Mr. Srinivasan CR is the Chief Digital Officer at Tata Communications.
A few years ago, an ideal weekend involved spending time with family and friends—perhaps at the mall, an appointment at the salon, or maybe dinner at a restaurant. Cut to an ideal weekend now—you eagerly await your online food delivery, you book yourself that salon appointment right under your own roof and you browse through Netflix or Hotstar, binge-watching the latest show. Your weekend is brought to you by your trusted mobile phone and the latest apps that allow you to cocoon yourself at home.
According to a recent survey, Indians have over 200 apps installed on their smartphones. We aren’t merely using apps, we’re bingeing on them. How many apps are we even using in a day? According to TechARC, a market research firm, most Indians use about 24 apps in all. But the mistake we make is installing a lot of apps that we seldom use, in turn exposing our devices to risks.
Click on ‘I agree’ to proceed
It’s safe to say that a majority of consumers today click ‘I agree’ on the never-ending Terms and Conditions while downloading an app or signing up for a subscription model, without reading to the end. Some apps ask for access to your contact list, gallery or location and often allow you to proceed only if you accept.
A few months ago, most of us received a notification to delete CamScanner, as experts at Kaspersky discovered serious malware in the app, capable of stealing confidential data from your device. This is not an isolated event. In 2017, credit monitoring firm Equifax disclosed a massive breach of personal information belonging to 143 million US consumers after its website was hacked. The data lost included basically everything: driver’s license numbers, credit card numbers, birth dates, addresses, etc., resulting in half of their users losing their personal data. Given the magnitude of the breach and the sensitivity of the information, it is considered one of the worst corporate data breaches ever.
A robust security strategy goes a long way
If you think you are hearing about a company getting hacked almost every day, you may be correct. What’s now important is to understand how to curb these increasing attacks. For this, let’s look at data breaches from two perspectives: first, breaches of institutions that people choose to entrust with their data and second, breaches of entities that acquire user data secondarily. The main issue is that even if your data is stolen or an unauthorised entity has your data, the repercussions of a data breach can only be delayed at best, sometimes not fully manifesting for years.
The problem is so abstract and far-reaching that often, security seems like a maze where the end consumer suffers the most. Usually, a majority of the data breaches occur because organisations make callous mistakes in implementing their security schemes, and they, in turn, become low-hanging fruit for hackers to pluck.
Another underlying issue is that CEOs don’t invest in the right infrastructure and human capital. According to Keeper Security’s 2019 SMB Cyberthreat Study, only nine percent of small and medium businesses rank cyber-security as a top business priority and this is a foundational problem; 25 percent of those surveyed said they don’t even know where to start with cyber-security, resulting in low investment. Large enterprises, while more mature, find themselves in a similar situation. The low investment is usually the result of an economic dilemma, but investing in the right cyber-security tools today could save enterprises millions of dollars in the future. Thus, the potential impact of a hypothetical breach should always be calculated ahead of time and planned for accordingly.
Managing brand and reputation risk
Another place where the security strategy goes wrong is tackling different problems with the same approach. For example, it’s not enough to just have a strong perimeter (firewall, spam filters, VPNs, etc) and a desktop security suite (anti-virus). The reason why these steps are not enough is that they are treated as one-stop solutions rather than part of a complete end-to-end security strategy. While ensuring a preventive security approach, leaders should also consider the period following a data breach and its impact on the company’s reputation. What a customer values most is trust and brands will need to work hard to regain that.
A case in point is the recent Equifax data breach mentioned earlier. The impact was severe: the CEO had to step down and shares plummeted. Equifax tried appeasing its consumers by providing free credit monitoring for one year, but the damage was done. Similarly, following the Cambridge Analytica debacle, Facebook users’ confidence in the company plunged by 66 percent, with only 28 percent continuing to believe that the company is committed to privacy.
Earning brand loyalty after a data breach is tough. While this can be partially recovered by designing a contingency plan, there’s nothing like having a robust cyber-security strategy in place, right from the onset, which ensures no mishaps take place.
What we need is a holistic approach that is designed to include employee awareness, risk and compliance, and analytics to predict cyber-attacks and ensure network and infrastructure security. In the end, security is all about managing risk. To do that effectively, one has to identify the current issues in the organisation and identify how the improved measures would have an impact on the company’s security. One also has to cater to the skill gap, as there are huge gaps in finding security experts who are aligned with the company’s requirements.
A foolproof cyber-security plan cannot be achieved overnight; it’s a process and there’s no better time to start than now.