Interview: CA Technologies explores the state of digital trust in APJ
Mon, 17th Sep 2018

Consumers across Asia Pacific and Japan are wary of how organisations use their data, with a lack of trust indicating that organisations need to do more to protect customer data.

That was one of the main takeaways of CA Technologies' Global State of Digital Trust Survey and Index Study, which found that business leaders are overestimating customers' trust in their organisations.

We talked to CA Technologies VP Security for APJ, Gene Ng. He ensures customers in Asia Pacific and Japan are properly resourced and prepared to face today's evolving security challenges. CA Technologies opts for security integration as part of software development, rather than security as an afterthought.

The study found that business leaders are somewhat out of touch with how much their customers trust them. From what you have seen, why is there a disconnect between organisations and consumers?

There is a sizeable gap between how well organisations think they are handling data and how well customers think they are. Businesses are really overestimating how much trust customers have in them. This is especially noteworthy in the Australian market, which had the largest gap in perception in the APJ region.

In the last two years alone, 22% of consumers globally report decreased trust in organisations' handling of their data. This can be attributed to recent data breaches and privacy scandals reported by the media in both the private and public sectors.

Consumers are becoming more aware of the ways companies use their data, and the result is a decreasing willingness to share their personal information online.

On the one hand businesses have a duty to protect customer data, but they also want to use that data to improve their products and services. Is there a way to balance these two things without, say, forcing customers to wade through pages of privacy policies?

Customer data can often be the key between a business effectively innovating their offering and falling behind. But not all customer data needs to be stored, and that which is stored doesn't always need to be kept in a personally identifiable state.

Best practice is to only store the data that is critical to deliver on customer and business outcomes. That data should then be protected with the appropriate tools and processes to ensure it's not vulnerable to threat actors.

The other side to this is data misuse. Listing methods of use in a long privacy policy is not going to win customer trust – even if they agree to it. Besides deploying practices like opt-in rather than opt-out, companies should be transparent about how they use data. Often this can include some introspection to review whether it is appropriate to collect particular data from customers.

The survey found that 40% of APJ executives have sold customer data, although many cybersecurity pros aren't actually aware that this happened. How is this possible?

This is unfortunate, but unsurprising. The reality is that security professionals are not usually involved in business decisions regarding monetisation of company data. This is problematic, because excluding security professionals from these conversations could inadvertently expose a company to fines associated with data privacy laws across various jurisdictions.

Companies can deploy the latest and most advanced threat protection tools in their own organisation, but they can't always account for the security in other companies. Even if they avoid a fine, they risk denting consumer trust which can often cost them more in the long run.

What practical methods can organisations take to show consumers that they are trustworthy?

The first step is to ensure there is a culture of security that starts at the top and is embedded throughout the organisation. In recent years we've seen company executives stand up for customer privacy and bolster their reputations, and we've also seen enormous data breaches resulting in executives and companies being dragged through the mud.

Secondly, companies should look to build strong relationships with their customers that go beyond transactions of product or service. This can include touchpoints like informing them when strange account activity has been detected or sending reminders to update their passwords.

Finally, and perhaps most importantly, it's important for organisations to be transparent about how personal data is being utilised. Organisations can bank on this information eventually coming out. Don't risk customer trust by withholding information until after the fact.

What role should consumers take in helping organisations adopt better data privacy practices?

While the onus is rightly on organisations to ensure they are using customer data appropriately, there are some cues customers can use to evaluate whether an organisation has adopted best practices.

  • Are they using multi-factor authentication for that additional layer of protection against a brute force attack? Our study found that 85% of consumers in the region would choose a secure experience over convenience.
  • Is the website's security certificate up to date? Most browsers will automatically update you on this one.
  • Perhaps the best weapon in the customer's arsenal is their wallet. If an organisation is not transparent about how they use your data, or if you are not comfortable with it, take your business elsewhere.

I think consumers can vote with their wallets and give their business – and by extension their data – to companies that can prove they take information privacy seriously and are transparent about how data is used and shared.

Do consumers have a responsibility to understand and accept the common industry adage that it's not a matter of 'if' but 'when' a breach happens?

It's possible that diminishing consumer trust has been caused by an acceptance of this saying, but it needn't be the case. Almost every consumer will deal with a company that has been targeted by cybercriminals, whether it's their bank or their favourite social media platform. But those companies can work to ensure the information they store is secure.

Often this necessitates an industry-wide approach. A bank might be protected like Fort Knox, but as long as other banks remain vulnerable attackers will continue to target the sector – and they are an innovative bunch.

Is there anything else that you would like to add?

Enterprises need to embed security in their DNA. This involves authorising access to only those who need to use the data while deploying cybersecurity best practices, such as implementing a comprehensive and total identity and access management solution to protect data assets. These measures are essential for delivering a secure user experience and restoring consumers' trust in the organisation.