How can brands rethink data security to maintain customer trust?
Since publishing this episode, we've rebranded to TELUS Digital.
On this episode, we discuss the connection between cybersecurity and digital customer experience — and how rethinking data security can help maintain customer trust. Listen for the compelling insights of Dr. Dave Chatterjee, associate professor, management information systems at the University of Georgia and Steve Jablonski, vice president of information security at TELUS Digital.
The threat landscape is changing and brands can't treat security as an afterthought. Cybersecurity experts are calling for businesses to incorporate security by design, a principle that builds security considerations into the very foundation of new products, services and processes.
This proactive approach can bolster defenses against data breaches and invasions of privacy, and as a result, plays an important role in maintaining customer trust.
Show notes
Tune in to Dr. Chatterjee's show, The Cybersecurity Readiness Podcast, for more conversations about cybersecurity.
Guests

Cybersecurity and technology thought leader and subject matter expert

Vice president of information security at TELUS Digital
Transcript
Robert Zirk: It's an email you never want to have to send to your customers.
Narrated email: ... been unauthorized access to company data, which may have included personal information...
Robert Zirk: IBM estimates the cost of a data breach averages nearly $3.9 million. And that's continually on the rise.
In addition, 21% of consumers stopped doing business altogether with companies that experienced a data breach, according to the 2022 Thales Consumer Digital Trust Index.
Annoyed customer: "I'll never shop there again."
Robert Zirk: Data breaches are top of mind for brands. Cyber attacks involving ransomware, phishing, denial of service or DoS attacks and other threats require organizations to be vigilant and proactive. And while there's a lot of complexity surrounding the world of cybersecurity, there's one guiding principle that can help ensure your company is on the right track. So today on Questions for now, we'll ask: how can brands rethink data security to maintain customer trust?
Welcome to Questions for now, a podcast from TELUS International where we ask today's big questions in digital customer experience. I'm Robert Zirk.
Cybersecurity is a real concern for businesses today. The cost of cyber crime, as forecast by Cybersecurity Ventures, is set to reach $8 trillion in 2023 and exceed $10 trillion by 2025. So what is the cause for this increase in cyber crime and how is the threat landscape changing for businesses?
Steve Jablonski: It used to be a couple years ago that the big concern was malware. That's morphed to now identity: your password, your username, your credentials, certificates that coordinate to VPN servers behind the scenes.
Robert Zirk: That's Steve Jablonski, vice president of information security at TELUS International.
Steve Jablonski: Now we need to be able to protect the identities of our own users as well as any other credentials that could be used to compromise our systems.
And so the threat actors have weaponized that data against us. So they're maybe trying to see if you're reusing a password you may have used three, four years ago. Maybe username, maybe other credentials, other important information to try to phish you into trying to get you to download a link, trying to get you to give up more credentials.
Robert Zirk: Credentials that can be used by threat actors to access and take customer data, strategic assets, and other confidential information without authorization. I also spoke with Dr. Dave Chatterjee. He's an associate professor in the department of management information systems at the University of Georgia, the author of Cybersecurity Readiness: A Holistic and High-Performance Approach, and the host of the Cybersecurity Readiness podcast series. Dr. Dave spoke to the wide range of cyber threats that brands face today.
Dr. Dave Chatterjee: We are talking about phishing attacks, ransomware attacks, attacks from insider sources, IoT attacks and then adversarial artificial intelligence attacks.
That means a brand's reputation can be tarnished if the customer data gets stolen and is used for carrying out fraudulent transactions for conducting ID theft, if let's say the website of an organization is defaced and fake information is plastered on it, or if the company name is being used for nefarious purposes without the knowledge of the company. There are all kinds of possibilities.
Robert Zirk: And as new technologies emerge and become more widely used, so too do the types of cybersecurity incidents that can occur. The latest example is artificial intelligence.
Dr. Dave Chatterjee: The other day, I had a speaker in my class who's an AI expert. It took him 15 seconds to record the voice of one of my students and then use the voice for all kinds of activities. And that's how vulnerable we have become.
Robert Zirk: Steve warned that threat actors could use generative AI to make phishing attempts highly targeted, right down to emulating the tone, grammar and style of a colleague.
Steve Jablonski: The data can be enriched with data that they're finding out on the dark web that's being sold and it can be done at scale. So it's no longer one-off types of situations. It can be automated much more quickly and almost in near real time, in a lot of cases.
Robert Zirk: The consequences of a cyber attack might not be entirely clear when a breach has been discovered, as additional risks branch out from immediate problems.
Steve Jablonski: There's the availability of systems are down, so I can't access the system, I can't go onto a website and purchase things, or trade stocks or do whatever I'm supposed to do. The system's down.
Then there's a loss of data and that could be, in a lot of cases, very important data and data is targeted because data has a lot of value to it now and that data loss has a lot of consequences. There are all sorts of different regulatory agencies that can ultimately present some type of fine or other type of financial penalty for the loss of data.
And then there's the customers there in general. The customers may not be happy with you. You may lose a customer. There may be legal consequences from the customers as well.
Robert Zirk: According to McKinsey & Company, 40% of consumers and 52% of B2B purchasers have stopped doing business with companies that didn't protect customer data. And Revision Legal notes that for large companies impacted by data breaches, the time between the breach and legal settlements can take between three to five years. Dr. Dave Chatterjee acknowledges that it can feel overwhelming considering the risks that are out there. But every small step that brands take toward improving their cybersecurity counts.
Dr. Dave Chatterjee: Security or cybersecurity is a moving target. You can do the very best and yet you cannot be certain that your brand will not be attacked. But that doesn't mean that you stop doing what is called due diligence, stop complying with the requirements specified by the regulators and so forth. So it's a constant battle that organizations have to face when they're trying to protect their interests.
Robert Zirk: And part of that due diligence involves ensuring your vendors are taking cybersecurity just as seriously. Steve noted the importance of understanding the entire scope of technology your organization uses and how third party providers manage the data you input.
Steve Jablonski: It's important that we ask the right questions, we look for the right certifications. We want to make sure that there's a certain level of compliance, but then there's also a level of security assurance that they have strong controls that are out there.
And I think it's important that we have that openness and trust and we know where our strengths are collectively across the board. The threat actors, they look across the whole entire supply chain to try to find wherever the weakest link is to try to extract value, do their cyber crime or do whatever they're going to do. And we need to make sure that everything across, understanding where all those nooks and crannies are, that's really a key important part.
Robert Zirk: It involves doing a thorough inventory of processes, procedures and technology for your organization and your vendors.
Steve Jablonski: So you first need to know what's out, what do you have, what are your assets, what's on your network. We need to extend that to who really are our suppliers?
Robert Zirk: And along the way you or your IT department might discover what's known as shadow IT, which is...
Steve Jablonski: The onboarding of IT products and services outside of the normal technology channels. So it's usually services or products that are purchased directly from someone outside of the technology organization and usually the technology organization is not aware of those purchases that have been made. If you don't know what's out there, you don't know to secure it and you don't know to support it as well.
Robert Zirk: Steve referenced the importance for IT to be efficient and agile to ensure there is more communication between departments and so that you're not rolling out features or solutions to customers without vetting them first.
Steve Jablonski: We want to think about what are the requirements that we need upfront? What are the security and compliance rules that we need to follow? But we also need to be able to work at the speed that business needs to work at. We all know that once you've started anything, whether you've started building an application, whether you've started building a house, change becomes expensive. Change becomes timely. It either requires more resources to work on stuff. It may require wholesale changes. Doing this upfront, being mindful and thoughtful about it upfront, allows us to hopefully anticipate any of the security challenges that we're gonna have further down the road.
It also allows us to think about, what are the compliance requirements that we need to have once we've gone live or we've gone into production so that we're not coming in after the fact and trying to claw back and take away certain functionality in the system that may have been really helpful and useful to the end customer upfront because it doesn't meet the security or compliance requirements that we have.
Robert Zirk: Needless to say, there are a lot of potential cyber threats and pitfalls to watch out for. Once you're aware of them and ready to rethink your brand cybersecurity process, what's the next step to take toward preventing cyber attacks?
Steve Jablonski: I'm gonna rehash sort of an old principle, which is security by design. We talk about this notion of shift left where you, when you develop code, you're developing secure code as part of the design process rather than being a bolt on once you've developed and deployed something.
Robert Zirk: But security by design extends beyond just code. It involves keeping security foundational to your organization and its processes.
Steve Jablonski: How can we enable the technology that we have? How can we train the people so that they're that human firewall, we continually train all of our team members, all of our customers, so that they're aware of these threats that are out there? And then how do we set up processes so that the security is built into it? So when we start thinking about whatever customer facing processes we have, or whether they're internal processes, we're bringing forth security principles into all three of those.
Robert Zirk: Dr. Dave Chatterjee sees security by design as a mindset that approaches security proactively at every step of development.
Dr. Dave Chatterjee: It's an approach of taking every possible measure to minimize the risk of being attacked and also minimize the consequences of attacks. Whether that means following a defense in depth approach where you use a mix of physical, technical, and other forms of controls to have layers of security that's going to be hard for the hackers to penetrate, to get to that desired asset. Or whether we are talking about the application of the least privilege principle where you, by default, the level or the extent of access provided to the users, is bare minimum. So even if I'm compromised, my extent of access of the systems is so minimum that the hackers can't do much by getting my credentials. That's kind of the thought process.
So then, if you prevent that by creating all kinds of network segmentation, maybe secure certain networks more robustly than others, there are ways of making it difficult for the hackers to penetrate multiple systems. So a lot of thought needs to go into securing the enterprise, securing the data that is being stored in the enterprise in the various systems.
Robert Zirk: This shift in mindset requires you to rethink how your organization operates to optimize security, as Steve mentions.
Steve Jablonski: It takes a lot more forethought of who you are, what you need to have access to, and we want to make sure that we're mindful about that so that people can do their work and they can do their jobs.
The older approach was, "Hey, let me give you access to everything on this drive." Now we're starting to think about what specific data do you need access to? What specific parts of what applications do you need access to? So it's getting into that kind of finer detail. Optimistically, the way that it works is if a threat actor compromises a network and they get in, they don't have access into anything they haven't been given the credentials to get into it.
Robert Zirk: This approach is a great start. But it's important to consider that rethinking your brand's data security is an ongoing process that has to evolve over time.
Steve Jablonski: If we think about what was in the medieval times, and even going back to the Romans, what was considered a secured fortress, a castle, or some other type of keep or something like that, we built these massive structures. We may have added new walls, new layers of security, physical layers of security, to combat the threats of the time, but then gunpowder comes along and gets pretty easy to punch through those walls so we had to think of different ways of providing defense at that point in time.
And we have to think about security the same way. There's a certain point where we just can't continue to layer controls on. That gets to be expensive and sometimes it's rendered ineffective by the threats that are out there. So it's important that we have to have the courage to rethink the way we do things sometimes, even though it may be scary.
Robert Zirk: And speaking of scary, what can happen when security by design isn't top of mind and you maintain the status quo? Dr. Dave shared the downsides of a reactive approach.
Dr. Dave Chatterjee: It's like, you know, checking the box of the compliance requirements at as minimum a cost as possible. And then taking the approach: "We'll deal with it if we were to get hacked."
And so when organizations got hacked and they didn't have a very good disaster recovery plan, everybody's trying to contact everybody, trying to figure out what's the next step, what should they be doing? And there are numerous such cases where this has happened.
Panic sets in. At one level they're trying to decide how to communicate with the investors, at another level they're trying to decide how to communicate with the victims. Then they're thinking, "What do we tell the media if it's a public company?" And then, of course, there's a court of law.
So they then have to fight many battles. And if they're not prepared for these kinds of scenarios, if they haven't rehearsed their recovery, they're in huge trouble.
Robert Zirk: So if you want to operate under the principle of security by design, but don't know where to begin, how do you get started?
Dr. Dave Chatterjee: It's never too late to get on the track of proactive cybersecurity. It's never too late.
Top management has to lead the way. They set the tone, they set the standards, they set the culture and they do it not just by talking about it - by actively engaging in the process. I have seen in many exemplar companies, senior leadership are part of the security strategy formulation team, security strategy implementation team, security performance review team. They find ways of staying plugged in so they are in the know of what the strengths are and what the vulnerabilities are at any given point in time.
Robert Zirk: It may require more effort and more investment, but a security by design approach can actually represent an opportunity for brands.
Dr. Dave Chatterjee: A guest on my podcast made a, I thought it was a very profound statement.
He said, “Dave, I wish more senior leaders would consider cyber threats as a strategic opportunity.” They should take it as a challenge to create capabilities, competencies which would allow them to reach out to potential customers and say, "Hey, if you keep your data with us, your data will be more secure because we care about security. Cybersecurity is one of our core competencies. It is integral to the mission of our company." Being very secure allows a company to promote their brand, to increase the customer base. So it's a win-win.
There is a myth out there that you can either have convenience or you can have security. You can't have both. Well, maybe at some point that was true, but today, if you have to be competitive, you have to provide both. You want to provide customers a very intuitive, easy to use kind of experience, but they also want to be assured that their privacy is not being compromised and their data is being protected.
So that's kind of the way organizations, the leadership needs to think about security. Security as a strategic opportunity.
Robert Zirk: Building security into the customer experience can also strengthen the trust customers have in your brand.
Dr. Dave Chatterjee: Customers are not only looking for the best quality products at the cheapest possible price, but they also want a very secure experience. They want to be able to trust the brand owners, the brand providers with their data. So to be able to create that trust, and at the same time offer a great user experience, are really the benefits of a proactive security by design approach.
Robert Zirk: So what are some tactics brands can employ to maintain good cyber hygiene? Steve mentioned that being conscious of how and where data is stored is important on a professional and personal level.
Steve Jablonski: Being a parent of teenagers, we've taught our kids be careful what you post online because you never know where it's going to go. You never know how long it's going to sit around for. And we have to have the same approach when we think about everyone. It needs to have that same care of you don't know where your data's going to be used and where it's going to end up. And how long it's going to persist for. There's a lot of data retention requirements that we have. We want to make sure that we retain things for a certain period of time, and in some cases, we don't know how long that data or information's going to be retained for online or how many lineages it goes through.
Robert Zirk: A brand's employees are its first line of defense - that human firewall, as Steve mentioned earlier. To expand on that, he shared some factors that everyone in your organization needs to be aware of.
Steve Jablonski: Oftentimes we're given employee credentials and we may use those credentials to go to third party websites. We're either downloading information from maybe a vendor or we're sharing that information maybe on insurance sites. Or other things that we use as part of our normal employee experience. We just need to be mindful about where our identity goes.
We also need to be, from a cyber hygiene standpoint, we need to be aware of where you're going online, what you're clicking into, what you're not clicking into. You need to be cognizant of what you share out, so what you're sending via email or other mechanisms outside the organization. These are all very important things.
In some cases, you get a message from your IT department, usually at the most inopportune time that says "Please update your system". I would strongly encourage everyone not to postpone those. There's a reason why those messages go out. So making sure that the systems are appropriately updated across the board.
Robert Zirk: Dr. Dave Chatterjee stressed the importance of making security a core part of your company culture, where it's the responsibility of everyone in the organization. And that extends to awareness and training, which needs to evolve beyond the annual mandatory cybersecurity training modules.
Dr. Dave Chatterjee: Those training modules are good. I've got nothing against them, but I think exemplar organizations need to go further than that. They must customize the training. It must be role-based. They must make training more immersive, gamified, and continuous. So don't try to train people at a point in time with a lot of information, and then they go away, they forget half the things they learned.
Robert Zirk: One simple way of gamifying it, as Dr. Dave suggests, is to make it bite-sized, like Nerdle or Wordle, where it's one single puzzle every day, and you have the incentive of trying to keep your winning streak alive.
Dr. Dave Chatterjee: How about taking a similar approach to enhance cybersecurity awareness in a fun way? Pose a question every day on an email that goes out to every organizational member, and when I say pose a question, it could be done in different ways, but get people thinking a little bit about cybersecurity.
And if you do that every day, one question at a time, over a period of time you'll find you have raised the organizational level of awareness without making a big deal out of it. And the training must be complemented by good assessment mechanisms so you can measure the effectiveness of the training.
Robert Zirk: When you're working out of a large office building, it's not uncommon to have fire drills several times a year so that everyone knows what they need to do and where they need to go in case of an emergency. Dr. Dave suggests organizations implement security drills to instill that same level of awareness and confidence.
Dr. Dave Chatterjee: How many organizations do real security drills, which are more than tabletop exercises? I realize that some of this might not be very practical, but my suggestion to organizations is do the best you can. Maybe do it unit wise, narrow the scope, but then still do something which closely simulates what could happen in reality when disaster strikes. So make it a real rehearsal, a real practice, as opposed to something which, yes, you, kind of, check the box. "We have tabletop exercises." But when you have to deal with it in a live situation, the organization really doesn't have the skillsets to deal with it. So to be able to create that muscle memory, the organizational competencies, you have to work on them over a period of time, little by little.
I like to use the analogy when, you know, I'm a big tennis fan and I love to see how professional players get trained. Every day they're hitting a hundred, 200, 300, 400 balls and they're developing muscle memory. They're serving 300, 400 serves every day. So there comes a time where they close their eyes and they can still serve, and the serves are good. It doesn't happen overnight, it takes time.
So therefore, organizations must look at cybersecurity as a long-term process. And that's why I emphasize the importance of trying to create and sustain a high performance information security culture.
Robert Zirk: Building muscle memory to respond to a threat is important, but preventing a threat in the first place can be even more beneficial. As cyber threats evolve, how can organizations stay one step ahead? Dr. Dave highlighted threat monitoring services which, in addition to being a proactive measure, can also help facilitate important documentation of potential and actual threats and vulnerabilities.
Dr. Dave Chatterjee: Let's say an organization has hired third party service providers who are monitoring the environment, sharing intelligence, threat intelligence, and alerting the organization of vulnerabilities that could be compromised.
When an organization receives such intelligence, what structures and processes are in place to promptly process the intelligence, log it and act on it? Even if the organization decides not to act on the intelligence, they must document the reason why they choose not to act on it. Such documentation of intelligence and the decisions taken based on the intelligence - there has to be a history. In the court of law, you should be able to show the judge and the jury that we gathered intelligence on a regular basis. This is where it's logged. This is the team that reviews it.
Robert Zirk: And it's crucial to identify critical assets and data and create regular backups to ensure a quicker recovery.
Dr. Dave Chatterjee: If security is breached, what can't you afford to lose? And then you start prioritizing. And once you have prioritized, then you decide what level of security you need to protect your assets.
Now that we know what we can't afford to lose, what have we done about it? How are we securing our data? For instance, let's say soon after this discussion, I find that my computer has been seized. I no longer have access to my files from my laptop or my desktop.
Will I start sweating? If the answer is yes, then I don't have a good cybersecurity defense in place. I should have backed up my data both offline and online and I should have tested the backup.
Robert Zirk: Although it may add an extra step to your processes, it's well worth the peace of mind.
Dr. Dave Chatterjee: You know how it is with the ransomware attacks. Even after you pay the ransom, there is no guarantee that you'll be able to recover all the files that they encrypted.
The average period of time it takes for a company to recover from a ransomware attack is 21 days. But if you're really prepared, you can recover within seven days or maybe pushing it, within three days.
That's a huge saving from an operational, from a revenue generation standpoint, from a cost saving standpoint. So that's how organizations, individuals have to think. Simplify it. You don't have to remember a hundred different controls. Ask yourself: what's most important to me? How have I secured it? Do I have a defense in depth strategy? If one particular server got compromised, do I have it somewhere else?
Robert Zirk: Preparedness is crucial to consider, not only in the context of ransomware attacks, but also in a broader approach to security and operations. Even with the strongest security processes and systems, data breaches can still occur. How do you address them when they happen? Steve says what matters most is how you react and engage with your customers.
Steve Jablonski: If we think about the notion of resiliency, whether that's cyber resiliency, whether that's operational resiliency, whether that's resiliency in our own personal lives. When something goes wrong, how do we react? And sometimes we can't react. We may be compromised, systems may be down, there may be outages or something out of our control. But how do we build in the appropriate redundancy and resiliency so that we can still continue to operate?
And as long as we know from the customers that the customers are aware of, "Hey, we know we're operating at this capacity, at this diminished capacity, but we're still operating and we're still functioning and we're still moving on."
Robert Zirk: And Dr. Dave Chatterjee agrees that action needs to take priority, underpinning sincere communication.
Dr. Dave Chatterjee: Take corrective measures first, then talk about it. Actions speak louder than words, so do the things that you should have already done.
I'm a huge fan of honesty, candor, transparency. Be upfront in your communications with the various stakeholders. State clearly what happened, why it happened, what were the lessons learned, what mistakes were made, could they have been avoided?
That should be the approach. But it has to be really genuine.
Robert Zirk: Steve noted that customer trust is something that can take years to build and only moments to lose.
Steve Jablonski: And trust, I think, we know is built on communication. That's the fundamental - that is, it's communication and it's action. So it's: how do we act and how do we communicate what we're going to be doing? So as long as everyone's aware of what is happening, what's going on, and what's the actions that we're taking? It's very important.
Robert Zirk: And while Steve notes that a lot of smart people within organizations and the broader cybersecurity community are always trying to stay ahead of future threats, sometimes there are incidents that they couldn't have anticipated. But amid those concerns, Steve sees hope for a future that's more cyber secure.
Steve Jablonski: There's a lot more accountability and care that we have, both in our personal lives and in our professional lives, about how we treat data. There's a lot of thought and a lot of dialogue, and I think people are starting to understand what their potential exposure is. What they've shared, and what they don't really need to share, out into the world.
The other thing that I'm really hopeful about is I think that there is a lot more security being thought about and built into everyday applications now. So that's something that we start to think about, and how can we get ahead of those threats? It's that increased conversation about vulnerabilities and weaknesses and trying to get around those.
Robert Zirk: And in conclusion, Dr. Dave reinforced the importance of planning and proactiveness when it comes to security.
Dr. Dave Chatterjee: I'm not here to paint a negative picture. I'm here to paint a realistic picture.
Try to be as prepared as possible and be very substantive in your security approach. Don't wait for a legislation to tell you what to do. Do it because it is the right thing to do. And I say this to the leaders of organizations large and small: don't treat security as a side function. Treat security as a core function. Treat security as a core capability. Treat security as a strategic opportunity.
Robert Zirk: Thank you so much to Dr. Dave Chatterjee and Steve Jablonski for joining me and sharing their insights today. And thank you for listening to Questions for now, a TELUS International podcast. For more, be sure to follow on your podcast player of choice. And until next time, that's all... for now.