in the face of the current cyber security threats and the defence systems available, it is a good idea to ensure that any organisation is well prepared to deal with a breach.
“Research shows that it is taking organisations an average of 200 days to identify that a breach has taken place, more than two-thirds of organisations are being notified of a breach by a third party, and that many organisations are easily breached, some within just minutes,” he said.
These statistics, said Langford, underline the importance of embedding security processes throughout organisations, which is not only about technology but also about good communications.
It is important, he said, to communicate clearly, in a language that employees and consumers understand, about the role they play in data security and what the consequences will be for them if security is compromised, thereby encouraging them to make informed and correct security choices.
“Employees and consumers are more likely to change their behaviour if organisations highlight the consequences for them of data breaches and help them to understand that their actions matter,” said Langford.
“Weave a narrative around why it is important to protect data, why things such as two-factor authentication are being used and how data compromises will affect them, to build trust in your brand.”
Focus on detection and response
While security and security awareness are important, Langford said organisations need to recognise that, in spite of their best efforts, few will escape data breaches.
“It is equally as important to have a formal, practised cyber incident response plan, but the reality is that at present only around 20% to 25% of organisations have such plans in place,” he said.
According to Gartner data, around 80% of 2016 security budgets were allocated to protection, while only 10% was allocated to detection and 10% was allocated to response.
“This is pretty shocking, especially as cyber defences focused primarily on protection are about 15 years out of date because few organisations’ networks are accessible only on premise.
“Most organisations allow employees to access the network from wherever they are working, which means the perimeter is perforated to enable people to be more productive,” he said.
However, Gartner expects the approach to cyber security budget allocation to even out by 2020, with protection, detection and response each allocated roughly a third of the budget.
“Organisations need to ask themselves whether they are going to be one of the companies that are focusing enough on detection and response, which are essential to maintaining consumer trust,” said Langford.
“The first thing is to get an incident response plan together, then use it regularly for every incident so that it is continually exercised, tested and refined, then create a single incident response team that is responsible and informed,” he said.
According to Langford, communication and collaboration are extremely important when it comes to responding to cyber incidents.
“This is underlined by the fact that many of the organisations that have attracted negative headlines around data breaches are those that have failed in terms of communication, with some even telling lies about what has happened to their customers’ data.
“In the event of a breach, the goal should be to build trust so that after the breach consumer trust is increased, not diminished or destroyed,” he said.
Langford believes that a data breach presents an opportunity to build trust by being honest about what happened, why it happened and how it will affect customers.
“Apologise, be honest, be helpful and tell customers exactly how you are going to help them in the future. Embrace what has happened, because it is an opportunity to really shine,” he said.