By: Matt Lindley, CISO at NINJIO
Despite the fact that massive data breaches and companies’ privacy practices have become fixtures in the headlines, the vast majority of people still have no idea how their sensitive personal information is collected, used, and shared. But consumers have a right to know what companies are doing with their data, while companies have every incentive to establish trust by observing strict controls in their methods of data collection, processing, and management – and being transparent about those methods.
This is why Data Privacy Week (January 24 to 28) exists: to “empower individuals and business to respect privacy, safeguard data and enable trust.” There’s significant overlap between a company’s privacy and cybersecurity platforms, which is why improving one invariably strengthens the other. And there are several ways companies can dramatically improve their posture on both fronts, from the formalization and centralization of their data management processes to the maintenance of a robust cybersecurity training platform.
With Data Privacy Week quickly approaching, this is an ideal time to consider best practices around privacy and security, as well as the reasons this conversation is more urgent and consequential than ever.
Addressing a trust crisis among consumers
Recall that one of the key priorities of Data Privacy Week is to “enable trust” between the entities that collect data and those whose information is being gathered. The need for greater trust is especially pressing for companies considering the widespread anxiety among consumers about how their information is being handled. This can have a harmful effect on customer experience, loyalty, and ultimately retention.
According to a survey conducted by Pew Research Center, 81 percent of American adults say they have “very little or no control” over the data companies collect, and the same proportion believe the potential risks of companies collecting their data outweigh the benefits. Meanwhile, 79 percent report that they’re concerned about how companies are using their data. These numbers should be jarring to any organization that collects, stores, and uses consumer data – a description that applies to a wider and wider range of organizations. While laws such as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have given companies a regulatory framework to guide their cybersecurity and privacy practices, it’s up to companies themselves to develop a culture of security awareness and make responsible data management central to their strategy.
While the magnitude of this trust deficit is daunting, the good news is that there are many proven strategies for ensuring that consumer data remains both private and secure, such as cybersecurity training. When companies deploy these strategies, they’ll strengthen their defenses against cyberattacks (thereby reducing the risk of a crippling data breach), inspire confidence in their data management practices, and earn the trust of their customers.
How cybersecurity training keeps data safe and private
Data privacy and cybersecurity should always be addressed in conjunction with one another, and security awareness training is a critical component of these efforts. Nothing illustrates this point better than the fact that 85 percent of the data breaches analyzed in Verizon’s 2021 Data Breach Investigations Report “involved a human element.” According to IBM’s Cost of a Data Breach Report, 80 percent of breaches – which cost companies an average of $4.24 million – include records containing customers’ personally identifiable information.
Human beings are implicated in the vast majority of breaches, most of which involve consumer data. This is why, for the sake of both privacy and security, it’s necessary for employees to be capable of preventing threat actors from launching successful attacks and gaining access to the company’s networks and systems. There are many ways companies can develop this capability in their workforces, such as training programs that teach employees how to identify the most common cyberattacks; phishing tests that determine whether or not they can spot fraudulent emails, text messages, and other digital communications; and policies that encourage them to report potentially suspicious activity right away.
When it comes to protecting consumer data and keeping it private, a cyber aware culture is one of the most valuable assets companies have. Companies can develop this culture by making cybersecurity training an integral part of all their digital operations.
Building a comprehensive data privacy and security platform
In keeping with our theme of privacy and security integration, let’s take a look at several other best practices that can help companies develop more coherent, comprehensive, and secure data management platforms that will earn the trust of their customers.
- Focus on transparency. It’s impossible for consumers to trust your company to manage their data responsibly if they don’t even know what your privacy and security policies are. All companies should publish those policies online – consumers need to know how and why you’re collecting and storing their data, whether you’re sharing it with third parties, and what rights they have.
- Have an emergency plan in place. Even when companies are responsible stewards of their customers’ data, they’ll never reduce the possibility of a cyberattack or a breach to zero. It takes companies an average of 287 days to identify and contain a data breach, which is a stark reminder that companies need to know what they’ll do to mitigate the consequences when breaches occur.
- Ensure alignment across departments and teams. Just as your consumer-facing privacy and security policies should be immediately accessible by all stakeholders, your employees should know exactly what the company’s internal policies and procedures are. This means familiarizing them with cybersecurity best practices, establishing clear channels of communication (to report potential breaches, for instance), and consistently assessing their knowledge of cyberthreats and countermeasures.
- Regularly assess where and how you store and protect data. Employees often circumvent security systems so they can use unauthorized devices, but this means data can end up stored in insecure locations that companies may not even know about. Companies should institute regular reviews and training to ensure alignment around data storage and management practices.
At a time when companies are increasingly reliant upon consumers’ personal data, they have a responsibility to keep that data secure. Data Privacy Week is a good opportunity to focus on all the ways companies can meet that responsibility and build trust with their customers.
Matt Lindley is the COO and CISO of NINJIO, and he has more than a decade and a half of experience in the cybersecurity space. Prior to NINJIO, Matt was the CEO of REIN Cybersecurity, LLC., the senior technology manager and director of security services as Cal Net Technology Group, and the virtual CIO at Convergence Networks. He has held many other leadership positions in the industry, and he’s an authority on IT, security, and a range of other issues.