A company’s ability to keep data safe can directly affect whether customers trust the organization and remain loyal over time. According to Shred-it’s 2021 Data Protection Report, more than 8 out of 10 consumers decide which companies to do business with based on their reputation for information security. In part, this is because consumers feel less confident about the security of their personal data than they did a decade ago — and they have reason to feel this way. Nearly 70% of consumers surveyed have been personally impacted by a data breach in 2021 as compared to 53% in 2020.
Unfortunately, consumers tend to have low confidence when it comes to businesses and data security. One in three consumers believe that companies fall short in terms of timely, transparent communications around data leaks, and there is a general perception that these incidents only come to light when the company gets caught or is forced to reveal the event.
Trust can quickly erode if an organization experiences a breach but does not manage it well. Although consumers may wait and see how a company reacts to the security lapse before making any decisions about their future relationship with the organization, people may choose to sever ties — especially if they feel the organization was not transparent and appropriately responsive. Nearly 1 in 4 consumers will stop doing business with a company if their personal information is compromised.
When customers lose faith and take their business elsewhere, there can be serious implications for a company’s bottom line. Given all this, what can businesses do to protect themselves? Here are a few strategies to consider.
Stay Informed on Consumer Privacy Legislation
Over the last decade, data protection laws and regulations have evolved to deter criminals and compel businesses to improve their security and privacy efforts. Spending time understanding the current regulatory landscape is critical to not only meet existing requirements, but also prepare for what’s on the horizon.
Historically, the United States has taken a sectoral approach to consumer privacy and data protection legislation with laws such as the Health Insurance Portability and Accountability Act (HIPAA) for healthcare and Gramm-Leach-Bliley Act (GLBA) for financial services, and the Family Educational Rights and Privacy Act (FERPA) for education. To provide protection for all consumers, several states, including California, Colorado, and Virginia, have passed comprehensive data privacy legislation that governs how companies must safeguard consumers’ personal information and preserve an individual’s privacy.
Globally, many countries already have wide-reaching privacy legislation, including Canada, the UK, and the European Union. If a company operates internationally, it should be cognizant of these requirements as well, as countries continue to pass new or update existing legislation with regularity.
Develop Comprehensive Data Protection Strategies that Cover All Data
The first step in creating a complete data security plan is to know what types of data the company collects, where it is stored, and with whom and how it is shared. Next, the business should determine the potential risks to that data and whether the information resides in electronic or physical form (or both).
Risks to electronic data include compromise or loss due to malware, phishing, theft, or human error. Physical risks can be similar and result from theft of paper documents or equipment that houses confidential information, such as laptops, external storage media, cell phones, etc. Once a company knows what kinds of data it has and the risks that threaten that data, it can determine the appropriate combination of safeguards and controls.
To protect physical data, businesses should consider utilizing a document destruction service at regular intervals to pick up and securely destroy confidential information that is no longer needed. Similarly, it may want to employ a process for collecting and destroying legacy hard drives or laptops that are not in use.
To protect electronic data, the company will need a strong cybersecurity program that covers technology, business processes, and, of course, the people that use them. To that end, it’s important to supplement training with practice, such as phishing simulations, which help employees to better recognize threats and build “muscle memory” for avoiding and reporting them. Today’s data thieves are far more sophisticated and are constantly evolving. For this reason, it’s essential to ensure all employees fully understand their roles and responsibilities for protecting the company’s data assets.
Ensure Employees Keep Data Safe Wherever They Are
Given the current hybrid work environment, it is particularly important to ensure staff have access to the tools they need to maintain data security when they are working remotely — whether that’s in a home office or public setting. Implementing data protection strategies such a requiring the use of virtual private networks (VPNs) and multi-factor authentication can reduce the risk of compromise or theft, no matter where an employee logs in. From a physical security perspective, consider training employees that work remotely to securely store documents in a locked cabinet or other secure location until they can bring them back to the office to be placed in secure bins to be destroyed.
Data security is a key element in customer retention, and businesses should take a multifaceted approach to safeguard information. By paying attention to both physical and digital risks and implementing strategies to reduce them, a company can avoid costly breaches that could have ramifications for years to come.