In 2016 consumers were exposed to a larger number of high-profile data breaches than in any previous year; last year Yahoo disclosed the loss of more than half a billion customer records.
These events have helped raise public awareness around the serious threats to personal data that exist in the modern era. Awareness is also growing for some of the solutions that businesses and individuals can use to minimise the risks from data breaches.
Encryption is starting to gain some prominence in stories concerning data breaches, but do consumers actually understand what it involves, or how important it is?
Gemalto’s recent study has revealed that only 14% of UK consumers claim to fully understand what encryption is.
Some responses were surprising, including the belief that encryption is a fingerprint scanner, a puzzle, or a system which sends parts of messages over many networks to protect them.
In reality, encryption is the process of converting data to an unrecognisable form. An encrypted document will appear scrambled to anyone who tries to view it.
It can only be decrypted using the correct encryption key, which must be kept secure at all times. If consumers don’t truly understand the measures that businesses are putting in place to protect their data as this evidence suggests, they won’t be aware of how secure their data is.
This contributes to any concerns and uncertainty consumers may have when sharing personal data with companies.
Layers of protection
Businesses are increasingly starting to understand the potential financial damage that a data breach can cause, but they also need to consider the reputational damage.
Educating consumers about the steps a business is taking to protect their data is crucial for building consumer trust and loyalty. If consumers are unsure of which protections are in place with a business, they may avoid dealing with them entirely.
Any business that suffers a data breach or gains a reputation for handling customer data insecurely will see consumers move to competitors they perceive to be more secure.
Additionally, with GDPR coming into effect in under 18 months, it will soon be mandatory for any business handling EU-specific data, or doing business within the EU, to report any and all data breaches.
Any business found to be insecurely storing data will face severe fines. So, what can a business do to avoid this happening?
There are five key steps that any business must undertake when protecting their own, and consumers’ data.
First, in order for a business to begin protecting itself, it should organise a data sweep to understand what data it has produced or collected, and where the most sensitive parts of that data are stored.
Examples of personally identifiable information a business may collect include a customer’s email address, date of birth or financial details. Before a business can even think about how it is going to protect its data, it’s crucial that it understands what it is trying to protect.
Employ two-factor authentication
The next step an organisation should take is to adopt strong two-factor authentication, which provides an extra layer of security should user IDs or passwords ever become compromised.
Two-factor authentication requires an individual to present something they have, like a message on their smartphone, as well as something they know, rather than relying solely on something they know, such as a password.
Encrypt everything important
While two-factor authentication helps to stop information being taken in the first place, or accessed by people who don’t have the correct permissions, encryption gives a layer of security which stops customers’ sensitive data being used if it is accessed or stolen.
This is why it is necessary for a business to understand where their most valuable data is stored before this step can occur. Whether the data is stored on your own servers, in a public cloud, or a hybrid environment, encryption must be used to protect it.
As consumers have seen in 2016, it is no longer a question of if, but when a data breach will occur. Companies need to approach protection with the assumption that they will be breached and employ the encryption necessary to protect their most important asset, the data.
Keep encryption keys safely stored
Of course, once a business is properly encrypting their data, attention must turn to strong management of the encryption keys. Whenever data is encrypted, an encryption key is created, and is necessary for unlocking and accessing the encrypted data.
Encryption is only as good as the key management strategy employed. Companies must ensure the keys are kept safe through steps like storing them in secure locations, for example in external hardware away from the data itself, to prevent them being hacked.
After all, there’s no point in buying the best locks for your house and then leaving the key under the mat for any passing burglar to pick up!
Educate staff and customers
The final step a business should undertake is educating both their consumers and their workforce on the processes they have undertaken to protect their data. And it doesn’t just end there.
Businesses need to employ a double-sided approach, educating both their employees and consumers on the steps they should also be taking to remain safe and protect their personal data themselves.
This helps to build their understanding of how to protect the company’s data, and builds consumer confidence.
Only once a business has followed these steps, and educated their customers, can they be confident that they have adequate processes in place to protect their data.
The importance of an adequate cyber security strategy cannot be overstated, with recent research revealing that almost seven in ten consumers will happily take their custom elsewhere in the event of a data breach.
Additionally, an educated population of consumers will help encourage other businesses to improve their cybersecurity, ultimately leading to a more secure environment for both organisations and individuals to do business.
Sourced by Jason Hart, CTO, data protection at Gemalto