Taking Customer Privacy Seriously
One interesting little statistic I noticed comes from Zack Whittaker. He discovered that, in the wake of a data breach, there’s one common response companies will usually trot out for their customers or users: “We take your privacy and security seriously,” or some variation of the phrase. Out of 285 data breach notifications examined, he found around a third had this reply at the ready. Of course, it can be tough for consumers to believe this line—if a company truly valued one’s privacy and security, surely they could have done more than what is often the bare minimum to protect their data from harm? More than, for instance, unwittingly leaving 2.7 million health-related calls on a server, unguarded and exposed to the cyber elements, for six years? Calls in which a number of Social Security numbers were shared aloud? One of the affected victims of such an incident might wonder, “In which of the six years did the caring start?”
Indeed, Whittaker straight up calls this stock response a lie, and points to the existence of Google and Facebook and their business model as evidence. What most concerns a business hit with a breach is the financial impact, and usually it seems paying a fine after the fact is preferred to spending on security beforehand.
Even if there is spending, accidents happen. Most of the data breach news these days remains, unsurprisingly, centered on health care. According to Allied Market Research, the cybersecurity market in this vertical is on pace to reach over $12 billion by 2023. New government regulations, mobile device applications, and more sophisticated cyber attacks continue to create opportunities for new technology and strategic thinking, even though trained cybersecurity personnel can be hard to come by.
And again, even if these are in place, organizational flaws can create more hurdles. Research from Brian Krebs reveals that most of the leading tech companies don’t even include a chief information security officer (CISO) or chief security officer (CSO) among their uppermost echelons. Those that have security officers sometimes place them beneath other tiers, hindering direct and efficient communication, as CSOs and CISOs have to report up a longer managerial chain. The Equifax breach, for example, was exacerbated by the fact that a previous CSO and CIO did not get along, and had to be separated by an intermediary from legal to whom the CSO would report. This division was not rectified for the subsequent CSO and CIO. It thus took two months for Equifax to identify the breach.
The takeaway is that there’s no single thing companies have to prepare for when it comes to cybersecurity. Taking customer “privacy and security seriously” may just be words for some, but through proper action, policies and structure, they don’t have to be.