Your customers may not tell you, but they’re moving their business to companies they trust with their private information.
That’s the conclusion of two recent studies on consumer responses to recent data breaches. A TrustE survey reports, “89 percent of consumers … said that they avoided doing business with companies they do not believe protect their privacy online.” Forrester Research [1] agrees: “A significant group of ConsumerVoices MROC members say they will disengage with a company entirely if their privacy is violated — and some have already begun to do so.”
Even Google, notoriously resistant to changes in its search algorithms, is trying to help. The giant search firm is now altering the rank of search results based on Google’s assessment of website security factors, starting with site encryption, hoping to make the web safer for consumers.
Consumers can’t help being concerned about security. Nothing focuses the mind like a couple of billion username/password combinations being stolen, as in August’s CyberVor breach. That comes on the heels of the vast Heartbleed bug of April 2014, revelations about NSA snooping and the steady cadence of widespread breach disclosures at shopping and financial sites since late 2013.
As in any panic, some of the responses are more valid than others. David Kidd, QA and compliance director at Peak 10, says, “While small business professionals are completely justified in investigating their partners’ security practices, some concerns are less realistic. Like: what are hosting companies doing to protect customers from the NSA? Believe me, if the NSA wants the data, they are going to get it. But it’s an indication of genuine anxiety.”
Kidd points out that the relationship between security and privacy remains unclear for many enterprises. “Privacy means that I own certain information – it is precious to me. If I share it with another person or company, I expect them to handle it right – that’s security. It’s a matter of trust between the individual, the company, and the company’s business partners.”
Misinformation does not equal apathy, however. The Forrester Research report observes, “Even individuals who’ve educated themselves are confused about many of the practices within the consumer data ecosystem. But treating that misinformation as apathy would be a mistake; consumers want trustworthiness from the businesses they interact with.”
What should the savvy enterprise do? Customer loss is a straightforward financial concern. Less measurable but equally important is eroding company reputation that leads to fewer new customers. And there’s the simple ethical desire to do the right thing for customers who trust their information to you.
The answer is a combination of steps behind the scenes and actions in public.
First, focus your internal structures on security and privacy. “Smaller companies have recognized the need for centralized security and privacy oversight,” says David Kidd. Leaving security to departmental silos is a prescription for inefficiency and mistakes. The title of “security officer” – even as one role within an individual’s portfolio of duties – ensures that cross-functional issues get addressed at the company level.
Internal errors have a huge potential to cause you grief. Human error accounts for 30% of data breach incidents in a global study by the Ponemon Institute. “One of the largest hidden risks is simply that people can mess up,” says Chris Monroe, a solutions engineer at Peak 10. Malicious outsiders can do enormous damage, but often it’s the carelessly unlocked door that gives them access in the first place.
Second, work with partners you can trust. In our connected world, there’s a long chain of trust that begins when an individual offers you private data. “Customers entrust our clients with their private information,” says David Kidd. “In turn, our clients rely on us to keep it secure to the very best of our ability. It’s our duty to support our clients with reasonable and appropriate security measures in every service we provide for them.”
If your enterprise is subject to regulation, such as the HIPAA privacy rule, there are stringent guidelines both for private information and for systems security that you are obliged to follow. Your IT partners – and indeed all partners privy to this data – need to be expert in the compliance regulations that apply to you. “You have done your due diligence,” says Kidd, “by selecting a cloud, hosting or colocation provider who will do everything possible to keep your systems and data secure.”
Third, talk about it. Once you have your act together, make sure your customers know that you’re on their side. This is the time to build – or rebuild – trust. Blog about it, create targeted customer emails and give security information to your call center employees. Reassure and educate. Clear up misconceptions and suggest ways for your customers to succeed.
When you speak in public, speak judiciously, since bragging publicly about your security measures might invite adventurous hackers to challenge what you’ve done. But don’t hide all of the work you’ve done to inspire customer confidence.
At the same time, make partners and regulators aware of your concerns. Become a voice for customers in the larger world, and you achieve two things. First, you become a trusted ally to your customers; that’s good for business. Second, you create change in your corner of the world; that’s just plain good.
Your customers live in a scary world. Three-quarters of them are more worried now than they were just a year ago, according to the TrustE survey. That’s not going away in the near future. However, with the right organizational focus, trustworthy partners and the right public messages, you can help them feel confident doing business with you.
[1] Evolving Consumer Attitudes On Privacy, Forrester Research, Inc., July 28, 2014 (access for subscribers only).