By Gary Cheetham, Chief Information Security and Data Protection Officer at Content Guru
We are currently in the midst of a data explosion, and the amount of data being created is continuing to grow at a rapid rate. As a result, it is more important than ever before that all data is managed, stored and secured correctly. Data Privacy Day, held annually on the 28th of January, provides the perfect opportunity to reflect on how to best achieve effective data security protocols and the steps that can be taken to ensure data is secure.
Gary Cheetham, Chief Information Security and Data Protection Officer at Contact Centre as a Service (CCaaS) provider Content Guru, spoke to Technology Dispatch about the challenges that are being faced as brands leverage customer data to improve experiences, and why gaining and maintaining trust is critical: once trust is lost, it takes a long time to regain, if that is possible at all.
TD: With customers increasingly demanding data-informed personalisation, how can businesses ensure that data is kept safe?
GC: To deliver seamless experiences in today’s connected world, businesses must store a huge amount of customer data. When used appropriately, data can unlock the potential of personalised experiences for customers, which is now a key differentiator between brands. Businesses can also leverage data to help create an engaging and productive work environment for employees through tailored communication, feedback, and recognition. With a huge amount of data at stake, businesses must protect their employees, customers, and assets from cybercrime to keep trust high and the risk of data breaches minimised.
As we move towards increasingly personalised, data-driven environments, the amount of data collected will increase exponentially. The total volume of global data stored is predicted to exceed 200 zettabytes by 2025—that’s two hundred billion terabytes—with over half stored in the cloud. As a CCaaS provider, Content Guru sees it as an imperative that all data stored or in transit is safe at all times, for the security of our customers and employees. The more data there is to store, the harder it will be to keep that data safe from attacks, so cybersecurity systems and processes need to keep up with the demand.
TD: How can businesses protect themselves from data loss, phishing attempts, and malware?
GC: The average cost of a data breach, globally, is approximately £3.8 million. More importantly, breaches can shatter consumer trust and eradicate long-standing business reputations. It is essential that businesses implement robust security measures to protect this data from unauthorised access. Businesses can begin by taking simple cybersecurity measures: multi-factor authentication for all staff log-ins, and role-based access to ensure that only authorised staff, such as C-suite members, can access secure business assets. These methods add another level of security to help prevent data leaks and cyber-attacks. Basic cyber hygiene is frequently overlooked but is an essential component of good security, and a lack of it has been the cause of recent security vulnerabilities.
It is essential for any business to stay up to date on the latest security threats and implement measures to protect against them. Vulnerability assessments and penetration tests to identify potential security vulnerabilities, such as weak passwords, unpatched software and inadequate cybersecurity features, are major exercises that should be scheduled on a regular basis, particularly after significant system upgrades or a change in the security theatre. Once identified, these problems should be resolved immediately before an attack has the chance to take place.
TD: What role do employees play in keeping a business secure?
GC: Employees play a huge role in data security. Over 80% of security breaches involve some kind of human error and the UK Information Commissioner believes that employee complacency is the “biggest cyber risk businesses face”. Failing to provide adequate cybersecurity training for staff could lead to problems later down the line, along with huge fines. Training should be provided during on-boarding procedures, which each employee should repeat annually.
The most effective cybersecurity policies encourage the backing and support of the whole organisation as a team—after all, it is everyone’s responsibility to maintain the security of the business. As part of the induction process, I tell participants that I have the largest team in the organisation as they are all members of my team! A fun way to introduce cybersecurity safety into the workplace is through the use of incentives, which could motivate otherwise reluctant members of the team to participate in bolstering the cybersecurity of the business.
Different types of cyber threats can reveal weaknesses in different areas of a team. Phishing attempts, usually sent by email, were the most common threat last year: 83% of all UK businesses who saw a cyber-attack identified it as a ‘phishing’ attempt. Staff should be kept up to date on any changes to policy, and can be sent mock phishing emails to test their ability to identify and report cybersecurity threats.
TD: Are some employees more at risk than others? What procedures should be in place for them?
GC: Employees working remotely are more at risk of cybersecurity breaches. Insecure home environments, poorer physical security and outdated security software all contribute towards an increased risk of a data breach. Staff living with family or in shared housing are further at risk, especially if their work-from-home setup allows other members of their house to see sensitive data left on their screen. Devices must be locked when unattended and device use should follow any company usage policies.
Remote working staff should be given additional opportunities for cybersecurity training and can have additional measures put in place to protect their online safety. This includes a business remote-access virtual private network (VPN) to help protect them from unsecured home or public Wi-Fi, providing an encrypted link between the office and their hybrid workspaces.
TD: If the worst was to happen, how should businesses respond to IT attacks and data loss?
GC: The average time it takes to identify a data breach is 212 days. That is 212 days that criminals have potential access to your business’s private information, such as customer payment methods, financial information, staff information, and private company materials. It is important to have incident response plans in place to quickly and effectively answer any security breach to both customers and regulatory bodies (if required). This includes having a designated incident response team, regular training for employees on how to respond to security incidents, and clear communication protocols in place to ensure a rapid and coordinated response. If the worst was to happen, swift responses can help minimise data loss, decrease recovery time, and strengthen customer trust.