Imagine that you have a bubble containing all of your personal information: your email address, date of birth, address, bank details, medical history, employment history and sexual preferences, plus every single email you’ve ever sent.
Now imagine that each time you sign up for a web-based service or purchase anything online, you duplicate all or part of that bubble and let someone else hold onto it. Let’s call them a bubble bank, or BB for short. You’d want your bubble to be looked after because if it popped its contents would end up all over the Internet and there would be nothing you could do about it. If your bubble popped while under the protection of a BB you’d be annoyed, right?
If you were a BB, you’d therefore do your best to protect your customers’ bubbles because you’d know that if it were the other way round you’d want the same treatment.
So why are organisations still doing so little about their information security? They know the risks from a customer perspective – after all, it’s perfectly reasonable to believe that the people responsible for organisations’ information security entrust their own personal data to other organisations and expect it to remain safe.
The board know, but how much do they know?
PwC’s 2015 Information Security Breaches Survey found that 14% of respondents have never briefed their boards on security risks. While that number would ideally be 0%, 14% is nevertheless encouragingly low.
It’s clear, then, that the vast majority of boards know the risks, so why don’t they act? Haven’t the risks been presented well enough? Have the boards decided not to do enough about the risks? We don’t know. What we do know is that 90% of large and 74% of small organisations had a security breach in the last year.
That’s a lot of bubbles popping.
To the person(s) making the wrong decision
If you hold a person’s information, whether they’re your employee or customer, then it’s your legal and moral obligation to protect it.
An example I like to use is the AdultFriendFinder data breach. The organisation didn’t do enough to keep its data where it belonged and its millions of customers had very sensitive personal information posted on the Internet. Given the nature of the website, the exposure of this data will most likely cause severe stress for those affected.
As a CEO, CIO, CISO, CFO or other C-suite executive – how would you feel if your sexual preferences and intimate details were shared with all of your colleagues, friends and family? Not great, I’d expect, but it happens.
As a CEO, CIO, CISO, CFO or other C-suite executive – how comfortable would you feel about hundreds of thousands of criminals having access to your bank details? Not great, I’d expect, but it happens.
As a CEO, CIO, CISO, CFO or other C-suite executive – how would it affect your life if your identity was stolen and your credit score plummeted? Not great, I’d expect, but, hey, guess what? It happens.
Your customers keep your business afloat and you owe it to them to prove that they can trust you with their information. If you don’t, then you have zero right to expect the same elsewhere.
Start protecting your customers’ data. Download the green paper below to discover what you need to do to get started.