Twitter’s Whistleblower Allegations Are a Cautionary Tale for All Businesses

Today, the mere threat of a breach can crush your business. Twitter’s whistleblower saga shows that, after years of indifference, customers are sensitive to even rumors of data leaks. A few years ago, PR teams could write about a minor breach and clients would accept it. A decade ago, massive data breaches made headlines, but customers stayed with the vendor because they believed lightning couldn’t strike twice.

However, times have changed, so how can you protect yourself … and even turn privacy and security into an advantage? Companies that win will embrace small steps, transparency and the right partners.

Former Twitter Executive Blows the Whistle

The Twitter whistleblower story will change the way the news industry reports on security and privacy moving forward. Just as the Colonial Pipeline attack pushed ransomware into mainstream coverage, security and privacy stories will become headline news. Even if your company isn’t as high-profile as Twitter, the same doors are open.

What’s more, Twitter’s history shows that you don’t have to suffer a breach to make the news. Former Twitter security executive Peiter Zatko (aka Mudge) made headlines with his concerns about Twitter’s security and privacy policies and execution. While there have been known hacks on Twitter, Zatko’s strongest criticism is of Twitter’s overall state of security. In his nearly 200-page report to federal regulatory agencies and the Justice Department, the most serious allegations are that Twitter gave regular employees access to central controls and sensitive information without adequate oversight.

It doesn’t matter if the allegations are true

If a reporter asks, “Who has access to your data?”, can you answer? Do you want to answer? You will be judged in the court of public opinion before you get to defend your security posture. I have no inside information on the Twitter matter, but it doesn’t matter whether it turns out to be an egregious breach of standard security protocols. There is already a large contingent who assume the allegations are true.

After so many high-profile breaches (Target, Adobe, Yahoo and more), companies are presumed guilty until proven innocent. Unfortunately, it is almost impossible to prove innocence, since you cannot prove the absence of wrongdoing. Furthermore, even if you can, by the time you prove you haven’t been breached, the news machine has already moved on. You cannot react quickly enough to counter rumors.

Why are customers so sensitive to privacy?

Everyone knows that companies are collecting large amounts of personal data. Clicking on the GDPR-inspired “Track my information” buttons may be a reflex, but we all understand that we are always being tracked. Consumers accept that their vendors will keep their personal data, but they expect the company to protect that information.

Unfortunately, cybercriminals target personal customer information. Identity theft, spam, phishing, ransomware and other attacks are not just theoretical. Everyone knows someone who has been affected.

With more data and more threats, every customer is susceptible to breaches. Corporate data breaches lead to fines, damaged reputations and loss of customer trust. Companies are desperate to secure their data because it’s the difference between survival and failure.

How to protect yourself: Transparency

The only way to survive is to be transparent about your data management. Most organizations are reluctant to talk about security and privacy because they know there is a gap between what they are doing and what they should be doing, but everyone is in the same position. Therefore, whoever enters the light will immediately take the lead.

When you hold yourself publicly accountable, you should:

  1. Create a concrete and achievable plan. Focus on the most business-critical data and risk areas. Make a short- and long-term plan so your internal team and external customers buy in.
  2. Set up regular public reviews. Most organizations review their security and privacy posture with executives and the board of directors. Conduct the same company-wide review so employees can participate and see that you care about the mission.
  3. Get certified. External auditors and certificates show that you are willing to hold yourself to a high standard and that you are not hiding anything. No one likes to be audited, but it keeps you honest.

Remember, you’re never done

Threats and expectations continue to evolve, so you must continue to improve your security plan as well. Since most companies won’t give you an unlimited budget, you’ll need to plan how to do more with less:

  1. Offload work: You don’t need to do all the work yourself. The days of do-it-yourself security are over. If you can get a service to cover the basics, you can focus your team on business-specific security and privacy initiatives.
  2. Use savings to fund initiatives: Most teams try to save money by pushing vendors for better discounts, deferring asset refreshes or overburdening their own people. Smart teams seek holistic savings. For example, demonstrable advances in security and privacy should reduce cyber insurance premiums.
  3. Save less data: Most businesses want to keep all their data, messages and emails forever. This approach is not only expensive, but also creates almost unlimited legal and privacy risk. You need to help your business teams understand the value of shorter retention periods.

Get started today

The best way to start protecting your company’s reputation is with a single task. Choose one data set – a business-critical application, your CRM system or your backups. Understand who has access to it. Create a plan to make it safer. Then share that plan with your colleagues and hold yourself accountable.

Twitter’s security issues are making headlines. When even one rumor can destroy your business, it’s no time to wait for consultants and focus groups. Now is the time to make your part of the world a little better, every day. Shine a light on how you protect your data and your customers will trust you.
