Four Steps To Customer Data Privacy

 

 

Personalization is key to delivering engaging experiences but recent high-profile privacy abuses have made customers wary of how companies are using their personal information. They are increasingly reluctant to provide their data and increasingly worried about what’s being shared without their knowledge. These attitudes are reflected in the diverse geographic, industry and corporate privacy regulations that you need to take seriously.

Follow these four steps to prove yourself a trustworthy partner to your customers and protect yourself from the penalties of regulatory violations.

CREATE A UNIFIED VIEW OF YOUR CUSTOMERS.

The first step toward protecting the privacy of customer data is to have it all in one place. This includes basic information such as name and email address, sensitive information such as credit card numbers, unstructured data like purchase history, as well as critical consent permissions. Migrating or synchronizing all of this into one secure customer profile gives you customer insights that enable consistent crosschannel personalization, and it makes it much easier to protect and control all of your customers’ critical data.

 

COLLECT AND ENFORCE CUSTOMER CONSENT.

Many regulations, such as CCPA and GDPR, have directives that require you to collect consent, with hefty fines for violations. That means collecting and storing attributes that indicate which applications customers have agreed to share their data with, particularly external partner apps. Develop user-friendly interfaces to allow customers to see who has access to their data and manage which attributes they’ve consented to share. Providing this type of insight and control—and faithfully enforcing it, not just collecting it—will reassure them that you’re being a good steward of their data.

 

ENFORCE FINE-GRAINED DATA ACCESS GOVERNANCE.

Beyond saying either “yes” or “no” to an application when it requests access to a customer profile, you also need to control access to specific attributes. For example, a thirdparty marketing service may need API access to customer names, email addresses and opt-in preferences, but not transaction history. Customers may also want to restrict sensitive attributes from being shared with certain partner apps. Fine-grained data governance will ensure that you can enforce customers’ consent decisions.

 

CREATE CENTRALIZED POLICIES.

Meeting privacy regulations is nearly impossible when you’re trying to enforce those rules on an app-by-app basis, especially when the regulatory environment is in a constant state of flux. Centralized policies allow you to apply the same data access governance rules to all applications, so you can more easily stay up to date with the latest regulations (and demands from your customers). Application teams can request data the same way they always have, but only receive data and attributes that are compliant with regulations and customer consent decisions.

 

It’s Time to Change the Cybersecurity Metaphors We Use

Source: Pat Muoio, Wall Street Journal

 

There’s a lot to be learned from the words we use to describe things. Cybersecurity is a case in point.

The prevailing metaphor people use when they talk about cybersecurity is that of attack— of cyberwar and cybercrime. It’s understandable, but such language aims our solutions outward at the attacker, with tools focused on things like perimeter defense, threat assessment and analysis of attack surface. In short, we focus on the bad guys.

Contrast that with the notion that cybersecurity is all about keeping an organization’s systems healthy. Now our attention is turned to internal monitoring, avoiding risky behaviors, closing down vulnerabilities—the open wounds that let bad things take hold. We examine ourselves.

This isn’t a semantic issue. The focus on the perimeter—or how the bad guys are getting in this time—forces organizations to fight back on the outsider’s terms. They end up chasing after new tools to prevent the attack du jour, without thinking how those new tools might interact with the cyber defenses they already have in place. In short, organizations give up the home-field advantage that comes from having detailed knowledge of their own systems and data.

Consider phishing, where hackers try to entice people to click on bogus links in emails with the aim of stealing user credentials. The success of phishing gave birth to cyber tools that let users know if links are safe to click. Yet phishing is just one of many ways hackers steal credentials—they also do it via password guessing, keystroke logging, even stealing the sticky note on which a password is written. Deploying separate tools to protect against each of those attack methods isn’t practical. Two-factor authentication, however, makes stolen credentials useless regardless of how they are obtained. This is a solution that addresses the correct operation of a system, not the specific type of attack itself.

Regardless of how a breach occurs, there is a very limited set of actions hackers can take to execute an attack once they gain entry. These actions enable the hacker to become privileged users on the system and to steal, encrypt or corrupt data, or to execute commands that can cause the system to break down. Detecting and neutralizing these universal actions is easier and more efficient than trying to detect every which way those actions might be combined or every trick hackers might use to evade detection.

All of this makes a compelling argument for talking about cybersecurity in terms of health rather than attack. This change of rhetoric will get organizations thinking about systemic solutions based on their understanding of the systems they create and run. Now the bad guys don’t dictate the terms of engagement.  They can use whatever techniques they want to disguise their approach because the approach doesn’t matter. If organizations can stop hackers from executing, they don’t have to stop them from getting in.

One big benefit of this way of thinking is that organizations can achieve full protection with fewer solutions. They don’t need to constantly assess the threat environment; that activity becomes the purview of security researchers, not a task that needs to be done by every organization trying to secure a system. An attack by Russia is neutralized the same way as an attack by an amateur hacker because when it comes down to executing, they have the same set of actions available to them.

This may not be as glamorous or dramatic as the idea of engaging in a mind-to-mind “war” with hackers, but it is much more effective.