Today, the mere threat of a breach can crush your business. The Twitter whistleblower saga shows that, after years of indifference, customers are sensitive to even rumors of data leaks. A few years ago, PR teams could paper over a small breach, and customers would accept it. A decade ago, massive data breaches made headlines, but customers stayed with the vendor because they believed that lightning couldn't strike twice.
Times have changed, though, so how can you protect yourself … and even turn privacy and security into an advantage? The companies that win will embrace small steps, transparency, and the right partners.
Ex-Twitter Exec Blows the Whistle
The Twitter whistleblower story will change how the news industry reports on security and privacy moving forward. Just as ransomware went mainstream with the Colonial Pipeline hack, security and privacy stories are going to become mainstream news. Even if your company isn't as high profile as Twitter, the floodgates have opened.
Furthermore, the Twitter story demonstrates that you don't need to be breached to make the news. Former Twitter security executive Peiter Zatko (aka Mudge) made headlines with his concerns about Twitter's security and privacy policies and execution. While there have been well-known Twitter hacks, Zatko's most powerful criticisms are about Twitter's state of security. In his almost 200-page report to federal regulatory agencies and the Department of Justice, the most serious allegations are that Twitter provided regular employees access to central controls and sensitive information without adequate oversight.
It Doesn't Matter If the Accusations Are True
If a reporter asked, "Who has access to your data?" could you answer? Would you want to answer? You will be convicted in the court of public opinion before you can defend your security posture. I have no inside information on the Twitter case, but it doesn't matter whether it's found to have egregious breaches of standard security protocols. There will be a large contingent that already assumes this information is true.
After so many high-profile breaches (Target, Adobe, Yahoo, and more), companies are considered guilty until proven innocent. Unfortunately, it's almost impossible to prove innocence, since you cannot prove the absence of a breach. Furthermore, even if you could, by the time you had proved that you haven't been breached, the news cycle would already have moved on. You cannot react quickly enough to counteract the rumors.
Why Are Customers So Sensitive to Privacy?
Everybody knows that companies are gathering vast amounts of personal data. Clicking on the GDPR-inspired "Track my information" buttons may be a reflex, but we understand that we're always being tracked. Customers accept that their vendors will hold their personal data, but they expect the company to protect their information.
Unfortunately, cybercriminals are targeting personal customer information. Identity theft, spam, phishing, ransomware, and other attacks aren't just theoretical. Everybody knows somebody who's been affected.
With more data and more threats, every customer is sensitive to breaches. Corporate data breaches lead to fines, damaged reputations, and loss of customer trust. Companies are desperate to secure their data because it's the difference between survival and failure.
How to Protect Yourself: Transparency
The only way to survive is to be transparent about your data management. Most organizations are hesitant to talk about security and privacy because they know there is a chasm between what they are doing and what they should be doing, but everybody is in the same position. Therefore, whoever steps into the light will immediately take the lead.
When making yourself publicly accountable, you should:
- Create a concrete, achievable plan. Focus on the most business-critical data and risk areas. Make a short- and long-term plan so that your internal team and external customers will buy in.
- Set up regular public reviews. Most organizations review their security and privacy posture with executives and the board of directors. Run that same review with the entire company so employees can participate and see that you care about the mission.
- Get certified. External auditors and certifications demonstrate that you're willing to hold yourself to a high standard and that you're not hiding anything. Nobody likes being audited, but it keeps you honest.
Remember, You're Never Done
Threats and expectations keep evolving, so you must keep ratcheting up your security plan as well. Since most companies won't give you an unlimited budget, you'll need to plan for how to do more with less:
- Offload work: You don't need to do all the work on your own. The days of "Do it Yourself" security are past. If you can get a service to cover the basics, you can focus your team on business-specific security and privacy initiatives.
- Use savings to fund initiatives: Most teams try to save money by pushing vendors for better discounts, postponing asset refreshes, or overworking their staff. Smart teams look for holistic savings. For example, advancements in security and privacy should reduce cyber-insurance premiums.
- Store less data: Most businesses want to store all their data, messages, and emails forever. Not only is this approach expensive, but it also creates nearly unbounded legal and privacy risks. You need to help your business teams understand the value of reducing retention periods.
The best way to start protecting your company's reputation is with a single assignment. Pick one dataset — a business-critical application, your CRM system, or your backups. Figure out who has access to it. Create a plan to make it more secure. Then share that plan with your colleagues and hold yourself accountable.
Twitter's security issues are blanketing the news. When even a rumor can destroy your business, it's not the time to wait for consultants and focus groups. Now is the time to make your part of the world a little bit better, every day. Shine a light on how you protect your data, and your customers will trust you.