There are five key steps that any business must undertake when protecting their own, and consumers’, data.

Credit: Yuri Samoilov

In 2016 consumers were exposed to a larger number of high-profile data breaches than in any previous year. According to the Breach Level Index, 1,792 data breaches led to almost 1.4 million data records being compromised worldwide, an increase of 86% compared to 2015. Identity theft was the leading type of data breach last year, accounting for 59% of all data breaches. These numbers have helped raise public awareness of the serious threats to personal data that exist in the modern era, and awareness is also growing of some of the solutions that businesses and individuals can use to minimize the risks from data breaches. But is it enough?

Encryption has been a buzzword in the U.S. press in recent years, but it’s unlikely that consumers actually understand what it involves or how important it is. Another recent study, the 2016 Data Breaches and Consumer Loyalty report, revealed that only 16 percent of the consumers surveyed worldwide claim to have a complete understanding of encryption, with a similar proportion (13 percent) admitting that they have no understanding. If, as this evidence suggests, consumers don’t truly understand the measures that businesses are putting in place to protect their data, they won’t be aware of how secure their data is. This contributes to any concerns and uncertainty consumers may have when sharing personal data with companies.

In an earlier column, my colleague, Jason, outlined some of the key questions and issues organizations need to address when deciding where to spend their security dollars. I’d like to take that further and talk through the additional steps needed to educate consumers about what a business is doing to protect their data, which is crucial to building consumer trust and loyalty.
If consumers are unsure which protections a business has in place, they may avoid dealing with it entirely. Any business that suffers a data breach or gains a reputation for handling customer data insecurely will see consumers move to competitors they perceive to be more secure.

There are five key steps that any business must undertake when protecting their own and consumers’ data:

1. Understanding data

First, in order for a business to begin protecting itself, it should organize a data sweep to understand what data it has produced or collected, and where the most sensitive parts of that data are stored. This is Jason’s “Where is Your Data?” question. Examples of Personally Identifiable Information a business may collect include a customer’s email address, date of birth or financial details. Before a business can even think about how it is going to protect its data, it’s crucial that it understands what it is trying to protect.

2. Use two-factor authentication

The next step an organization should take is to adopt strong two-factor authentication, which provides an extra layer of security should user IDs or passwords ever become compromised. This is Jason’s “Who Has Access to Your Data?” question. Two-factor authentication requires an individual to present something they have, like a message on their smartphone, as well as something they know, rather than relying only on something they know, such as a password.

3. Encrypt everything important

While two-factor authentication helps to stop information being taken in the first place, or accessed by people who don’t have the correct permissions, encryption adds a layer of security that stops customers’ sensitive data being used if it is accessed or stolen. This is why a business must understand where its most valuable data is stored before this step can occur. Whether the data is stored on your own servers, in a public cloud, or in a hybrid environment, encryption must be used to protect it.
Companies need to approach protection with the assumption that they will be breached and employ the encryption necessary to protect their most important asset, the data.

4. Keep encryption keys safely stored

Of course, once a business is properly encrypting its data, attention must turn to strong management of the encryption keys. Whenever data is encrypted, an encryption key is created, and that key is necessary for unlocking and accessing the encrypted data. Encryption is only as good as the key management strategy employed. Companies must ensure the keys are kept safe through steps like storing them in secure locations, for example in external hardware away from the data itself, to prevent them being hacked.

5. Educate staff and customers

The final step a business should undertake is educating both its consumers and its workforce on the processes it has undertaken to protect their data. And it doesn’t just end there. Businesses need to employ a double-sided approach, educating both their employees and consumers on the steps they should also be taking to remain safe and protect their personal data themselves. This helps to build their understanding of how to protect the company’s data, and builds consumer confidence.

Only once a business has followed these steps, and educated its customers, can it be confident that it has adequate processes in place to protect its data. The importance of an adequate cybersecurity strategy cannot be overstated, with recent research revealing that almost seven in ten consumers will happily take their business elsewhere in the event of a data breach. Additionally, an educated population of consumers will help encourage other businesses to improve their cybersecurity, ultimately leading to a more secure environment for both companies and individuals to do business.
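
The data sweep described in step 1, as an added example that is not part of the original column: a short Python scan that reports which fields of stored records hold the kinds of personal data named there (email address, date of birth, financial details). The store names, field names, sample records and patterns are constructed for illustration.

```python
import re

# Patterns for the PII types named in step 1 (assumed formats, not exhaustive).
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
DATE = re.compile(r"\b(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])\b")
CARD = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators

def luhn_ok(digits):
    # Luhn checksum filters out digit runs that are not payment card numbers.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(value):
    # Return the PII categories found in one field value.
    text, found = str(value), set()
    if EMAIL.search(text):
        found.add("email")
    if DATE.search(text):
        found.add("date")  # candidate date of birth; needs human review
    for m in CARD.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            found.add("card_number")
    return found

def sweep(stores):
    # Map "store.field" to the PII categories seen in any of its records.
    inventory = {}
    for store, records in stores.items():
        for record in records:
            for field, value in record.items():
                hits = classify(value)
                if hits:
                    inventory.setdefault(f"{store}.{field}", set()).update(hits)
    return inventory

# Constructed sample data; store and field names are hypothetical.
SAMPLE = {
    "crm.customers": [{"id": 1, "contact": "alice@example.com", "dob": "1984-03-12"}],
    "support.tickets": [{"id": 77, "body": "Card 4111 1111 1111 1111 declined, ref 1234567890123456"}],
}

for location, kinds in sorted(sweep(SAMPLE).items()):
    print(f"{location}: {sorted(kinds)}")
```

The free-text ticket body is flagged because it contains a Luhn-valid card number, while the 16-digit reference beside it is not; unstructured fields like this are where a sweep tends to find sensitive data nobody planned to store.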