With the amount of data dominating the current tech landscape, CIOs and business leaders must prioritise how they manage consumer data to avoid the repercussions. A number of experts give their views on how companies should be approaching it correctly.
Morey Haber, CTO, BeyondTrust:
Organisations are struggling to protect consumer data in two primary ways; first in ensuring that they know where the consumer data actually is in their infrastructure and second, knowing and controlling who has access to that data.
For the first, it’s almost excusable when you consider the volume of data that organisations are now regularly accumulating and processing. The sheer number of routes by which potentially sensitive data can enter an organisation means that knowing everywhere it can and is stored is a significant challenge in itself. These routes can include normal customer interactions, i.e., data stored in CRMs, order management and logistics systems, but also arriving from suppliers, partners and even direct interactions between staff. Even when data is identified, establishing who owns the data expands the problem further.
Getting control of where data exists and how it should be categorised should be at the top of every organisation’s to-do list. There are tools out there to help with this kind of activity so there’s little excuse in today’s world to not get that underway. As you pursue this activity, do not forget data that may be stored externally to your infrastructure, i.e., in cloud systems such as SaaS solutions and even IaaS and PaaS instances used by your organisation. Wherever your data exists is your responsibility.
Once you know where the data is, it’s vitally important that you implement effective controls to ensure that only those who should have access to the data actually do. Ideally, you should also know when that data is accessed which often means putting particularly sensitive data behind an additional layer of security, even for those who should have access. GDPR requires that you not only know where the data is and who has access to it, but also when and how it’s been accessed so you don’t fall short on the final hurdle.
Privileged Access and Session Management tools can provide an extensive layer to control who can gain access to consumer data as well as providing recordings of activity should you need to review what was accessed. Extending that to Endpoint Privilege Management tooling as well can help ensure that even when access is granted to systems holding sensitive data, the person with that access only has the least privilege necessary for their role in the organisation. The engineer managing the operating system doesn’t need and shouldn’t have, access to the data files on the system. Even the engineer managing the application that provides access to the data files doesn’t generally need direct access to the data files.
Making sure that access is appropriately controlled and limited is equally as important as knowing where the data is, effective controls ensure there’s no unexpected access.
Moritz Zimmermann, CTO, SAP Customer Experience:
We now live in an economic environment where consumers care more about experience than products. For your business, this means your most precious resource is now the relationships you build with customers. These relationships may be built on brand promises, unique offerings and great quality, but they are literally conducted through data; the true currency of business that continues to skyrocket in value year over year.
This is why we need a paradigm shift in how we think about and handle consumer data. Here are three things to consider in order to be a change agent in a move towards a brighter data-driven future.
1. Data ownership: Possession is 100% of the law
Our data is our personal property. As such, if it is taken from us or used without our knowledge or permission, the offending organisation should face meaningful punishment and make appropriate reparations, or a crisis of trust will form that will hurt everyone and may persist for years, if not indefinitely. To avoid this, collect consumer data only to benefit your customers, whether for personalisation, improved security, or for any other reason. And when collecting it, consumers’ explicit consent should always be given, their preferences honoured and their control of that data assured.
2. Protect personal data as if your business depends on it (because it does)
Some types of data, anonymised behavioural or psychographic attributes for example, are relatively safe to handle. On their own, they are simply metrics to be used for predictive trend analysis and such. But, personally identifiable information (PII) such as names, addresses of any kind, credit card numbers and so on are on the other end of that spectrum and not to be trifled with. You should treat this data with extreme care at all times, ensuring that it is never stored, processed, or transmitted without the highest level of encryption available. What’s more, you should aim to achieve a unified and accurate view of all customer data, visible in one place, to make everything from new software deployments, to data migrations, to regulatory audits both simpler and more secure.
3. Be honest and forthright. Being hacked is no shame, but hiding it is
Unfortunately, we’re all in the same (leaky) boat and cybercrime is now something to which we all can relate. So, if the unthinkable happens to your business, report it immediately and most importantly, have a plan. Communicate quickly with your customers what was compromised and communicate the steps they should take to protect themselves. This will not only help to earn your customers’ trust, but it’s also just the right thing to do.
Ruslan Vinahradau, CEO of smart home provider, Zorachka:
As today’s digital world becomes increasingly connected, we’re beginning to see a sharp rise in the popularity of Internet-enabled products and services, like smart home devices. Most households across the UK have a ‘smart’ device of some sort, from speakers, to doorbells and safety cameras. Yet, as the every day home becomes increasingly ‘smarter’, consumers’ personal data is being collected and processed at an exponential rate.
Companies have an irrefutable responsibility to protect this data. Typically these providers transfer and store their users’ data to the cloud. Though cloud storage offers many benefits such as lower costs and the convenience of centralised processing, many providers fail to realise the looming data security challenges this platform presents.
To solve security challenges and build a safe data environment, businesses must shift their mindset and consider other ways to keep their customers’ data secure. One way to do this is by storing user data within the device itself. All Internet-enabled devices contain microprocessors and integrated NAND-storage, which can be used to process and store data, which can protect billions of IoT devices from being hacked.
Going through the hardware route – as opposed to defaulting to the cloud – provides both organisations and consumers with a better platform. The microprocessor can be used to encrypt sensitive user data within the device itself, and allow their information to then be safely transported through the Internet. Better yet, it can be transferred directly to the user without cloud servers controlled by the device manufacturer, in turn lowering the costs of storage for the provider.
Providers should remember that on average, device processors are idle 60% to 70% of the time, meaning encryption is a non-recurring operation, and this extra capacity can be dedicated to protect user data. Cloud encryption on the other hand, requires 24/7 monitoring, resulting in greater costs in terms of both time and money.
With the recent introduction of stringent data security laws around the world – from the General Data Protection Regulation in the EU to the California Consumer Privacy Act in the US – companies must take data privacy seriously, otherwise they risk reputational damage and heavy fines. As consumer awareness around data and privacy continues to grow, the methods in which companies protect user data will also become a key competitive differentiator in winning customers’ trust. By opting to encrypt users’ data from within the products themselves and leveraging their internal microprocessors, providers can simultaneously secure their customers’ data and lower their operating costs; creating a win-win solution for everyone.