Why organisations need to earn - not demand - public trust
Businesses must rebuild public confidence in their ability to store and protect New Zealand citizens' personal information, says John Kendall, security program director at Unisys Asia Pacific, as research reveals a trust crisis.
The relationship between an organisation's demonstrated ability to protect sensitive data and the public's trust in that organisation may seem obvious – yet many Kiwi organisations have failed to convince their customers that they can be trusted to protect our personal information.
Media reports of data breaches are becoming a daily headline, making it a commonplace occurrence. The public expects organisations to suffer breaches unless convinced otherwise.
And it's not just criminals or negligent employees who are the culprits. Hacking for a cause (rather than profit) has seen the rise of "hacktivism" as demonstrated by Wikileaks and more recently the breach designed to publically expose the customers of cheating site AshleyMadison.com.
For nearly 10 years the Unisys Security Index has tracked the attitude of New Zealanders toward various security issues. Since 2007, the top two security concerns for Kiwis have consistently related to data security: unauthorised access to personal information, and others obtaining and using their financial information.
This year Unisys asked more than 1200 New Zealanders about the likelihood that their personal data, held by seven types of organisations including airlines, banking and finance, government agencies, healthcare, retailers, telecommunications and utilities, would be accessed by an unauthorised person, accidentally or deliberately, within the next year.
The findings reveal a crisis of faith in these organisations and agencies to hold and protect critical personal information.
What's the issue?
The 2015 Unisys Security Insights research found telecommunications organisations are the least trusted by New Zealanders to protect their personal data with 53% expecting their information to be accessed in an unauthorised manner within the next 12 months.
In January it was reported that a Telecom NZ dealer had leaked identity credentials to a rival telco.
Alarmingly, the next least-trusted group is government organisations with at least half of Kiwis expecting a breach by government agencies (51%) or bank (50%) in the next 12 months.
This is concerning when you consider the amount, detail and sensitivity of personal data held by our governments and banks.
Although this survey looks at perceived vulnerability, not actual vulnerability, it clearly shows which organisations the public perceives to be most vulnerable.
Consumer trust must be earned and maintained. To build trust, an organisation needs to not only take preventative measures, but to also make those measures visible to build public confidence.
We might have expected banks to have ranked higher in the perceived likelihood of suffering a data breach, however banks do a great job of proactively identifying identity breaches taking quick action communicating with their customs to minimise the impact of fraud. This appears to have helped build trust compared to telcos and government, even though they are an equally likely target.
The growth of online shopping and the financial information stored by online retailers still poses some concerns for Kiwis with 45% expecting a breach within the next year.
While the utilities industry fared somewhat better in the research (42% expecting a breach), Unisys research undertaken in 2014 found that 84% of critical infrastructure providers in Australia and New Zealand experienced a data breach in the previous year.
These findings show that there is still work to be done in the industry to limit data breaches and protect personal information.
Surprisingly, despite public scrutiny around the introduction of e-health records, just 45% of New Zealanders expect a breach by their healthcare providers in the next 12 months. It is likely that this very scrutiny – and the public debate and commentary around the issue – helped to build customer confidence as the public discussion reinforced that data privacy was a key issue and that relevant security measures would be taken.
Airlines took home the title as the most trusted industry to protect personal information with just one in three Kiwis thinking a data breach was likely.
While airlines will be pleased with this, they need to work to maintain this trust as they continue to capture more and more information about their passengers in a bid to provide personalised end-to-end services and to assist with border security measures
A target or careless?
While it can be easy to view organisations as the victim in data breach scenarios, the reality is that most breaches occur as a result of poor security practices and careless employee behaviour.
Unisys research of critical infrastructure providers in Australia and New Zealand found that while many (48%) security breaches occurred as a result of insecure networks, one in three (33%) were caused by unmanaged mobile devices and employee use of social networks.
Yet despite human error being named as the cause of up to 50% of security breaches, only 6% cent of organisations said they provide cyber security training for all employees.
Such behaviour makes organisations a tempting target for attackers. The ability to "strike from afar", careless inattention to the basics (e.g., weak authentication practices) and a lack of user training are just a few of the details that make organisations vulnerable to cyber-attacks.
And the 2015 Unisys Security Insights research clearly shows that this carelessness has eroded confidence and resulted in consumer frustration with organisations that collect and hold their personal data.
Does consumer trust matter?
Security breaches don't just impact an organisation's ability to deliver services. The subsequent negative repercussions of a data breach can adversely change the way customers and prospective customers think about or trust the business.
A businesses reputation and brand image is a key corporate asset and when the balance of trust is compromised it remains to be seen whether this confidence can be fully restored.
Loss of reputation is not easily quantifiable but is likely to erode future business opportunities. In today's fast paced and unforgiving business environment, there is no shortage of other operators waiting to collect disenchanted customers in the wake of a controversial security breach.
Previous Unisys research revealed that 80% of New Zealanders said they would stop dealing with an organisation if they became aware that their personal information had been accessed by an authorised person.
Additionally 48% said they would publically expose the issue and 36% said they would take legal action.
Consumer trust isn't just something warm and fuzzy that's nice to have – it impacts the bottom line.
What can organisations do to improve trust? Experience and knowledge help to build trust. Organisations need to not only implement security measures – they need to be seen taking such measures to build public confidence.
There's no silver bullet for security. In addition to taking steps to prevent data breaches – they must be prepared to mitigate the risks should a breach occur. To do that, organisations must learn to think, and behave like they are already under attack.
All employees should be made aware of potential internal and external threats to the organisation and understand the role they play in protecting corporate assets against security threats.
With employees aware of potential risks, the next phase to reinforcing security systems and processes is to implement cyber-vulnerability assessments for all systems, to allow organisations to identify areas of weakness and blind spots.
At a minimum, organisations should require hard-to-guess passwords on all systems, consider multi-factor identification to grant access to sensitive data, and patch outdated operating systems and applications. Looking forward, security enhancements must always be part of any modernisation initiative.
It takes time and effort to earn and maintain consumer trust - it doesn't happen overnight. A holistic approach to security is required that incorporates people, policies, processes and technology.
This will help organisations to manage who has access to what data as well as protecting the data itself via encryption so that even if the wrong people get access to the data, they still can't read it.
By focusing on building more robust IT security systems, organisations can safeguard their business and its customers against accidental and intentional data breaches.