All About Trust

October 6, 2020

One of the biggest roadblocks for getting anyone to listen to what you want them to do is trust, or more accurately, a lack of trust.

You could say we’re facing an unprecedented trust deficit in every aspect of life due to the COVID-19 pandemic. Who can we trust to tell us what to do? And can we trust them to do the right thing?

This lack of trust can even make us question the motives of those whom we may have trusted in the past. It is amplified by the isolation felt by millions in self-confinement, forced to quarantine in their homes.

For those lucky enough to have escaped this fate, many also feel the effects of a deficit in trust when they’re continually reminded to keep a safe distance from others—including colleagues, neighbors, and family—and wear a face covering when they step outside of their front door in fear of contracting COVID-19.

This general feeling of a lack of trust can have less-than-obvious consequences.

Protecting Your Customers’ Personal Data

Processing personal data sits at the heart of delivering products and services to millions of customers. And with today’s new technologies, how we use personal data is changing how we work.

Sharing personal data or personally identifiable information (PII) more quickly and more easily allows us to make better decisions about the products and services we offer and can drive more sales. But it also brings with it risks we need to mitigate.

For the small to medium-sized business (SMB), there’s a continuous need to handle personal data in ways that are appropriate, secure, and protect privacy. Getting this right the first time isn’t always easy, but managing personal data in accordance with laws and regulations is vital to maintaining the trust of existing customers, keeping their business, and acquiring new ones.

“Trust underpins our notion of data protection, privacy, and security,” explains Richard Preece, a privacy consultant based in the UK who’s worked extensively within the public and private sectors including financial services, aviation, and defence.

He continues:

“There are core issues common to data protection, privacy, and security laws around the world. These can be boiled down into informed consent, transparency, accountability, security, and control. How these issues are managed often comes down to the application of laws and regulations. Small-midsize businesses should aim to build deeper digital trust with their customers by making sure they can demonstrate consent, transparency, accountability, security, and control.”

This often comes down to managing customer expectations, and you don’t need to be a data privacy lawyer to know if something feels creepy or cool. If it’s creepy, it might be unlawful, like profiling your customers online without them knowing or disrespecting their right to object.

Even if you’re able to share the personal data of your customers with others, just because you can do so doesn’t make it ethical or fair, does it?

“We’ve reached the point that we must incorporate privacy into our product and service offerings so that they’re not only competitive but trustworthy,” adds Richard Preece.

The potential negative consequences of a failure to meet customer expectations will go beyond any sanction or fine a regulator can impose. They can also take a long time to recover from a damaged reputation.

“Customer data is core to any business right now so if you get it wrong you won’t be able to sell your products and services very easily. You’ll damage the reputation you’ve built over a long period of time with existing customers and start to lose incremental sales or worse,” warns Richard Preece.

There’s plenty of free guidance for SMBs that trade within the European Union and must comply with the EU General Data Protection Regulation (GDPR).

The Irish Data Protection Commission (DPC) has published guidance that serves as a useful to-do list for SMBs thinking about how to manage the data protection, privacy, and security of their customers’ data in order to comply with the GDPR.

In the UK, the Information Commissioner’s Office has also published guidance for SMBs on its data hub.

Protecting Your Own Business From Cyberattacks

According to the latest UK Government statistics, cybersecurity threats haven’t diminished; they have become more frequent. Almost half of businesses (46%) and a quarter of non-profits (26%) report having had cybersecurity breaches or attacks in the last 12 months. As in previous years, the figure is higher among SMBs (68%), large businesses (75%), and high-income non-profits (57%)¹.

Given SMBs are sitting targets for cybercriminals, what are the main vulnerabilities and how should you protect your business? Here are my top 10 tips to improve your security.

Tip #1: Install an SSL/TLS certificate on your website.

Without it, data travels between a user’s browser and your website in plaintext and can be read by cybercriminals, so it’s vital to protect the transmission channel. Installing an SSL/TLS certificate on your web server lets you secure the data transferred between the web client and your website: the two sides set up an encrypted channel, preventing cybercriminals from “reading” or otherwise accessing the data while it is in transit.

Tip #2: Use data encryption to protect yourself from being hacked.

Data encryption helps you to secure personal data, whether it’s sitting on a server or in cloud storage (at rest) or moving between servers (in transit). It’s essential you encrypt personal data before sending or uploading it. That way, if it’s intercepted, cybercriminals won’t be able to read or access the data without the key.

Tip #3: Make remote access both easy and secure for your users.

According to recent research, over 50% of the UK workforce is working remotely because of the COVID-19 pandemic. As a result, secure remote access has never been more important. Strong network security and authentication will help to keep your business safe and its data secure by mitigating risks and removing remote-connection vulnerabilities. It’s important to put in place security processes and tools that are both easy and secure for users; otherwise they’ll resist using them, and that makes you more vulnerable to attack.

Tip #4: Make sure you tell your staff to change their personal Wi-Fi passwords.

A common mistake made by many home users (which now includes home workers) is to keep the default passwords set by their internet service providers (ISPs). This opens the door to cybercriminals and gives them easy access to your network. You should limit the number of users who can access the remote desktop. Also, make sure any computers and devices used for business purposes have up-to-date firewall and anti-virus software, and don’t allow anyone to connect directly to your network without using a virtual private network (VPN).

Tip #5: Use authentication tools to protect your identity.

It’s a sad fact that cybercriminals are successful at mimicking businesses and tricking customers in the process. This level of deception can extend to copying your website and sending emails to your customers that appear to have come from you. This can effectively destroy all trust.

There are several ways to combat this. A common approach is to install personal authentication certificates for your employees. Depending on how you choose to use them, these certificates can help manage access to your website and authenticate the emails you send to customers:

  • With respect to your website, this type of digital certificate can be used to give access to restricted areas of your website. For example, let’s say you want to allow only specific users to access a portal or area of your website. If they have this type of certificate installed, the server will be able to authenticate them and allow them access.
  • With respect to emails, this type of digital certificate enables you to digitally sign your emails using a digital signature. This helps you to show your customer you’re who you say you are and also indicates the sensitive contents of your message haven’t been tampered with since it was signed. It also allows you to encrypt your messages and any attachments. This means before you even hit “send” on an email, your message is scrambled and becomes unreadable to anyone aside from your intended

Tip #6: Authenticate all users and restrict unauthorized access to your system.

This is an essential and basic security measure but, again, extremely important in helping to preserve trust. Any access to your systems or network must only be possible for an authenticated user. Many businesses use multi-factor authentication (MFA) to verify a user through two or more types of identification, typically including:

  • Something you know (such as a password or PIN)
  • Something you have (such as an HSM, token, or mobile app)
  • Something you are (a biometric such as a fingerprint, facial scan, or retinal scan)

Tip #7: Consider upgrading to a multi-layered approach to cybersecurity.

Depending on the nature of your business, many SMBs have made cost-effective upgrades to protect against cyberattacks and to protect the personal data of their customers, thereby strengthening trust. Consider doing the following:

  • DNS- and IP-based web filtering
  • Email filtering
  • Penetration testing
  • Intrusion detection systems (IDS)
  • Unified threat management (UTM) tools
  • Automation solutions like PKI certificate managers and patch management tools
  • Regular data backups

Tip #8: Consider using a stronger password management system.

Passwords alone don’t guarantee to stop unauthorized access to your system or network, but they should be part of the data privacy and security solution for SMBs. It’s common sense: weak passwords can be easily cracked, so longer and more random passwords have become the norm. However, these are almost impossible to remember, especially when you’re advised to use a different password for each login. One solution is a password manager. These tools are an effective way of keeping everything in one secure place, and they’ll also generate strong, secure passwords and store them for you.

Tip #9: Use a VPN.

As previously mentioned in Tip #4, where you have remote workers or those employees who may have to access publicly available Wi-Fi networks, then a virtual private network (VPN) is essential. Sniffing tools are increasingly popular and sophisticated. Logging on to a coffee shop, train, airport, or hotel Wi-Fi can leave your employees extremely exposed to snooping.

A VPN will protect your data and your customers’ data from anyone on the same network, and also hide your internet traffic. Another advantage of a VPN is that it connects you to the internet privately and anonymously, creating an encrypted tunnel that shields your traffic from anyone trying to track you.

Tip #10: Train your employees as they’re your front-line defense in protecting and securing personal data.

Data privacy and cybersecurity awareness and training are some of the most important ways to protect your business and build trust from within, but they’re often overlooked.

When cybercriminals want to gain access to your bank details, credit cards, or passwords, they’re likely to use less sophisticated methods of attack like email, social media, or even a phone call.

An email containing poor grammar, spelling mistakes, unprofessionally written copy, and a suspicious-looking URL should ring alarm bells when received.

According to the European Union Agency for Cybersecurity, email phishing attacks have spiked by over 600% since the end of February 2020 due to the COVID-19 pandemic, as employees are being forced to work from home.

Cyberawareness training teaches your employees how to recognize various cybersecurity threats and how to operate safely online. Part of this training should include showing how phishing emails aren’t just poorly written, typo-filled ramblings. Cybercriminals create simple yet effective phishing emails appearing legitimate through the use of social engineering techniques.
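As an added example (not from the article), the following Python script applies the kind of URL checks described above to the links in a sample message and reports why each one looks suspicious; the trusted domains, the `.test` host and the message itself are constructed for illustration.

```python
# Flag common phishing indicators in the links of an e-mail body. Added example, not
# code from the article: the trusted-domain list, the .test host and the sample message
# are constructed for illustration.
import re
from typing import Dict, List
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com", "mail.example.com"}  # where this hypothetical business links to
# Character substitutions used to imitate a trusted name (a small illustrative set)
LOOKALIKES = [("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m"), ("vv", "w")]
# <a href="...">visible text</a> in a simple HTML body; the visible text may itself be a URL
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)

def normalise(host: str) -> str:
    """Fold look-alike characters so 'examp1e.com' compares equal to 'example.com'."""
    for fake, real in LOOKALIKES:
        host = host.replace(fake, real)
    return host

def link_indicators(href: str, text: str) -> List[str]:
    """Reasons one link looks suspicious; an empty list means no check fired."""
    reasons = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        reasons.append("link is not HTTPS")
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        reasons.append("raw IP address instead of a domain name")
    if "xn--" in host:
        reasons.append("punycode host (possible homograph domain)")
    if host not in TRUSTED_DOMAINS:
        if normalise(host) in {normalise(d) for d in TRUSTED_DOMAINS}:
            reasons.append("look-alike of a trusted domain: " + host)
        if any(host.startswith(d + ".") for d in TRUSTED_DOMAINS):
            reasons.append("trusted name used as a subdomain of another host: " + host)
    shown = HOST_IN_TEXT_RE.search(text)  # what the reader sees versus where the link goes
    if shown and shown.group(0).lower() != host:
        reasons.append("text shows %s but link goes to %s" % (shown.group(0), host))
    return reasons

def scan_email(body: str) -> Dict[str, List[str]]:
    """Map each suspicious href in the body to its indicators; clean links are omitted."""
    return {href: reasons for href, text in LINK_RE.findall(body)
            if (reasons := link_indicators(href, text))}

# Constructed sample: an "account suspended" lure with two bad links and one genuine one
SAMPLE_BODY = """<p>Your account will be suspended unless you act today.</p>
<a href="http://examp1e.com/login">Verify your account</a>
<a href="https://mail.example.com.phish.test/reset">https://mail.example.com/reset</a>
<a href="https://mail.example.com/help">Contact support</a>"""
```

Run `scan_email(SAMPLE_BODY)` to see the two lure links reported with their reasons while the genuine support link is left out; the same function can be pointed at real message bodies once TRUSTED_DOMAINS lists your own sending domains.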

“SMBs should plan a training program that helps their employees to understand spam, phishing, ransomware, malware, and many other forms of cyber-attacks. All new joiners should also be made aware of these risks as part of their induction program,” advises Richard Preece.

Making sure your employees keep vigilant is now more important than ever. This safeguards your own systems and network but also, most importantly, it helps to maintain the trust and confidence your customers have in you and the way you manage their data.


¹ For businesses, analysis by size splits the population into micro businesses (1 to 9 employees), small businesses (10 to 49 employees), medium businesses (50 to 249 employees), and large businesses (250 employees or more). For non-profits, annual income bands are used, with high income being >£500,000/$655,000. See Official Statistics: Cyber Security Breaches Survey 2020, updated March 26, 2020.


Ardi Kolah is an innovative global privacy advisor and founding editor of the Journal of Data Protection & Privacy. He has been a global ambassador for SolarWinds on the GDPR program.