Every so often an article is shared that provokes a collective, vigorous nodding of heads – and even the occasional repetitive strain injury – here at Red Sift HQ. This recent piece from TechCrunch is one such example, highlighting as it does the fact that, rather remarkably, the line, ‘We take your privacy and security seriously’ appears in more than one-third of recent data breach notifications filed in the state of California.
It’s little more than a basic piece of desk-research, but it demonstrates precisely why trust in consumer-facing organizations is in crisis (with an annual trust barometer highlighting that customer trust in businesses is at unsatisfactory 56 percent in 2019). Companies are not walking the walk; how can they be when they’re claiming to value user security and privacy at the very moment they’re ‘fessing up to a data breach?
We’re not looking to take the moral high ground and castigate each and every organization that has ever suffered a data breach. Ensuring effective security, 24/7, across every conceivable attack vector – including every partner and stakeholder in an organization’s supply chain – is a massively complex undertaking.
Firms may well make mistakes at various points, because hackers are incredibly smart and make it their business to pray upon not just tech weakness, but human vulnerability in all manner of pernicious ways. Some firms may also be misled by security vendors, who have a tendency to over-promise and under-deliver, leaving them vulnerable to attack despite their good intentions and willingness to invest in their defences.
But the TechCrunch piece brings two key points to the foreground:
- Companies have got to improve their security basics
- Companies must make their security and privacy policies far more transparent and accessible to their customers
The truth is that many organizations leave giant chinks in their armour by failing to address relatively clear-cut vulnerabilities. A great example of this is email spoofing. It’s perfectly possible to stop hackers from impersonating a company’s email domain by implementing the DMARC email protocol. This protocol was created by some of the most high-profile tech companies in the world, it has been around for half a decade, the UK Government advocates for its use, and yet some companies don’t bother exploring how to implement it.
If companies start stamping out such basic vulnerabilities, and then take the time to communicate these steps and make customers aware of what they’re doing, then a) there will be fewer data breaches in the first place, and b) customers might start to believe that, indeed, their data privacy and security is now being taken seriously.
Of course, restoring customer trust also requires companies to be clearer about what data they’re storing and for what purposes. It isn’t mentioned in the TechCrunch piece, but when most companies’ privacy policies are written in legalese and are as long as Beowulf, then it’s no wonder customers don’t know what’s going on and feel all the more outraged in the event of a data breach, irrespective of how it occurred.
At Red Sift, we don’t believe there should be a blanket ban on use of the phrase, ‘We take your privacy and security seriously’ because we still have faith that the vast majority of organizations do mean it. But until they start walking the walk, consistently, and having a sincere and open conversation with their customers about privacy and security issues, the trust deficit only looks set to grow.