November 25, 2020
Organizations collect, manage, and share a large amount of consumer data, and if they misuse, abuse, or lose that data, they’ll lose consumer trust.
Globally, 81% of consumers make purchase decisions based on how much they trust a brand, according to the 2019 Edelman Trust Barometer Special Report, and 23% trust a brand more when they feel it’s protecting their data privacy and security. But only 34% of consumers say they trust most of the brands they use. Data breaches and careless data management break consumer trust, which leads the majority to take their business elsewhere. So how can you build trust? Through a trust-in-depth architecture – one that reinforces a culture of privacy throughout your organisation.
To create trust in depth, imagine your ideal data protection posture as the “Four Layers of Trust” – a hierarchy of tactics starting with defence in depth security, then user activity monitoring and forensics, data privacy and compliance, and finally, data governance.
Defence in depth security provides the foundation, but you should also look at how you monitor user activity, how long you store monitoring data, how you comply with privacy regulations and map to security frameworks, and how you report on the effectiveness of each tactic. When everything is working together, you have a winning structure for trust.
TRUST LAYER 1: DEFENCE IN DEPTH SECURITY
Defence in depth security utilises multiple layers of defence throughout an organisation’s physical and technical networks to secure and protect data. If one layer (a firewall, a password, a key card-accessed door) fails, others can stop security incidents or breaches from compromising your organisation’s most valuable asset – data.
A strong defence in depth strategy includes:
· Administrative security: Policies and procedures
· Physical security: Key cards, access codes on locked doors, workstation locks
· Perimeter security: Anti-virus, anti-malware, data loss prevention solutions, perimeter firewalls
· Network security: VoIP protection, proxy content filters, remote access, wireless security
· Endpoint security: Device firewalls, patch management, content security, anti-virus
· Application security: User activity monitoring, encryption, database monitoring
TRUST LAYER 2: USER ACTIVITY MONITORING AND FORENSICS
Once the data is secured, you can monitor which users access protected information. Many admins track changes to profiles and permissions sets, but true user activity monitoring goes much more in-depth. In Salesforce, you can monitor actions like creating users, changing security settings, accessing objects, running reports, and more. With tools like Salesforce Shield: Event Monitoring, you can access the user activity logs for more than 45 event streams – but you’d then have to parse those event logs for meaningful insights. The added risk is that pulling activity logs is reactive, unless you have a full-time data scientist to analyze logs and find suspicious access.
The right detection and visualisation platform helps build trust by:
· Interpreting user behaviours to identify and mitigate insider threats
· Going beyond monitoring and detection to deliver visualisation and alerts
· Delivering human-readable context with log transformations
· Speeding investigations with workflow automation
Look for a platform that delivers user behaviour analytics, establishing a baseline for “normal” behaviours to better detect abnormal activity (e.g., exporting 10,000 records in one day when, for the last18 months, they’ve only exported 50 records per month). You need to manage user activity monitoring data in compliance with federal and global security and privacy regulations. Many admins don’t realise their tools only retain logs for30 days while many regulations require a minimum of two years because it takes an average of 206 days to detect a breach.
TRUST LAYER 3: DATA PRIVACY AND COMPLIANCE
Following a privacy framework like ISO27001 or NIST can simplify compliance with privacy laws worldwide. Adhering to a framework covers a range of security and privacy requirements, meaning you’ll more than likely be covered for any regulatory requirements.
Privacy is a responsibility to consumers that reinforces trust. Expand your privacy posture by limiting the number of employees who have access to sensitive customer data, monitoring for abnormal user behaviour, and reviewing privacy practices regularly. By pursuing advanced controls that align with regulations and frameworks, you can firmly establish your company as a leader in data privacy.
TRUST LAYER 4: DATA GOVERNANCE
Every organisation needs a data governance program to mitigate financial loss and risk. By managing data availability, usability, and integrity, your team can count on consistent, high-quality data. You can then use this information to evaluate business operations, develop new systems, and increase adoption.
A robust data governance posture with clean, well-defined, reportable data influences:
· Adoption through data usability and standardising values
· Results by improving accuracy and consistency
· Value by establishing completeness and eliminating redundancy
Without a governance plan, your business could be susceptible to negative financial impact, productivity loss, compliance risk, and broken trust.
Governance should begin with a focused scope that gradually broadens once headway is made to clean the data. It’s necessary to begin with the singularly focused but complex challenge of enhancing employee data quality and creating data policies before you can move forward with cleaning opportunity, account, and contact data; defining data rules and dependencies; and remediating data issues and escalation.
In cloud applications like Salesforce, you can streamline data governance with a monitoring tool that provides detailed activity information at a glance, including abnormal user behaviour, page visits, field changes, permissions modification, and more. User activity monitoring can enhance your governance by tracking all activities surrounding your data.
TRUST IN DEPTH IN PRACTICE
With the right elements, you can establish a powerful security and privacy posture that reinforces trust and gives consumers confidence to entrust their data (and their business) with your organisation. Defence in depth security, user activity monitoring and forensics, privacy and compliance, and data governance help you construct a strong foundation that provides the value and trust your customers need.
For more information on how to foster trust in depth at your organization, contact Fair Warning, the proven leader in protecting the privacy of people and organizations by securing their most sensitive data.