Today, the mere threat of a breach can wipe out your business. The whistleblower saga at Twitter shows that after years of indifference, customers are sensitive even to rumors of data leaks. A few years ago, PR teams could cover up a small infraction and customers would accept it. A decade ago, massive data breaches made headlines, but customers stuck with the provider because they thought lightning couldn’t strike twice.
Times have changed, however, so how can you protect yourself…and even turn privacy and security into an advantage? The companies that win will opt for small steps, transparency and the right partners.
Ex-Twitter Exec Whistles
The Twitter whistleblower story will change the way the news industry reports on security and privacy going forward. Just as ransomware went mainstream with the Colonial Pipeline hack, security and privacy stories will become mainstream news. Even if your business isn’t as well-known as Twitter, the floodgates have opened.
Additionally, Twitter’s history demonstrates that you don’t have to be hacked to make headlines. Former Twitter Security Officer Peiter Zatko (aka Mudge) made headlines with his concerns about Twitter’s security and privacy policies and their enforcement. Although there have been well-known Twitter hacks, Zatko’s most powerful criticism concerns the state of Twitter’s security. In his nearly 200-page report to federal regulatory agencies and the Department of Justice, the most serious allegations are that Twitter provided regular employees with access to central controls and sensitive information without proper oversight.
It doesn’t matter if the accusations are true
If a journalist asked you “Who has access to your data?”, could you answer? Would you want to? You will be sentenced in the court of public opinion before you can defend your security posture. I don’t have any inside information on the Twitter case, but it doesn’t matter whether there were gross violations of standard security protocols. A large contingent already assumes this information to be true.
After so many high-profile breaches (Target, Adobe, Yahoo, etc.), companies are considered guilty until proven innocent. Unfortunately, it’s almost impossible to prove innocence, since you can’t prove a negative. Even if you could, by the time you had proven you weren’t hacked, the news machine would already have moved on. You can’t react quickly enough to counter rumors.
Why are customers so sensitive to privacy?
Everyone knows that companies collect large amounts of personal data. Clicking the GDPR-inspired “Track My Info” buttons may be a knee-jerk reaction, but we understand that we’re still being tracked. Customers accept that their suppliers keep their personal data, but they expect the company to protect that information.
Unfortunately, cybercriminals target customers’ personal information. Spoofing, spam, phishing, ransomware and more: the attacks are not merely theoretical. Everyone knows someone who has been affected.
With more data and more threats, every customer is susceptible to breaches. Corporate data breaches lead to fines, damaged reputations and loss of customer trust. Businesses are desperate to secure their data because it’s the difference between survival and failure.
How to protect yourself: Transparency
The only way to survive is to be transparent about the management of your data. Most organizations are reluctant to talk about security and privacy because they know there is a chasm between what they do and what they should be doing, but everyone is in the same position. Therefore, whoever steps into the light will immediately take the lead.
When you hold yourself publicly accountable, you must:
- Create a concrete and achievable plan. Focus on the most business-critical data and risk areas. Develop a short-term and long-term plan, so that your internal team and your external customers buy in.
- Establish regular public reviews. Most organizations review their position on security and privacy with executives and the board. Run this same review with the entire company so employees can participate and see that you care about the mission.
- Obtain certification. External auditors and certifications demonstrate that you are prepared to hold yourself to a high standard and that you are not hiding anything. No one likes being audited, but it keeps you honest.
Remember you’re never done
Threats and expectations are constantly evolving, so you must also continue to strengthen your security plan. Since most companies won’t give you an unlimited budget, you’ll need to plan how to do more with less.
- Unload the job: You don’t need to do all the work yourself. The days of “Do it Yourself” security are over. If you can get a service that covers the basics, you can focus your team on enterprise-specific security and privacy initiatives.
- Use savings to finance initiatives: Most teams look to vendors for better discounts rather than trying to reduce assets or overburden their own staff. Smart teams seek overall cost savings. For example, advances in security and privacy are expected to reduce cyber insurance premiums.
- Store less data: Most companies want to store all their data, messages and emails forever. Not only is this approach costly, but it also creates almost limitless legal and privacy risks. You need to help your sales teams understand the value of reducing retention periods.
The best way to start protecting your business reputation is to complete a single mission. Choose a set of data: a mission-critical application, your CRM system, or your backups. Find out who has access. Create a plan to make them safer. Then share that plan with your colleagues and hold yourself accountable.
Twitter’s security issues are all over the news. When even a rumor can destroy your business, now is not the time to wait for consultants and focus groups. Now is the time to make your part of the world a little better, every day. Shine a light on how you protect your data and your customers will trust you.