![Default self created cybersecurity insiders image low res](https://www.cybersecurity-insiders.com/wp-content/uploads/Default-self-created-cybersecurity-insiders-image-low-res-696x397.jpg)
This post was originally published here by Casey Pechan.
With all the big breaches in the news last year and GDPR right around the corner, data privacy has maybe never had as much attention from the public as it has right now. Everyone is quite obviously concerned about their own privacy, but it's a little bit harder to care about someone else's privacy. Just as it's a little bit harder to care about someone else's anything.
So the question is, are these breaches also making employees across your company more aware and concerned about customer privacy? Truth is, your internal culture around data privacy should already be so strong that neither your employees nor your customers have the choice of whether or not to care. But that isn't always the case.
So if your data privacy culture does need a quick check-up, consider the following:
Is the information you're collecting about a human being?
Then it should be protected! Their name, their email address, their hair color, their social security number, their credit card, it doesn't matter. When someone tells you something about themselves, you can never be too cavalier about how you treat that data. Not once has anyone provided information to a company while thinking, "Please share this with everyone in the world. I'd love that!"
How does your technology interact with that info?
When Amazon's Alexa is in a room, it listens to everything said in that room. It couldn't fully function otherwise. That wouldn't be a big deal if Alexa was just a fancy Roomba that talked while it vacuumed. But Alexa is much more than a vacuum (while also being much less, in that it is incapable of helping with household chores). Over time, people inadvertently tell their Alexa speaker virtually everything about themselves. That means Amazon has stringent rules and protections in place to ensure their data can't be exploited.
It's highly unlikely your product installs a cloud microphone directly in customers' living rooms. But what does it touch? You probably don't leave full credit card numbers lying around in plain text (if you do, please get on fixing that), but are you collecting any information you haven't yet fully thought through protecting, like say, having a phone app that reports on a customer's location and that could be used to reconstruct their daily travel? Anything you know about a customer's personal life should be locked up.
What are you doing about it?
Maybe your servers are carefully scanned and monitored, and you're confident that no attacker will ever have the chance to get through. Great! Now consider that virtually every company has some sort of admin panel where customer accounts and information can be accessed. (This is understandably necessary in order to provide basic services to customers.) Who has access to this panel? Why do they need it? Are there different levels of access so that a tech support agent sees a different view than a member of the office staff and a tech support manager sees a different view than both of them?
What specific steps are you taking to secure customer information internally? The more touch points there are to customer data, the easier it is for an attacker to find their way in to grab that data.
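One concrete way to give each admin-panel role its own view of a customer record, and to keep a record of who looked at what, is a per-role field allowlist with masking for the most sensitive fields. The following is an added example written for this post, not code from the original article or from any product it mentions; the role names, field names, masking rule and the sample customer record are all constructed assumptions.

```python
"""Field-level access control for an internal customer admin panel.

Added example (not from the original post): each role sees only the
customer fields its job needs, a card number is shown masked even to
roles allowed to see it, and every lookup is appended to an audit log
so access to customer data can be reviewed later. Role names, field
names and the sample record are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample customer record (every value is fictional).
CUSTOMER = {
    "id": 1042,
    "name": "Ada Example",
    "email": "ada@example.test",
    "phone": "+1-555-0100",
    "card_number": "4111111111111111",
    "last_location": "47.61,-122.33",
    "support_notes": "Asked about invoice #77",
}

# Fields each role may see. Anything not listed is withheld entirely;
# note that no panel role is given the customer's location at all.
ROLE_FIELDS = {
    "support_agent": {"id", "name", "email", "support_notes"},
    "support_manager": {"id", "name", "email", "phone", "support_notes", "card_number"},
    "office_staff": {"id", "name"},
}

# Fields shown only in masked form, even to roles that may see them.
MASKED_FIELDS = {"card_number"}

# In-memory audit trail; a real panel would write this to a log store.
AUDIT_LOG: list = []


def mask(value: str) -> str:
    """Keep only the last four characters of a sensitive value."""
    return "*" * (len(value) - 4) + value[-4:]


def view_customer(record: dict, role: str, actor: str) -> dict:
    """Return the subset of `record` that `role` is allowed to see and log the access."""
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        # Unknown roles get nothing rather than a default view.
        raise PermissionError(f"unknown role: {role}")
    view = {}
    for name, value in record.items():
        if name not in allowed:
            continue
        view[name] = mask(value) if name in MASKED_FIELDS else value
    AUDIT_LOG.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "role": role,
        "customer_id": record["id"],
        "fields": sorted(view),
    })
    return view


def accesses_by_actor() -> dict:
    """Summarise the audit log: actor -> number of customer lookups."""
    counts = defaultdict(int)
    for entry in AUDIT_LOG:
        counts[entry["actor"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for role, actor in (("support_agent", "alice"), ("support_manager", "bob"), ("office_staff", "carol")):
        print(role, "->", view_customer(CUSTOMER, role, actor))
    print("lookups per actor:", accesses_by_actor())
```

The allowlist is deliberately the only way a field reaches the screen: adding a new column to the customer table exposes nothing until someone decides which roles need it, which is the review step the post is asking for. The audit log is what lets you answer "who has access to this panel" with evidence rather than a guess.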
Do all employees understand how important this is?
How enthusiastic is the company about privacy across the board? Do departments like marketing understand and even enthusiastically embrace implementing new consumer standards like GDPR?
What is the step-by-step process employees take when they encounter or suspect a breach? Are they actually empowered to do anything at all? Any employee who notices a potential data privacy issue or breach should be able to report this (whether it's via email or Jira or some other method) to a department that can review and potentially take action with that info. Requiring an employee to go through a manager or other gatekeeper brings an added layer of potential inaction.
If there is a process, is it part of training? Do managers discuss it with employees on a regular basis? If you don't keep it front of mind for employees, then they'll keep other things front of mind instead.
How are you helping customers?
Customers quite obviously want to protect their own privacy, but are almost always going to take the path of least resistance when registering for an account or making a purchase. No one ever wants to jump through hoops to do anything.
Do you give customers a choice as to whether or not they want to activate two-factor authentication? Do you force customers to create strong, but also memorable passwords (like random word passphrases)?
Do you limit the number of login attempts over a set period of time? If a customer's account is breached by brute force because their password wasn't very strong, you are still to blame.
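The login-attempt limit the paragraph asks about is a small piece of code, but the ordering matters: the throttle has to be consulted before the password is ever checked, and a lockout has to apply even when the next guess happens to be right. The following is an added example written for this post, not code from the original article; the limits, the single stored user, the hashing parameters and the injectable clock are all illustrative assumptions, and the counters live in memory where a real service would keep them in a shared store.

```python
"""Limiting failed login attempts per account over a sliding time window.

Added example, not code from the original post. The user store, the
limits (3 failures per 15 minutes here) and the PBKDF2 parameters are
constructed assumptions; the clock is injectable so the behaviour can
be reproduced without waiting.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a stored key from a password (parameters are illustrative)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, derived key). One fictional user.
_SALT = os.urandom(16)
USERS = {"ada": (_SALT, hash_password("correct horse battery staple", _SALT))}


class LoginThrottle:
    """Counts failed logins per username inside a sliding window."""

    def __init__(self, max_failures=3, window_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock
        self._failures = defaultdict(deque)  # username -> timestamps of failures

    def _recent(self, username):
        """Drop failures older than the window and return the remaining ones."""
        now = self.clock()
        q = self._failures[username]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def is_locked(self, username) -> bool:
        return len(self._recent(username)) >= self.max_failures

    def record_failure(self, username):
        self._failures[username].append(self.clock())

    def record_success(self, username):
        # A successful login clears the account's failure history.
        self._failures.pop(username, None)


def attempt_login(throttle, users, username, password) -> str:
    """Return 'locked', 'bad_credentials' or 'ok'."""
    # Consult the throttle first: while an account is locked the password
    # is never examined, so a correct guess during the lockout is refused too.
    if throttle.is_locked(username):
        return "locked"
    entry = users.get(username)
    if entry is None:
        # Count unknown usernames as failures as well, so lockout behaviour
        # does not reveal which accounts exist.
        throttle.record_failure(username)
        return "bad_credentials"
    salt, expected = entry
    if not hmac.compare_digest(hash_password(password, salt), expected):
        throttle.record_failure(username)
        return "bad_credentials"
    throttle.record_success(username)
    return "ok"


if __name__ == "__main__":
    throttle = LoginThrottle(max_failures=3, window_seconds=60)
    for guess in ("password", "letmein", "123456"):
        print(guess, "->", attempt_login(throttle, USERS, "ada", guess))
    print("correct passphrase ->", attempt_login(throttle, USERS, "ada", "correct horse battery staple"))
```

Two design points worth noting: the check is per account rather than per source address, so spreading guesses across many clients does not reset the count, and the failure counter is cleared only on success, so an account that is being guessed against stays protected until the window has passed. Whatever limits you pick, the message to the customer on lockout should be the same as for a wrong password, so the response itself does not leak whether an account exists.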
Respecting each other's privacy is a basic life skill we learned in kindergarten. Everyone and every company is responsible for protecting each other. Make sure you and yours are safe and secure.