Only nine per cent of consumers have faith in brands to keep their data secure, marking a 10-year low in consumer trust, according to a report by Fujitsu, published in December 2013. And it seems that consumers are justified in being wary considering recent, well-publicised data breaches such as those at Barclays, when thousands of confidential files with customer details were reportedly stolen and sold; and at Tesco, when over 2,000 Tesco.com customer accounts were hacked and their details posted online.
George Gee, head of CRM at restaurant reservation service Bookatable, says: “Tesco and Barclays are huge organisations, so to a certain extent, if they are not getting it right or if there are security risks within their processes, it just shows how complex this issue is.”
The sheer volume of data being processed is also cause for concern. Trading on Nasdaq stopped for three hours last year after a system outage, with some experts suggesting a cost of $100m a minute.
Ernst & Young’s global annual security survey in 2013 suggested that there are two types of company – one that knows it has been the subject of a cyber breach and one that is yet to find out. “It is almost an inevitability – a case of ‘when’ rather than ‘if’,” says Mark Brown, a director in information security at Ernst & Young UK & Ireland.
“It is why the UK government initiated a programme, the Cyber Governance Health Check, initially targeting the FTSE 350 to get cyber security on to the boardroom agenda and recognised as a strategic business risk and not just something to be devolved to the IT department.”
The NSPCC’s work with the victims of child abuse means that it holds data which has the potential to put children and families at risk, so data security is critical. The charity’s data protection manager Penny Champion reinforces Brown’s point that data security needs to be treated as a wider business issue.
“Make sure data security is not the concern of only IT or legal but everyone and that they take it seriously and see it as their duty. Staff training has to explain why it matters and should be seen by the marketing team as a business enabler rather than a chore that gets in the way of their work.”
A key part of this recognition lies in implementing data security training beyond the people who handle data. “It’s about the people who work with the people who handle data too, who could pose some sort of security risk,” says Gee. “It goes beyond data scientists to others in the team and it builds confidence by sharing best practice.”
Bookatable’s wider marketing team receives data security training, as well as those employees who need to know certain information about the company’s customers. “Within a small group we are data secure but once you go outside that people don’t necessarily understand what they need to do or how they need to protect that information.
“Obviously, our IT department has processes in place around security on laptops and computers for example, but human error will always be a factor in these situations and organisations need to limit that.”
Bookatable has stepped up investment in its data security, in part by committing to a new customer database, which is managed by US-based eBay Enterprise. Bookatable collects personal customer information such as name, address and email address as well as information regarding the types of bookings customers have made and the type of restaurants and cuisine they like.
“That information is held in our eBay Enterprise database and we are very secure in terms of who has access to that data – they are people within customer relationship management (CRM) or they are data scientists,” says Gee. “It is a very strict policy.”
He adds that a lot of the training is around housekeeping, such as ensuring that any data that is held or exported is password protected and if it is shared, it is done securely. “We don’t hold masses of data on our servers – if we’re not using it, it gets removed.
“It limits our risk because our database is where data should be held. It is about addressing human error – your systems can be as secure as possible but, ultimately, if someone decides to email a bit of data to someone, then that [system] is flawed.”
As Champion explains, 90 per cent of the NSPCC’s income comes from the public, so it must ensure that when people entrust the organisation with their personal details, they are only shared on a need-to-know basis. If the NSPCC is undertaking a marketing campaign, it limits the number of employees who have access to supporter data in order to minimise risk.
“We also need to ensure that any companies contracted to undertake activities on our behalf, such as telephone fundraising, are as rigorous in their data security as we are,” says Champion.
She adds that one of the biggest risks is a rogue employee or volunteer. “If someone is determined to do your business harm, that is very difficult to prevent. But simple things like ensuring that every employee uses a unique password and regularly changes those passwords can go a long way.”
Passwords are an important, and changing, area. PayPal has 143 million customers and all use a password to make purchases. As part of the FIDO Alliance (Fast Identity Online), the company is working to change the way online security checks are carried out.
PayPal PR director UK and Ireland Rob Skinner says companies need to start thinking beyond the password. “It has been a key part of account security since the web was created but we are probably in an era where not too far into the future, the password will be consigned to history.
“We are thinking broadly about the fact that while security is top priority, we are also evolving the customer experience and finding new ways to keep customers and data secure.” Embedded fingerprint scanners on mobile phones and USB tokens are two methods that are being looked at.
As Alastair Barter, a senior policy officer at the Information Commissioner’s Office, says, a lot of the breaches he sees are not technical, and weak passwords are one common culprit.
“There is a temptation to look at information security as a highly technical area and often it sits within the IT department of organisations, but really it is more of a cultural issue, and if you can get the culture right across the organisation, then you can start to make real strides.”
He adds that getting senior support is critical. “It is important that it goes high up in the organisation – the higher up, the better. If the chief executive understands and is in tune with data protection – not just personal information but all the information that the company holds – then the company will be better positioned to defend itself against risk.”
He touches on an important point – while investing in data security is paramount, having a crisis management plan in place for ‘when’ not ‘if’ is also key. Brown says: “The important thing for a business is how it responds when that inevitable incident happens, so it can move beyond dealing with the incident from an operational perspective to making sure that any negative press reporting around a breach is minimised by proactively communicating with customers to reassure them that the company is on top of the incident.”
Data security used to be synonymous with compliance rather than risk management, but companies are waking up to the issue as part of the overall business value chain. As Champion says, it should not be dismissed as red tape or seen as an optional extra. “Getting it wrong can be disastrous for your customer relationships and – even more important – can cause people to suffer real distress if their personal information falls into the wrong hands.”
The big three challenges
1. Data security is no longer the preserve of the IT department.
Digital is at the core of every modern business and an increasing number of employees are coming into contact with data as part of their work.
Companies need to address data security as a key business issue that is high on the boardroom agenda and driven by the chief executive. Aside from damage to operations and the risk of legal action, cyber breaches have been proven to damage brand reputation and impact negatively on consumer confidence.
2. There is a skills gap when it comes to data security specialists in the UK.
The Technology and Skills in the Digital Industries report, released by e-skills UK and funded by the UK Commission for Employment and Skills, has warned that a lack of specialist technical skills is hampering the sector’s growth, with nearly one-fifth of all vacancies difficult to fill. It found a growing need for high-level IT specialisms, including security specialists.
3. Robust data security management is not just about prevention but knowing how to deal with a breach when it occurs.
It is important to have a crisis management plan in place that can be activated in minutes. The plan should include a policy for crisis communications, including what needs to be communicated, by whom and when. The plan should also set in motion proactive communication activities, such as the launch of a crisis website, preparing press and analyst contacts, notifying specific audiences, and addressing the issue on social media.
A director at a leading law firm which suffered a major virus attack speaks anonymously about the company’s response.
Q: What do you think is the biggest challenge in data management?
A: People are the weak link because regardless of how many controls you have, mistakes can be made. We invest a lot of time in awareness campaigns as well as coaching staff during inductions on the importance of data security.
Q: How do you address data security?
A: We gained an ISO 27001 information security accreditation, which ticks most of the data security boxes. It ensures basic principles such as access to buildings and secure areas are monitored and controlled, as well as pass production and removal of access rights.
Q: Do you outsource it or manage in-house?
A: Our controls are administered in-house, except for our archive records partner, Crown Records Management, which deals with our boxed storage. Managing data in-house gives us peace of mind.
Q: How much do you spend on data security?
A: Investment has risen over the past two years; we have a dedicated team dealing with data security and a specialist security manager responsible for auditing and monitoring our performance. The role is specialised, and I suspect that at present there are not that many skilled security practitioners available on the market. This is reflected in salaries.
Q: What have you learnt from the security issue?
A: It was a wake-up call when we suffered a major virus attack on our network, and a catalyst to put the controls we now have in place.
Managing director, Radius EMEA
We recently completed a survey among consumers who own technology products and it reinforced the fact that privacy and security issues are one of people’s greatest concerns. The research suggests that there would be a backlash if a brand was perceived to have violated a consumer’s privacy.
Of course, people are willing to share certain data if they see a tangible benefit but it is difficult for brands to both provide and communicate that benefit, and that is one of the challenges.
Importantly, there is also a generational factor – millennials are more inclined to share personal information with brands in return for a perceptible return. This younger generation is more willing to go along with that value proposition than older consumers, who often have a greater amount of trepidation, and this is an important consideration for brands.
It is clear that the issue of data security is being taken increasingly seriously by organisations and is being elevated from an IT issue to a C-suite position. There are many more chief information officer and chief technology officer roles being created, particularly at mid-size companies that have not previously acknowledged the need for that position. That speaks volumes about what companies are trying to do.
But disaster preparedness still needs addressing. It is generally agreed that there are two types of companies – those that will have their information security breached and those that have already fallen victim. Many companies are caught flat-footed when a breach happens and they should not be, yet crisis planning is often missing. Companies need a well thought out plan in place that is supported by consumer intelligence.
What is most important to consumers and what do they want and need to be reassured about? Any response needs to be carefully tailored to the industry, the company and its audiences.
We recently carried out consumer research in the US to get a sense of which brands consumers believe are doing a good job of protecting personal information. We did this across a variety of categories from financial services to e-commerce, and we tested specific brands in each category.
Startlingly, consumers perceived that none of the brands are doing the best job, and yet it is such an important issue. There is a clear opportunity for companies to really differentiate themselves in this area, and the stakes are high.