How can your organization take the lead in creating cyber trust?
Despite well-publicized cybersecurity breaches, very few organizations are attempting to claim confidence in their cybersecurity as a way to restore consumer trust. This presents an opportunity for organizations to get ahead of others in their market by activating powerful cybersecurity principles and processes and engaging with customers and shareholders to build what we call “cyber trust.”
In the public eye, there is a gradual movement toward an acceptance that breaches will happen and, when they do, they may be catastrophic. But customers also increasingly expect organizations to do all they can to prevent breaches.
Trust has yet to be earned
Today, entire markets and economies simply have to assume that the overall level of cybersecurity provision between trading partners is sufficient. In the absence of nation- or sector-wide cybersecurity guarantees, there is no other way.
Younger consumers, who’ve grown up with online payments, smartphone apps and social media, seem to demonstrate an implicit trust in the security of the data they share or that organizations hold about them. This could be attributed to being more technically “savvy” or not having personally experienced any negative impact from cybersecurity breaches.
But generally people are increasingly wary of what could happen to their personal data – being surprised, for example, by media reports about smartphone apps and even battery life data tracking their movements or sharing information about them with third parties. Fears and concerns are also shared via social media.
Whether or not many of these suspicions or purported examples have any substance is, for future-focused organizations, immaterial. The fact is that cyber trust has yet to be earned. And if trust is damaged, it’s much harder to win back.
Mandatory disclosure and media reporting: the next frontier
In the US, a national bill is being proposed that would affect every organization that holds or handles an individual’s personal data.
Should that data – whether it’s a name and address, or biometric information – be compromised, the organization would have to report it to each affected individual within 72 hours of discovery and a nominated authority within 30 days. If the breach has affected more than 5,000 people within a single state, the organization would also be required to provide “notice to media reasonably calculated to reach them.” The organization may also be liable to pay damages of up to US$1m to every affected individual.
If passed, this law would not only have huge financial implications, but a massive impact on wider cybersecurity awareness too. The likely frequency of disclosures is difficult to guess – but cyber crime could very quickly become a daily news story, with potentially devastating effects on cyber trust.
Yet this is where organizations can change the debate.
The opportunity: cyber trust as brand equity
There is a clear approach to building cyber trust – and it can be acted on now.
- Proactively lead the discussion on cyber crime from the front
- Be open about the risks of a breach, but be clear about protocols for acting on it
- Use any potential or actual breach to demonstrate how well the organization is able to manage a crisis situation
Taking a lead on cybersecurity standards, and communicating them, could insure organizations against the damage to trust that underprepared organizations will suffer.
But there is a stage beyond this that is about not only making an organization better at cybersecurity, but also making it known – through every interaction with customers and stakeholders.
For example, where some banks currently send their customers a card reader to make online transactions more secure, a highly cyber-aware bank might instead deploy a new authentication mechanism. Theoretically, this could rely on a combination of biometrics and the unique volatile data on a customer’s smartphone.
This level of encryption would be much more difficult to break. While the exact algorithm of such an encryption key would never be revealed, the fact that the bank had introduced this technology first would make an obvious statement of how seriously it takes cybersecurity.
It’s about going beyond the expected norm and putting competitors in the shade.
Bring in the experts
Organizations should be bringing in cybersecurity experts, but they don't need to be apologetic about it – this is another opportunity to demonstrate how they’re setting and meeting their self-defined high standards.
They should be constantly vigilant though: passing full responsibility to a third party brings its own risks. Cybersecurity providers should be made to understand the business objectives and processes they need to protect.
Wider commercial opportunities
The internet of things is driving more consumer demand for smart connected devices and apps that use the data they generate.
Leading innovation by offering consumers something they want is one thing, but the next level is recognizing this functional desire – and also the expectation of security – to develop a suite of products that is inherently secure by design.
This may well result in products, services and technologies crossing over from one sector to another. For example, a smartphone chip manufacturer might recognize the opportunity to develop chips for secure, connected cars: the carmaker saves R&D costs and mitigates the risk of building their own solution and trying to make it secure and, for the chip manufacturer, a vast new market opens up.
To take another example, developing highly secure versions of proven or nascent technologies, such as smart thermostats, could be a clear commercial differentiator.
In both these examples, embedding cybersecurity at the component level is a potent way to build cyber trust and gain competitive advantage.
Claim the ground
Cybersecurity as a discipline is not approaching maturity. And it will never guarantee an organization’s protection: cyber threats are constantly evolving, and an organization’s cybersecurity approach needs constant review and evolution.
But by embedding cybersecurity front and center into both strategy and communications, organizations can claim the ground of cyber trust and win the loyalty of their customers.