Data is big! Big data is even bigger! Organisations across the world collect a lot of it: customer data, employee data, supplier data, competitor data. Organisations collect customer data in order to gain advantage over their commercial rivals. They use it to learn how customers spend money: which products they are likely to buy based on their spending habits, demographics, location, politics, what they eat and drink and who they socialise with. This information is powerful: it fuels the engine behind targeted advertising to accelerate sales.
Furthermore, organisations collect other data during the course of a transaction, such as credit or debit card numbers, bank account details, dates of birth, residential addresses, email addresses and security numbers. Obviously, the customer usually trusts the company to keep this data safe.
Although there are laws in many countries that are designed to protect the rights of customers to manage their online data, in reality, legislation can only go so far. Companies that fall foul of the law may receive heavy financial penalties and individuals within the organisation may face hefty fines or custodial sentences. Yet, a glance at news headlines over the past couple of years, suggests that customer data is being leaked to nefarious groups time and time again. But the disproportionally low frequency of headlines in relation to punishment meted out to organisations for data breaches suggests that legislation is not effective in keeping customer data safe.
It seems the overriding motive for organisations with regard security is to satisfy auditors that they have procedures and processes in place to meet specific regulatory requirements. They are not motivated by security itself.
It is my opinion that, irrespective of legislation, everyone in the organisation has the moral obligation to secure customer data. Organisations are custodians of valuable information, not only of value to the organisation, but also to criminal gangs who use the data to make financial or political gain at the expense of those unsuspecting customers. It can be argued that customers do not understand the real value of their own data and share it willingly with legitimate organisations. As such, the onus sits squarely with the companies who collect this data, and that means it sits with everyone working in that company. Engineers must put security first when engineering their products and services, product owners must consider security features as important as sales generation features, and testers must make security a core component of their test suites.
Each time a security breach occurs, and customer data is leaked, more victims are created. The crimes committed can often be life-changing for their victims: huge financial losses, public humiliation or false accusations are common consequences. Yet, until organisations shift accountability to those responsible for delivering insecure software that exposes customer data, the rise in data breaches will continue unabated. Ultimately, if your organisation manages customer information, everyone within that organisation has a moral duty to protect customer data and put security at the heart of its business.
In summary, a cultural shift is required to embed security into the fabric of an organisation. This includes a security education programme, security-feature-first approach to product design and a process in place to validate the security of the organisation and the data it holds.