When developing a security plan, most organizations turn their focus internally to protect business interests. That used to work because most people didn’t give cybersecurity a second thought — that is, until their personally identifiable information (PII) was affected. But that isn’t the case anymore.
With the increase in very large, high-profile data breaches and regulations such as the General Data Protection Regulation (GDPR), consumers now care about security and data privacy, and they want to make sure the companies they do business with are taking action to protect customers’ PII. According to a study from The Harris Poll and Dtex, Americans are demanding organizations do a better job at cybersecurity and protecting personal data. The challenge for organizations is to enact security policies and systems that meet enterprise objectives while also addressing consumer privacy concerns.
Digital Monitoring Is the Primary Concern
The security and data privacy issue that concerns Americans most is digital monitoring. The majority of consumers don’t mind that their PII is being digitally monitored — they understand this helps organizations streamline business operations — but they want transparency. In other words, they want to know what information is being used and why.
It isn’t just consumers that demand this transparency. More than three-quarters (77 percent) of those surveyed in the Harris Poll/Dtex report said they want their employers to be transparent about how employee information is monitored. Transparency is such an important issue that the vast majority of Americans (71 percent) would turn down an employment opportunity if the prospective employer was not upfront about digital monitoring.
Consumers and employees understand that monitoring of digital identities is often done in the name of improved cybersecurity — that this will protect them in the long run — and the security angle plays a role in their perception. But it stops with the workplace; consumers don’t want a Big Brother monitoring their personal devices, even when they are used in a business setting. They also worry about the amount of digital monitoring that occurs in social media, banking, government and even retail. Again, they don’t like being watched, but recognize that this will help organizations provide better security.
Still, most people don’t believe they can do anything about it. According to an ExpressVPN study, 89 percent of Americans think they should have some control over how companies, especially the big tech companies, share the PII they gather, but barely half (52 percent) believe that will happen in 2019. Even with the spotlight shining brightly on security and privacy, Americans simply don’t trust organizations to keep their personal data safe. Cybersecurity of personal data is taken out of their hands once they share the information. According to Harold Li, vice president of ExpressVPN, it shouldn’t be that way.
“Privacy is a fundamental right, and internet users should be in control of their personal data and how it should be used,” he asserted.
Develop a Security Plan That Works for Everyone
We know what consumers want when it comes to the protection of their digital identity. Now it is up to every organization to find a way to develop a security plan and put together a cybersecurity system that addresses consumer concerns while providing optimal business operations.
This begins with understanding why and how consumers’ PII is used for business, which requires internal security leadership to meet with other business units to understand how each uses and stores consumer and employee data. Marketing will use this information differently than human resources and accounting, for example, and providing the right security and data privacy solution can’t be a one-size-fits-all approach if data protection and transparency are the goals.
The growing number of privacy laws will also impact any security policy, and leadership has to go beyond the regulations already in effect. Security and privacy systems have to address more than just the GDPR and the California Consumer Privacy Act (CCPA), or newer laws in Colorado and Illinois. Instead, leadership must anticipate what is coming, possibly from a federal level, and recognize that how they handle privacy concerns today isn’t going to meet next year’s demands.
Security policy that deals with data privacy also needs to address the concerns of consumers. As Americans become more savvy about cybersecurity, they will expect organizations to put greater emphasis on protecting PII and to offer more transparency around digital identity monitoring. If your organization isn’t willing to meet consumer expectations, consumers will take their business to a company that will.
Finally, no organization can improve its security and privacy policies without improving internal behavior. More emphasis needs to be placed on data privacy training and transparency. Just as employees should receive education on how to identify a phishing email or avoid downloading malware, they should also be well-versed on what constitutes a violation of data privacy.
Consumers are more aware than ever about cybersecurity and its risks. They understand that they willingly turn over a lot of personal information, and now they want organizations to step up efforts to protect that data’s privacy. The onus to meet the challenge of consumers’ security and privacy expectations is on the enterprise. Developing a security plan around consumer concerns is a good first step.