Data privacy and security: talk less, do more

Every so often an article is shared that provokes a collective, vigorous nodding of heads – and even the occasional repetitive strain injury – here at Red Sift HQ. This recent piece from TechCrunch is one such example, highlighting as it does the fact that, rather remarkably, the line, ‘We take your privacy and security seriously’ appears in more than one-third of recent data breach notifications filed in the state of California.

It’s little more than a basic piece of desk research, but it demonstrates precisely why trust in consumer-facing organizations is in crisis (with an annual trust barometer highlighting that customer trust in businesses is at an unsatisfactory 56 percent in 2019).

Companies are not walking the walk; how can they be when they’re claiming to value user security and privacy at the very moment they’re ‘fessing up to a data breach?

Security isn’t easy

We’re not looking to take the moral high ground and castigate each and every organization that has ever suffered a data breach. Ensuring effective security, 24/7, across every conceivable attack vector – including every partner and stakeholder in an organization’s supply chain – is a massively complex undertaking.

Firms may well make mistakes at various points because hackers are incredibly smart and make it their business to prey upon not just tech weakness, but human vulnerability in all manner of pernicious ways.

Some firms may also be misled by security vendors, who have a tendency to over-promise and under-deliver, leaving them vulnerable to attack despite their good intentions and willingness to invest in their defenses.

However, the TechCrunch piece brings two key points to the foreground:

  1. Companies have got to improve their security basics
  2. Companies must make their security and privacy policies far more transparent and accessible to their customers

The truth is that many organizations leave giant chinks in their armor by failing to address relatively clear-cut vulnerabilities.

A great example of this is email spoofing. It’s perfectly possible to stop hackers from impersonating a company’s email domain by implementing the DMARC email protocol. This protocol was created by some of the most high-profile tech companies in the world, it has been around for half a decade, the UK Government advocates for its use, and yet some companies don’t bother exploring how to implement it.

Going forward

If companies start stamping out such basic vulnerabilities and then take the time to communicate these steps and make customers aware of what they’re doing, then a) there will be fewer data breaches in the first place, and b) customers might start to believe that, indeed, their data privacy and security is now being taken seriously.

Of course, restoring customer trust also requires companies to be clearer about what data they’re storing and for what purposes. It isn’t mentioned in the TechCrunch piece, but when most companies’ privacy policies are written in legalese and are as long as Beowulf, then it’s no wonder customers don’t know what’s going on and feel all the more outraged in the event of a data breach, irrespective of how it occurred.

At Red Sift, we don’t believe there should be a blanket ban on use of the phrase, ‘We take your privacy and security seriously’ because we still have faith that the vast majority of organizations do mean it. But until they start walking the walk, consistently, and having a sincere and open conversation with their customers about privacy and security issues, the trust deficit only looks set to grow.

Red Sift enables security-first organizations to successfully communicate with and ensure the trust of their employees, vendors, and customers.

Red Sift find out more

PUBLISHED BY

Clare Holmes

27 Feb. 2019

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
News

Introducing DNS Guardian: Stop impersonation and spam caused by domain takeovers 

Rahul Powar

tl;dr: We’re thrilled to announce DNS Guardian — a new feature in Red Sift OnDMARC that can swiftly identify and stop domain takeovers that lead to malicious mail. Back in February, we shared updates with the community about SubdoMailing – an attack discovered by Guardio Labs. The attack was a form of subdomain takeover,…

Read more
Cybersecurity

Resilience Rising | Episode 3 with Kevin White

Red Sift

In this episode of Resilience Rising, Sean Costigan, Managing Director of Resilience Strategy at Red Sift, and Kevin White, Senior Operation Consultant with Enhanced Information Solutions, explore the critical intersection of wastewater management and cybersecurity.  The two highlight the health and operational impacts of cyber threats on water utilities, emphasizing the vulnerabilities due to…

Read more
Certificates

Your guide to PCI DSS 4.0 Cryptographic Requirements

Rebecca Warren

The Payment Card Industry Data Security Standard (PCI DSS) is a globally recognized framework designed to protect cardholder data during processing, storage, and transmission by merchants and service providers. PCI DSS outlines a set of stringent security controls that organizations handling payment card information must implement to mitigate the risk of data breaches and…

Read more
Certificates

How to build an inventory of certificates for PCI DSS 4.0 Requirement…

Rebecca Warren

We talk to organizations daily that are preparing for PCI DSS 4.0 requirements. March 31, 2025 marks the end of the transition period, and on this date, businesses must be fully compliant with PCI DSS v4.0.1.  One of the ways PCI 4.0.1 varies from PCI 3.2 is an updated Requirement 4, which covers encrypting…

Read more
DMARC

Getting started with the OnDMARC API

Nadim Lahoud

The OnDMARC API is great for performing bulk or repetitive tasks that need to be performed quickly, often and without error – and you don’t need to be a developer or even know how to code to use it. Here, I will walk you through how to perform the common task of updating the…

Read more