June 19, 2019 (updated 18 Jul 2019 8:29am)

Businesses have woken up to privacy, but how should they maintain consumer trust?

By Ian Woolley

We’re in an ever-evolving digital age, powered by data. As consumers become more connected through surfing the internet and IoT devices such as smart TVs, the landscape will only become more complicated for businesses to navigate when it comes to security.

In this new digital age, data has emerged as a new asset – not only for organisations but also for cyber criminals – especially given the large volumes of it now available. This is why it’s critical for businesses to take responsibility for protecting data, as hackers are going to new lengths to retrieve it. That is no surprise considering its monetary value. According to research by technology website Top10VPN, hackers can make up to £279.74 from just one PayPal log-in.

As a direct result of the General Data Protection Regulation (GDPR) being enforced from May 2018, data indicates responsibility, and with responsibility comes trust. We’re therefore seeing a lot of brands placing trust front and centre of campaigns and customer communication.

For years, Facebook’s CEO Mark Zuckerberg preached the value of people sharing more and more information online, with the mission of building what he often called a “more open and connected world”. He even went as far as to unveil plans to reposition Facebook as a “privacy-focused” platform. However, it’s not just Facebook. Earlier this month, Apple announced new privacy-focused features at its annual Worldwide Developer Conference and, before this, debuted a new commercial which positioned its iPhone as a more privacy-conscious option than the competition – highlighting the phrase “Privacy. That’s iPhone”.

But what’s clear from the latest headlines around high-profile data breaches is that trust is repeatedly being abused when it comes to privacy. Only recently, Tanium’s Global Resilience Gap study revealed that 81% of CIOs and CISOs are delaying the adoption of important security updates or patches to ensure uninterrupted growth.

The majority of companies are putting trust front and centre of their brands. Yet, with more and more touch points being formed in this digital era, there’s going to be even more scrutiny on brands to make the right moves when it comes to security, given there will be more scope for potential leaks. Businesses must enforce impenetrable security measures. So, what actions must they take to maintain consumer trust?

Businesses must protect their websites

Third-party technologies such as advertisements, analytics, trackers and social media buttons provide great functionality, interaction and even revenue-generating opportunities. But, they can also create security risks if businesses do not have the correct website security measures in place.

Despite being a highly-valued entry point for customer interaction and a repository for a wealth of personal and financial customer data, the front end – or the client-side – is considered the most vulnerable part of a website. Statista shows an estimated 1.8 billion people worldwide purchased goods online in 2018. It’s not uncommon that a website is one of the main touch points between businesses and consumers – which is why it is often targeted by hackers looking to steal valuable customer data.

These are referred to as client-side attacks, which occur when a user downloads malicious content. For example, we’ve seen a rise in JavaScript-based cryptojacking (e.g. in the breach of government websites) and in formjacking attacks (as we saw in the case of the Ticketmaster breaches).

Businesses can no longer overlook or dismiss the potential vulnerabilities on their websites. The time to secure their websites and, in turn, customer data is now.

Firstly, organisations should scan and monitor their websites to see which third-party JavaScript is operating on the site, where it’s being loaded from and what pages these scripts are on. Only then can they whitelist and enforce which third parties and which scripts are allowed to operate on their website.

There are some simple solutions that can help initially, yet they are not fully effective against attacks in a rapidly evolving threat landscape. A Content Security Policy (CSP) can help prevent cross-site scripting (XSS), clickjacking and other code injection attacks. However, there are still gaps in its capabilities and it can often mean a trade-off between website security and functionality.
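The inventory, whitelist and CSP steps described above can be sketched as follows. This is an added example, not code from the article or any vendor; the page URLs, vendor hosts and function names are constructed for illustration.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample input: hypothetical pages and vendor hosts, not from the article.
PAGES = {
    "https://shop.example/": '<script src="/js/app.js"></script>'
        '<script src="https://cdn.analytics.example/a.js"></script><script>init()</script>',
    "https://shop.example/checkout": '<script src="//cdn.analytics.example/a.js"></script>'
        '<script src="https://pay.vendor.example/sdk.js"></script>'
        '<script src="https://widgets.unknown.example/chat.js"></script>',
}
ALLOWED = {"https://cdn.analytics.example", "https://pay.vendor.example"}

class ScriptTags(HTMLParser):
    """Collects external script URLs and counts inline <script> blocks."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline = [], 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self.inline += 1

def origin(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()

def inventory(pages):
    """Map each third-party script origin to the pages that load it."""
    by_origin, inline_pages = defaultdict(set), []
    for page_url, html in pages.items():
        parser = ScriptTags()
        parser.feed(html)
        if parser.inline:
            inline_pages.append(page_url)  # would break under a CSP without 'unsafe-inline'
        for src in parser.srcs:
            o = origin(urljoin(page_url, src))  # resolves relative and //host URLs
            if o != origin(page_url):
                by_origin[o].add(page_url)
    return {o: sorted(p) for o, p in by_origin.items()}, sorted(inline_pages)

def unapproved(by_origin, allowed):
    """Origins seen on the site that are not on the whitelist."""
    return {o: p for o, p in by_origin.items() if o not in allowed}

def build_csp(allowed):
    """script-src directive enforcing the whitelist."""
    return "script-src " + " ".join(["'self'"] + sorted(allowed))
```

Parsing served HTML only sees scripts present in the markup; scripts injected at runtime by other scripts need browser-side monitoring to appear in the inventory.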

In light of the heightened risks associated with website data breaches, consistent monitoring of a website’s security is critical. Organisations must therefore implement a website security solution that prevents data leakage through third-party technology control and management, and that enables whitelisting of the trusted web vendors accessing data on their website.

Data governance is just as integral

In addition to protecting their websites, companies must ensure robust data governance. This means managing the availability, usability, integrity and security of data used in any enterprise while abiding by a set of procedures, such as GDPR. Any website that collects and processes data must comply with the rules set out by GDPR, or risk losing the customer base it has built. For example, this means effectively storing and managing customers’ data so it can be easily found should a customer request it.

Constant and vigorous data governance is a key requirement – brands that aren’t transparent and neglect to put the right processes, technology and people in place will pay the price. Being on the right side of the law and maintaining customer trust is crucial.

Businesses must make the right security decisions; otherwise, they risk harming consumer trust. They must bear in mind that a single breach can have a devastating impact. A study conducted on behalf of payment security firm PCI Pal found that 41% of UK consumers will never return to a brand or a business following a security breach.

To sum it up, a proactive and transparent data security strategy is not optional in our new data economy – it is imperative.
