5 Keys To Customer Data Security by #iTHiNKLabs' David Lee Djangmah
Extended Edition of Authority Magazine Interview
MISCELLANEOUS WRITINGS | 2021 EDITION | VOLUME 24
I want to acknowledge and thank Jason Remillard, President of Data443 Risk Mitigation, Inc. for a great interview. Click or tap feature image above for the original.
At a time when rampant data sharing shows that website managers lack control and visibility, more responsible, privacy-focused Quad9 is putting its money where its mouth is and differentiating itself by relocating “to Zurich, Switzerland to subject itself to stricter privacy laws”.
All in the interest of global users who demand genuine customer data privacy and security.
So, let's dive into this unfiltered, streamlined yet detailed, hypertext and image-enriched edition of my recent interview:
5 Things Every Business Should Know About Storing & Protecting Their Customers’ Data
Data is so fragile an asset that smart and lean businesses focus on deletion. Not hoarding. (Click or tap above for explanation)
When it comes to data protection, everybody is your customer. From prospects (candidates, applicants, etc.) to clients or customers, to your employees, supply chain, third-party risk, mobile and social media security risks. And your obligation to be a responsible steward of data is as ethical as it is legal.
This, in the first instance, addresses the interview question:
Privacy regulation and rights have been changing across the world in recent years. Nearly every business collects some financial information, emails, etc., about their clients and customers. For the benefit of our readers, can you help articulate what the legal requirements are for a business to protect its customers' and clients' private information?
And when you click or tap above, you understand and reconcile my argument with the fact that even “97% of Cybersecurity Companies Have Leaked Data on the Dark Web.” Which leaves you with a choice and decision to make.
I expatiate on all that further down. But understand:
Effective data protection is first and foremost, counterintuitively, an HR function.
Many companies attempt, but fail, at being data-driven because they have, in the second instance, weak data risk management. Yet, if you want to strike the smart and right balance, HR itself must, in the first instance, get hiring right by intelligently handling data. For example, using AI to solve certain problems that only human emotional intelligence currently excels at solving is one increasingly common strategic and costly mistake. Meanwhile, you know you're nailing it when you find yourself hiring and retaining risk-mature professionals, across the board.
Hiring risk-mature professionals across the board should be ingrained in the HR ethos the way strategic thinking and risk mitigation are ingrained in Mainland Chinese culture, as expert China expats will attest; in this case, as a means of organically building a risk-mature business culture complete with human firewalls. See, generally:
Strategic Hiring iQ2: 3 Reasons IP Theft, Insider Threat & CyberSecurity Are HR Issues
Strategic Hiring iQ1: Snowden, NSA, SR-71, Insider Threat & Access Governance
Mastering Supply Chain Security & Risk Management in 3 Steps
Threat Smart: Cyber Risk Management Done Right
Traits of a Consummate Professional
This, for example, is how President Joe Biden avoided the fate of Hillary Clinton in 2016: His campaign hired Jackie Singh, a similarly paranoid cybersecurity expert and professional, to protect Candidate Biden's data.
For those who aren't already my Twitter followers or avid #iTHiNKLabs Weekly readers and are confused by any of the terms used herein, see generally:
GDPR & CCPA: Smart Person's Guide
3 Reasons Risk Management Has Failed
A Buydown for Risk: Why Data Security is a Must
Beyond ‘Responsible Use’: Strategic Social Networking iQ
Data Security & Privacy as a Source of Growth, Legal & Competitive Differentiation
The 'convenience' and 'functionality' argument only worsens data greed, data monopoly and data dictatorship.
...all of which is nefarious, unethical, or illegal, even when it is an autocratic government abusing data in a tech dystopia.
Do better. Understand the limits of both tech and security tools. Don't hoard.
Whether one is talking about HR or business data greed, China's Digital Dystopian Dictatorship, or “Data Dictatorships and the Fall of Liberal Democracy: A Global System Ruled by Whoever Controls Data” (click or tap image above), proof that compliance doesn’t prevent data breach is well-publicized.
The ‘convenience’ and ‘functionality’ argument only worsens data greed, data monopoly and data dictatorship, as addressed in Brain-Dead Hiring Practices To Ditch (image), by organizations with nonexistent, elementary, or poorly thought-out and executed IT security who think simply saying they ‘take security seriously’ gets the job done. As well as by autocratic regimes and similarly bad actors.
Yet assuming risk intelligence because you can blab doesn’t equal data security. And the reason I am pessimistic is because, unlike the Mainland Chinese, in the West today HR is broken: sales-KPI-driven, as distracted as everybody else, undervaluing genuine diversity, and rewarding short-term pragmatism.
This explains why, instead of building a robust risk-mature culture against insider threats, APTs, and even teens like Graham Ivan Clark (below) whose recent hack embarrassed Twitter, U.S. businesses continue to be exposed to the same broken business/HR culture that facilitates theft and breach of customer data at an increasingly alarming scale.
Beyond the legal requirements, is there a prudent ‘best practice’? Should customer information be destroyed at a certain point?
Well, “destroyed at a certain point” means, no longer than a month, if at all. Which is why I’m known for disrupting HR pros (in the U.S. in particular) who are stuck on archaic data greed. As well as websites that burden users unlikely to return to their platforms — or in the case of LinkedIn and other notorious victims breached several times — with conventional thinking having nothing to do with compliance.
Meanwhile, data breaches and leaks aside, there are far too many malicious activities on LinkedIn for either the company itself or clueless hiring managers and recruiters to be forcing demands (like silly “LinkedIn Mandatory” job ads) on candidates. Demands that only further jeopardize their data privacy and security. And don't even get me started on the HR industry's AI fails.
#iTHiNKLabs Weekly and my Twitter are by far the smart person's companion to seeing around corners in terms of best practices. But in addition to the foregoing, other compelling reasons to more than comply and take customer data security seriously include:
U.S. Cybersecurity Firm FireEye Discloses Breach, Theft of Hacking Tools
How China Uses Stolen Data Against the USA & What U.S. Businesses Should Know
21st Century Espionage & The SolarWinds Hack & Supply Chain Security: What To Know
Fundamentals, baby. Fundamentals. Respect them, or needlessly suffer a breach by leaving attack vectors and your attack surface wide open.
Highly effective best practices abound. But you won't get very far with them if your culture doesn't value security fundamentals. Take ransomware, for example.
As in boxing or COVID-19, the biggest mistake businesses make is neglecting anti-ransomware and cybersecurity fundamentals and living in a bubble where "others" are the prime targets. Not them. That's why Mike Tyson, Deontay Wilder and Anthony Joshua, as opposed to defensive boxing icon Floyd Mayweather Jr., suffered some of the sport's greatest upsets.
This is where the counterintuitive HR argument I made earlier comes in. For, suffice it to say, you can't teach what you don't know. So, before training fails, leading to preventable breaches or data leaks, HR fails by cutting corners and/or practicing all the brain-dead practices addressed above.
Further (post-interview UPDATE), click or tap image below to see my response to the BBC Business article CEO Secrets: 'My billion pound company has no HR department' — about an entrepreneur who is proud of having neither an HR nor IT Department. And while I get the “No HR, no problem” sentiment, and Twitter user Liam disputes his claim, this is not 1995. Such myopia is just not sustainable in the 2021 threatscape.
The list below is limited, mind you:
The Case for a Database Audit Trail + Keys to a Secure Data Solution: #iTHiNKLabs Episode 27
The Hacked Youtube Entrepreneur: How SMBs/Entrepreneurs Can Avoid Getting Pwned (Video)
What Recruiters & Consulting Firms Don't Get About AI: HR Mistakes in the Age of Big Data
Beating The Scammers: How THiNKiNG Like a Spy Helps + Mitigating Strategic Deception
E-Commerce Business DOs & DON'Ts + 28 Steps To Securing Your E-Commerce Site
CyberSecurity Awareness 365° S2: Because Smart Security is On Guard 24/7
Data Security Best Practices in a Remote Workforce: The Top Experts Speak
Customer Data Security: 5 Pillars To Keep Customer Information Safe
Understanding the Role of Data Security for Digital Business Success
AWS Admin: From Zero Trust To Ultimate Guide (Cloud Security iQ2)
What Remote Workers Should Know (#iTHiNKLabs Episode 148)
Digital Transformation, Cloud Computing & Cloud Security: iQ1
10 Steps to Cut Through the Data Management Complexity
#iTHiNKLabs 4-Part Social Engineering Guide & Shield
Artificial Intelligence Risks & Value: The 4-Part Guide
How To NOT Get Hacked | Or Become A Target
How To Dodge The Ransomware Epidemic
4-Part Phishing Security Guide For 2021
3 Ways To THiNK Like A Security Expert
5 Steps To Secure Your Customer Data
Social Media Security Fundamentals
Top 10 Indicators of Data Abuse
Cyber Security Made Easy (DiY)
4-Part Cybercrime Survival Kit
In the face of this changing landscape, how has your data retention policy evolved over the years?
Anything that doesn’t need to be kept, goes. It’s that simple. Because no one is 100% immune from hacking or data security lapses. Not even top cybersecurity companies, government agencies or the best InfoSec minds.
Further to the above, and the devil is in the details, reducing both attack surface and attack vectors to the point where it is pointless to be targeted (apart from the fact that there isn't much to hit or steal anyway) is the obsession, more so than the policy, that continues to dominate my approach.
Followers or readers of #iTHiNKLabs understand more than others that proactive security is the name of the game. That, and staying ahead of trends.
For example, Gartner Research, which follows me, predicted years ago (2017 or so) that “by 2022, API abuses will be the most-frequent attack vector resulting in data breaches for enterprise web applications.” And we’re already seeing that.
Hence, the Six Ways to Secure APIs are a bare minimum in that evolution, if/when data retention is a must.
Are you able to tell our readers a bit about your specific policies about data retention? How do you store data? What type of data is stored or is not? Is there a length to how long data is stored?
The same way world-class VPN companies that are data privacy advocates practice “no-log policy.”
Unlike Jeff Bezos and Amazon (click/tap), I take the approach that even where “you can take a punch”, it is reckless to be needlessly exposed.
Think defensive Boxing legend, Floyd Mayweather Jr.
That is why #iTHiNKLabs Episode 142 (click or tap below) is only the most recent among a million or more times and places where I shamelessly advocate cash over credit, with data evidence to backup my advice.
See the double featured No. 8: Shoppers: Do Cash — Credit Card Stealers Lurk INSIDE Social Media Buttons + eCommerce Security. I don’t do specific. I do holistic. As the list(s) shared here show.
So, while the enumerated policies and best practices above and below validate, and in some cases inform, my data retention policy, in practice we are talking about extremely lean data stinginess, as an obsession more so than a policy. Because data retention policies can be easily circumvented through sophisticated scams, social engineering and business email compromise, all of which my Twitter, as well as the fundamentals above, cover.
As a big-picture problem solver, I founded Cool AutoSec (shield cage, RFID signal blocking, mobile phone data security/privacy, car key fob protection, and anti-hacking & anti-tracking Faraday products) and left sales to my former Chinese mentee.
The same rationale explains why I opt for ‘rented space’ and keep my personal blog and code nimble and local, rather than bear the burden of maintaining a dedicated, secure website.
Again, “destroyed at a certain point” means, no longer than a month. If at all.
HR pros in particular, as well as government and business websites obsessed with process need to wrap this around their heads:
It is not personal; it is just dumb to stubbornly think you can protect data while clamoring for PII using punishing red-asterisked fields that prevent applicants from clicking Next unless they fill them.
One UK security agency inviting foreigners to apply requires a National Insurance Number (equivalent to the U.S. SSN) before clicking Next. Effectively killing applications from HiPos long before data retention is even an issue, just because both HR and the IT expertise they relied on lacked the foresight, risk maturity, and/or thoroughness and competence to raise the issue.
Yes, even as a consultant.
A rather daft way to bleed talent while going online (as HR pros often do) to lament the self-inflicted talent crunch or cyber skills gap as an issue.
Has any particular legislation related to data privacy, data retention or the like, affected you in recent years? Is there any new or pending legislation that has you worrying about the future?
Not particularly, so long as one is talking about the West.
Precisely because of the strategic, holistic readiness posture I bring to business, despite my training as a lawyer.
In China's case, suffice it to say, businesses and leaders who don’t hire me, read #iTHiNKLabs, or follow me have been, and often are, caught with their pants down, because there’s a lot to worry about and be prepared for, on an almost daily basis.
In your opinion have tools matured to help manage data retention practices? Are there any that you’d recommend?
Not for free, I must say, as a consultant.
The only tools I publicly recommend, often after testing, discreetly feature in #iTHiNKLabs Weekly episodes. However, as a tech minimalist, I’d emphasize 3 counterintuitive cautions underpinning grey zone risk maturity and your business:
① Check your emotional attachment to tech as the answer to all security problems. It is not. Ask the Taliban, or data breach victims — from organizations with deep pockets to the world's richest.
② Never be swayed by the wrong-headed assumption that security should be limited to data, network and systems. Or, that you are to avoid politics, etc. Nothing could be less naïve. Before COVID-19 morphed into a remote work security challenge for businesses, it was dismissed and trivialized in the West as some political or at best, health security threat having nothing to do with tech and far away in China.
③ It’s not tools, but people’s risk maturity we should invest in.
Risk maturity is what the Taliban, Chinese, and Russians bring against reactive, short-term-pragmatism-driven, scatterbrained cultures like the United States, where businesses often don't care about being threat smart, let alone about how their organizations are front lines in grey-zone warfare, until after they've been breached.
True risk maturity is based on tactical human creativity — as a weapon, not just a means to driving profitability — which intuitively understands the limits of technology and always seeks to leverage it. Responsible business leaders, take note. (Click or tap image)
That is why I wrote: How To Mitigate Strategic Deception and Why Strategy Execution is the Ultimate IQ. Works that singularly, even without #iTHiNKLabs, accurately predicted and explain the mayhem seen before, throughout, and at the end of the Trump Administration, insurrection and all.
Also, why Forbes, knowingly or not, published: Why China Consistently Takes Cocky U.S. Tech Companies To School.
U.S. businesses need more risk maturity than (mature) multi-billion dollar IT security systems and tools that do nothing to avoid America’s increasing intelligence failures. And Kevin Mitnick agrees.
For consultation, contact me here. Or, feel free to follow and engage here.
PEACE
TT
F I N I S