PCI Pal’s CISO, Geoff Forsyth, recently featured on World Commerce Review.
A recent survey, carried out to help analyse the public’s changing attitude to data security, has brought to the fore a number of issues regarding trust, communication and spending trends, which should come as no small cause for concern for businesses.
The UK study uncovered a public that is more engaged on the subject of data security than ever before, and one which knows the value of its personal data, leading to new expectations of the companies who handle that data on a daily basis.
What is also clear is that people are prepared to hit companies who don’t take data security seriously where it hurts: their bottom line.
Some 44 per cent of respondents to the survey stated that, following a data breach, they would choose not to spend with the affected company for at least a few months, while 41 per cent stated that a data breach would be the end of their relationship with the affected company forever.
When asked what companies could do to salve the issue after a data breach, 47 per cent of respondents stated that announcing PCI DSS compliance would go a long way to restoring some level of trust, while 50 per cent would want to see a third-party regulator state that the affected company is safe again. However, 43 per cent of respondents noted that a company admitting responsibility and investing money in security would entice them into spending again, which prompts the question: how can companies best communicate their security attitudes to customers, and how can they show that they take the issue of data security seriously?
Make it the most important issue
Many companies opt to hide data security information away on their websites, treating it like a niche issue or one which is the sole purview of the IT specialist. This should not be the case, however.
Make data security the issue around which your company is built. If you are ever affected by a data breach, the key information should be published front and centre on your website:
- What has been taken?
- What should they do next?
- What are you doing to rectify the situation?
- How long until you expect to have the situation in-hand?
- What is the overall risk to the customer in both the short and long-term?
When data breaches have occurred in the past, the first that customers have heard about it has often been through the press. You must ensure that this is not the case for you, as it will cause irreparable damage to your reputation.
Reach out as soon as you’re aware of a breach. Take ownership of the problem and be open and honest, and avoid the temptation to use PR to mitigate or downplay the severity of the situation.
Deloitte’s Privacy Index found (1) that one third of people who found out about a data breach from the company under attack actually ended up trusting the company more than they did before.
A breach, if handled briskly and professionally, can actually be repurposed to build trust with customers. By showing how capable you are and how seriously you take your responsibility as a handler of their data, you can enhance your standing and come out of a bad situation in better shape than before you went in.
Be honest and encourage realistic expectations
The general public on the whole don’t have much time for the minutiae relating to data security. They want to know whether a business is safe or not, but it is important to reach out and discuss that expectation at the beginning of your relationship with them.
100 per cent data security is simply not attainable. It doesn’t matter what your budget is, or how talented your InfoSec staff are. You need to let your customers know that you maintain the maximum level of preparedness possible to mitigate any such attacks or breaches and that you invest heavily in what is a potentially catastrophic issue (2), but breaches do happen. Share key statistics on the subject and make the information engaging to your customer base (see below).
Your openness and honesty will work in your favour. Any research done by customers will reflect the same line that you have shared and with any luck your customer’s trust in you will grow as a result.
Make the information you share accessible to everyone, but don’t patronise
As Steve Jobs famously said “Simple can be harder than complex: You have to work hard to get your thinking clean to make it simple. But it’s worth it in the end because once you get there, you can move mountains”, and he couldn’t have been more right.
You should aim to make the information you share with your customer base accessible (simple) enough for those totally uninitiated in IT, let alone the peculiarities of data security, while still detailed enough to fully inform the more savvy.
As a minimum you should aim for bullet points to underline the basics with plenty of detail for those who want to know more. Be prepared to discuss issues in greater detail with customers who wish to dive in and do not be tempted to patronise.
Where possible, de-scope!
Look at ways of encrypting your data and, where possible, ensure there is no sensitive data for hackers to access in the first place. For example, if de-scoping technologies are used for payments that are handled via a contact centre, sensitive payment card data never enters the enterprise and therefore any related risks are removed.
It also means your business is compliant with the PCI DSS, which improves the ongoing security of all telephone, IVR, web and SMS financial transactions.
Have a plan and don’t be afraid to seek professional help
Investing in the best crisis response strategy that you can will go a long way towards establishing trust and faith in your company. Share with your customers the partners with whom you work to establish your security protocols; their reputations will bolster your own and show that you are actively seeking out expertise and investing in data security.