Why brands must make data security part of their mindset
With the GDPR deadline looming and consumers’ mobile activity creating more data every day, people’s trust is now heavily dependent on how brands protect their data, says Braze co-founder Jon Hyman.
Modern life is creating a flood of information – 16 trillion gigabytes of data were created in 2016 alone, and that number is expected to rise tenfold by 2025. Mobile devices allow brands to gather more nuanced customer data than ever before, providing actionable insights into what people value and how they engage, the kinds of insights that strong customer relationships are built on.
But these relationships are also built on trust: your customers’ trust that you’ll keep their data safe and private and use it responsibly. To earn that trust, you need a security philosophy, a plan to identify and address security needs, and a clear roadmap.
Putting privacy and security at the core of your business
Keeping data private means being vigilant about managing access to information and ensuring that you always understand where data is coming from and when it can and cannot be used. That is much easier if you emphasise data privacy and security across your organisation from the very start. In turn, strong security requires a smart development process – if your company is pushing out code that isn’t being adequately reviewed, that is just as big a security risk as lacking traditional safeguards like firewalls and virus protection.
Demonstrating a commitment to security and privacy, step by step
Securing your data is essential, but it’s just as important to demonstrate to customers and partners that your data security house is in order. To get there, consider putting together a security attestation roadmap featuring some of these common certifications and actions:
- Engage a security vendor to carry out digital security audits and penetration tests
- Evaluate security controls against the SANS Institute’s Cybersecurity Risk Framework
- Implement the US’s Health Insurance Portability and Accountability Act (HIPAA) data privacy and security rules
- Complete a SOC 2 Type 1 service organisation control examination, which reports on whether the controls you have designed are suitable to protect systems against unauthorised access at a point in time (a Type 2 examination goes further and tests that those controls actually operated over a review period)
- Update data policies and contracts with technical partners to ensure material compliance with the EU’s General Data Protection Regulation (GDPR) by 25 May 2018
Some of these steps can be accomplished in a matter of weeks; others, such as the SOC 2 examination, can take more than 18 months from start to finish. At Braze, we see a SOC 2 attestation as the gold standard because it touches practically every element of security: physical infrastructure, software safeguards, the procedures a company has in place, and the people given access to its systems. That makes it a major investment in time and resources, but a key one for our business.
Find the certifications that are key for your business, invest in expert legal and security guidance, and you can level up your data privacy and security, while showcasing your commitment to data protection.
How to embrace privacy and security in practice
To know what to focus on, take a holistic view of your organisation, and use that understanding to complete your security risk assessment.
For digital security, embrace traditional measures like firewalls, encryption, and virus scanners (and two-factor authentication and IP allowlisting, for that matter) to prevent unauthorised access. But digital security isn’t just about keeping data safe from outside intruders; it also means using role and permission management to ensure that the right members of your team have access to exactly what their job requires – and no one else.
Physical security matters, too. You can have world-class cybersecurity protections, but if you don’t secure your company’s physical assets (installing security cameras, requiring ID badges, keeping maintenance logs, making sure that guests cannot roam around your offices unescorted) you are not really securing your data.
Security is not just about safeguards; policies and processes matter, too. Role-based permissioning cannot work effectively, for instance, without a process for terminating access when employees leave the company or change roles, and for checking that the termination actually happened. And if your brand shares customer data with technical partners, you need to fully understand their security measures.
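The two paragraphs above (deny-by-default access with an IP allowlist, and the offboarding process that role-based permissioning depends on) can be made concrete in a few lines. The following is an added example written for this page, not Braze’s code: the roles, permissions, user names and IP ranges are hypothetical, and the "HR active list" stands in for whatever system of record your leavers process uses. The point it demonstrates is that a role check alone passes a departed employee's account until access is actually revoked, and that an audit comparing the directory against the HR list catches the gap.

```python
"""Role-based permission check with an IP allowlist, plus offboarding.

Added illustration (hypothetical names, roles and addresses), not code
from the original article.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Role -> permissions it grants. Anything not listed here is denied.
ROLE_PERMISSIONS = {
    "support": {"customer:read"},
    "engineer": {"customer:read", "deploy:write"},
    "data_admin": {"customer:read", "customer:export", "customer:delete"},
}

# Hypothetical office / VPN egress ranges allowed to reach the admin console.
ALLOWED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]


@dataclass
class Account:
    user: str
    roles: set = field(default_factory=set)
    active: bool = True


def check_access(account, permission, source_ip):
    """Return (allowed, reason). Every check must pass; the default is deny."""
    if not account.active:
        return False, "account disabled"
    if not any(ip_address(source_ip) in net for net in ALLOWED_NETWORKS):
        return False, "source IP not allowlisted"
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in account.roles))
    if permission not in granted:
        return False, f"role(s) {sorted(account.roles)} lack {permission}"
    return True, "ok"


def offboard(directory, user):
    """Terminate access: disable the account and strip every role from it."""
    acct = directory[user]
    acct.active = False
    acct.roles.clear()
    return acct


def find_stale_access(directory, hr_active_users):
    """Audit: accounts that still carry access but belong to someone HR says has left."""
    return sorted(
        u for u, a in directory.items() if (a.active or a.roles) and u not in hr_active_users
    )


def demo():
    # Constructed directory: carol has left the company but was never offboarded.
    directory = {
        "alice": Account("alice", {"data_admin"}),
        "bob": Account("bob", {"support"}),
        "carol": Account("carol", {"engineer"}),
    }
    hr_active = {"alice", "bob"}

    results = {}
    # Right role, allowlisted network: allowed.
    results["alice_export_office"] = check_access(directory["alice"], "customer:export", "203.0.113.10")
    # Wrong role for the action: denied even from the office.
    results["bob_export_office"] = check_access(directory["bob"], "customer:export", "203.0.113.10")
    # Right role, but from a non-allowlisted address: denied.
    results["alice_export_cafe"] = check_access(directory["alice"], "customer:export", "192.0.2.7")
    # The role check alone still lets carol deploy: this is the gap the process must close.
    results["carol_deploy_before"] = check_access(directory["carol"], "deploy:write", "203.0.113.10")
    results["stale_before"] = find_stale_access(directory, hr_active)

    offboard(directory, "carol")
    results["carol_deploy_after"] = check_access(directory["carol"], "deploy:write", "203.0.113.10")
    results["stale_after"] = find_stale_access(directory, hr_active)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script prints each decision with its reason; the `stale_before` line is the audit finding that a leavers process should produce before anyone notices the orphaned account.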
Privacy and security – it’s a journey
True security does not stand still. Technology keeps shifting, new threats keep cropping up, and last year’s secure system may suffer from previously unknown vulnerabilities today. Stay ahead of the curve by keeping security and privacy in mind every day, instituting strong processes, staying alert to the changing security landscape, and choosing partners with the same mindset.
To dig a little deeper, check out #NoFilter: Braze on Security.
Jon Hyman is co-founder and CTO at Braze, formerly Appboy.