For better or for worse: Why your brand reputation is hitched to your ability to manage and protect data

The potential benefits of technology to change and improve lives are clear for all to see. At an individual level, wearable devices can help better manage health, home sensors can reduce your energy use and costs, and analytics can hone services to meet your every need. At an organisational level, digital transformation can not only boost efficiency and productivity, but it can change the way that whole industries operate and allow organisations (including governments) to deliver new kinds of services for citizens and consumers.

Organisations, however, need to be conscious of the kind of impact they (and their use of technology) are having on all aspects of society. This can include public concerns about the environmental impact of energy use, the societal impact of jobs lost to automation, the economic impact of online retail over bricks and mortar, and even the personal impact of indiscriminate data collection and mismanagement.

Many organisations employ corporate social responsibility (CSR) programs in order to benefit society while also seeking to boost their own brands. By embarking on philanthropy or volunteering they are not only able to promote worthy agendas or causes, but are also able to gain positive brand association.

In recent years the main issues that CSR programs have focused on are issues such as climate change and diversity, but a new issue has emerged in recent months that has eclipsed all others in the minds of consumers … privacy. For software and technology companies, the link between data privacy and corporate responsibility is relatively straightforward. Even in non-tech industries, however, privacy has become a major issue.

No matter what industry you work in, more products are becoming connected. Mattel released a Wi-Fi-connected Hello Barbie in 2015 and researchers promptly uncovered several vulnerabilities that showed it could be hacked into a secret listening device. At the same time companies from all industries process and store both customer and employee data that must be kept secure. Not only have customer data breaches grabbed headlines, but regulations now mandate prompt disclosure of data protection failures and companies can be liable for massive fines – or even worse, they can be told that they are no longer allowed to process customer data. On top of this, the reputational damage of such an incident can be monumental.

For the very first time, industry analyst firm Gartner has listed digital ethics and data privacy as one of the top 10 tech trends for the year ahead. On top of this, research by FleishmanHillardFishburn has shown that the issues that consumers currently care most about are data security and privacy. It is these issues that consumers now want brands to be talking about, rather than their diversity or sustainability efforts.

For better or for worse…?

So how open should brands be about their CSR efforts in the good times – explaining their support for digital ethics and data privacy when things are going well – at the risk of a backlash in the bad times – when they invoke crisis management plans in the event of a data breach?

As Nick Andrews, senior partner and EMEA reputation lead, commented in the FleishmanHillardFishburn report: “In an increasingly hashtag driven world, though, do you support the movement and risk a backlash, or stay quiet and disappoint? Only companies with a clear sense of purpose, who use this as a yardstick against which to measure their actions, will demonstrate the consistency and clarity of view which people expect. For those that do, the rewards will be great.”

There are essentially three possible courses of action, with organisations falling into one of the following three groups:

Group 1: Business as usual, with no real emphasis on digital ethics and data privacy: 80% of UK consumers surveyed by FleishmanHillardFishburn have stopped using the products and services of a company because the company’s response to an issue does not support their personal views.

With digital ethics and data privacy topping the list of issues that consumers currently care most about, your brand is going to be at a competitive disadvantage to your Group 2 rivals that advocate strong support for digital ethics. And without making data privacy and security a strategic priority, you’re going to be more likely than Group 3 rivals to suffer a data breach and be impacted by the consequent reputational damage.

Group 2: Strong support for digital ethics and data privacy, without any real cultural change: If you aren’t genuinely committed to privacy, you’re going to be more likely than Group 3 rivals to suffer a data breach and be impacted by the consequent reputational damage. In addition, the reputational damage will be amplified as your claims of strong support for digital ethics and data privacy will be shown to have been inauthentic, and you risk being accused of ‘greenwashing’ or ‘astroturfing’.

Group 3: Wholehearted adoption of digital ethics and data privacy as a strategic priority: There is an expectation among consumers that companies will take these issues seriously and enact robust data privacy measures above and beyond the legal requirements. Realising this, Group 3 firms will see it as an imperative to act now and maintain strong leadership in this field, or else risk the consequences of consumer discontent. This is only possible if digital ethics and data privacy are made a strategic priority that leads to true cultural change throughout the company.

Let’s not forget that GDPR applies to any organisation handling the personal data of individuals in the EU, no matter where the company is located, meaning that even U.S. companies which process the personal data of individuals residing in the EU have to comply. And if regulatory compliance with the threat of massive fines were not motive enough, the fact that privacy is now the number one issue for customers across all sectors means that not aiming to be in Group 3 here is sheer folly.


Corporate data at greater risk in the cloud than thought, report warns


Keumars Afifi-Sabet

1 Nov, 2018

Organisations are putting too much faith in cloud service providers’ ability to keep data secure without applying their own controls, researchers claim.

Companies sustain on average 14 misconfigured infrastructure-as-a-service (IaaS) instances at any given time, leading to 2,269 misconfiguration incidents per month, according to a report released this week.

McAfee’s ‘Cloud Adoption & Risk’ paper highlighted several concerning facets of cloud security, including the fact that sensitive corporate and personal data held and shared in the cloud is rising in conjunction with the number of security incidents.

The report found that 21% of files held in the cloud contain sensitive data, up from 17% two years ago. Cloud threats, meanwhile, have risen in tandem: from 20.4 security incidents per month in 2016, to 24.5 in 2017, to 31.3 per month this year.

“As we all take advantage of the cloud, there’s one thing we can’t forget – our data,” the report said. “Even when using a SaaS service we are still responsible for the security of our data in the service and need to ensure it is only accessed appropriately.

“When using an IaaS/PaaS service, we additionally are responsible for the security of our workloads in the service and need to ensure that we are configuring the underlying application and infrastructure components appropriately.”

AWS leading the pack

The report pinpointed Amazon Web Services (AWS) S3 buckets as being culpable in the security gaps of many organisations, with an estimated 5.5% of all S3 buckets in use misconfigured to be publicly readable.

This chimes with findings published earlier this year that showed misconfigured S3 buckets play a significant role in 12,000 terabytes of publicly-exposed sensitive corporate data found online by researchers.

AWS “absolutely leads the pack” in terms of its popularity with organisations, playing host to 94% of all access events – although 78% of organisations use AWS in conjunction with Azure, typically as part of a multi-cloud strategy.

McAfee also stressed that the danger of misconfiguration ultimately comes down to the data it exposes: organisations that have deployed data loss prevention (DLP) policies record 1,527 DLP incidents per month on average.

Among the most common AWS misconfigurations seen are unrestricted outbound access in security groups, security groups that are defined but no longer attached to anything, and S3 buckets without default encryption turned on.
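The public-bucket and security-group misconfigurations named above are exactly the kind of thing the report's "routine audit" recommendation is meant to catch, and all of them can be checked mechanically from the relevant AWS API responses. The following is an added example written for this page; it is not code from McAfee, the report or the article. It runs offline over a constructed snapshot whose dictionaries mirror the fields returned by `get-bucket-acl`, `get-bucket-policy-status`, `get-bucket-encryption`, `describe-security-groups` and the `Groups[].GroupId` list on `describe-network-interfaces`; the bucket names, group IDs and findings are made up, and in a real run the same structures would be filled from boto3 calls. The two `acs.amazonaws.com` group URIs are the real ACL grantee identifiers for "everyone" and "any AWS account".

```python
"""Offline check for the AWS misconfigurations the McAfee report lists.

Added example (not from the report). SAMPLE_SNAPSHOT is constructed data
shaped like the AWS API responses named in the lead-in; no AWS call is made.
"""

# Real ACL grantee URIs: a READ grant to either one makes a bucket public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"
OPEN_EGRESS = "unrestricted outbound (all protocols to anywhere)"


def bucket_findings(bucket):
    """Return a list of finding strings for one S3 bucket snapshot."""
    findings = []
    # 1. Public read via ACL (get-bucket-acl Grants[]).
    for grant in bucket.get("acl_grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in (ALL_USERS, AUTH_USERS)
                and grant.get("Permission") in ("READ", "FULL_CONTROL")):
            findings.append("public-read ACL")
            break
    # 2. Public read via bucket policy (get-bucket-policy-status PolicyStatus.IsPublic).
    if bucket.get("policy_status", {}).get("IsPublic"):
        findings.append("public bucket policy")
    # 3. No default encryption: get-bucket-encryption returns no configuration
    #    (boto3 raises ServerSideEncryptionConfigurationNotFoundError); stored as None.
    if not bucket.get("encryption"):
        findings.append("default encryption disabled")
    return findings


def security_group_findings(groups, attached_group_ids):
    """groups: describe-security-groups SecurityGroups[]; attached_group_ids:
    set of GroupIds seen on any network interface. Returns {GroupId: [findings]}."""
    findings = {}
    for sg in groups:
        problems = []
        for perm in sg.get("IpPermissionsEgress", []):
            to_any_v4 = any(r.get("CidrIp") == ANY_IPV4 for r in perm.get("IpRanges", []))
            to_any_v6 = any(r.get("CidrIpv6") == ANY_IPV6 for r in perm.get("Ipv6Ranges", []))
            # IpProtocol "-1" is "all traffic"; combined with an any-address CIDR it
            # is the AWS default egress rule and means no outbound restriction at all.
            if perm.get("IpProtocol") == "-1" and (to_any_v4 or to_any_v6):
                problems.append(OPEN_EGRESS)
                break
        # The VPC default group cannot be deleted, so only flag non-default groups.
        if sg["GroupId"] not in attached_group_ids and sg.get("GroupName") != "default":
            problems.append("unused security group")
        if problems:
            findings[sg["GroupId"]] = problems
    return findings


# Constructed sample: three buckets and three security groups (not real resources).
_PRIVATE_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]
_AES = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}
_OPEN_EGRESS = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]
SAMPLE_SNAPSHOT = {
    "buckets": [
        {"name": "corp-public-assets", "policy_status": {"IsPublic": False}, "encryption": None,
         "acl_grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
        {"name": "corp-finance-exports", "policy_status": {"IsPublic": True}, "encryption": _AES,
         "acl_grants": _PRIVATE_ACL},
        {"name": "corp-backups", "policy_status": {"IsPublic": False}, "encryption": _AES,
         "acl_grants": _PRIVATE_ACL},
    ],
    "security_groups": [
        {"GroupId": "sg-0a1", "GroupName": "web", "IpPermissionsEgress": _OPEN_EGRESS},
        {"GroupId": "sg-0b2", "GroupName": "db", "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0c3", "GroupName": "legacy-batch", "IpPermissionsEgress": _OPEN_EGRESS},
    ],
    "attached_group_ids": {"sg-0a1", "sg-0b2"},
}


def audit(snapshot):
    """Map 'resource-type:name' to its findings; clean resources are omitted."""
    report = {}
    for bucket in snapshot["buckets"]:
        problems = bucket_findings(bucket)
        if problems:
            report["s3:" + bucket["name"]] = problems
    sg_report = security_group_findings(snapshot["security_groups"], snapshot["attached_group_ids"])
    report.update({"sg:" + gid: problems for gid, problems in sg_report.items()})
    return report


if __name__ == "__main__":
    for resource, problems in audit(SAMPLE_SNAPSHOT).items():
        print(f"{resource}: {'; '.join(problems)}")
```

On the sample, `corp-backups` and `sg-0b2` come back clean, while the other four resources are flagged; `sg-0c3` carries both findings because it has the default all-traffic egress rule and is attached to nothing. Running the same functions against live API output, on a schedule and again against the planned state in a CI pipeline, is what turns the report's "regularly audit" advice and Claranet's "catch mistakes before they hit production" into something enforceable.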

‘The perception gap is shocking’

McAfee’s report also highlighted a number of glaring perception gaps with cloud security, including a total lack of awareness over the number of cloud services that employees believe are in use in their organisation.

A previous survey published in April showed that the average response when asked how many cloud services are deployed across an organisation was 31. The security firm’s latest findings show the reality is 1,935, on average.

“The perception gap is shocking,” the report said, “meaning that 98% of cloud services are not known to IT – leading to obvious cloud risk.”

Asked whether they trust their cloud providers to keep data secure, 69% of respondents to the previous survey said they did, while 12% claimed the service provider bears sole responsibility for securing their data.

But “cloud security is a shared responsibility” according to McAfee’s report, “and no cloud provider delivers 100% security (including data loss prevention (DLP), access control, collaboration control, user behaviour analytics (UBA), etc.)”.

“It’s likely therefore that organisations are underestimating the risk they are entering by trusting cloud providers without applying their own set of controls,” it continued.

The insider threat

Steve Smith, senior site reliability engineer at IT management firm Claranet, said the concerns raised hinge less on the services themselves than on the people using them.

“The cloud security challenges highlighted in this report have little to do with the platform itself, but everything to do with the people using it and, in our experience, people are the biggest weakness here,” he said.

He added that the major cloud providers, such as AWS, ship with default settings intended to make configuration easier, but that it is easy to get things wrong without knowing how the platform works.

“We’ve seen many AWS configurations that end-user businesses have developed themselves or have worked with partners that don’t have the right experience, and, frankly, the configurations can be all over the place.

“A click of a button or slight configuration change can have a major impact on your security posture, so it’s important to get a firm grip of the access controls and have safeguards in place to catch mistakes before they hit the production environment.”

McAfee’s report revealed the majority of cloud security incidents – 14.8 of the 31.3 experienced on average per month – are insider threats. These may include straightforward but significant mistakes such as sharing a spreadsheet with sensitive personal data, or malicious activity such as a sales employee downloading a full contact list before leaving for a rival firm.

The research found that 94.3% of organisations experience at least one such incident per month, and that 58.2% experience at least one privileged-user threat per month, such as an administrator accessing data in an executive’s account.

Mitigating cloud risks

The security company issued three core recommendations as to how businesses and organisations can bolster their strategy, including routine audits, understanding where sensitive data is held, and locking down sharing.

Leading IaaS and PaaS platforms, such as AWS, Azure, and Google Cloud Platform, are a rapidly-growing alternative to on-prem infrastructure, the report said, and so need to be regularly audited to get ahead of misconfigurations before “they open a major hole” in an organisation’s security.

Some of the most sensitive data, meanwhile, is held on platforms such as Office 365 and Box. McAfee recommended in its report that organisations establish where their most sensitive data is held in order to reduce their exposure to risk, and that they extend DLP policies to cover it.

Controlling how data is shared, moreover, and implementing collaboration restrictions on documents can mitigate the risk of inadvertent exposure, such as a document whose share settings are set to “anyone with a link”, or a document sent to a personal email address.