This month news broke that Coast Capital Savings credit union members had their accounts compromised and money stolen in a targeted cyber fraud attack. Not only were hundreds of thousands of dollars lost, but consumer trust in the financial institution too.
However, the attack was not breach or a hack in the traditional sense, as it was not the result of unauthorized access of the credit union’s systems. Instead, cyber criminals were able to gain access to member accounts through email/SMS phishing schemes and via brute force attack, an automated software trial-and-error method used to obtain user passwords, PINs, or other forms of desired data.
This event begs the question, is a corporation responsible for a lack of customer and client diligence when it comes to passwords and other methods of securing their own accounts?
This argument certainly falls under the umbrella of corporate social responsibility (CSR). By definition, CSR represents a company’s commitment to manage the social, environmental and economic effects of its operations responsibly and in line with public expectations. CSR is typically associated with environmental and social initiatives, but it absolutely applies to today’s topic. How, exactly?
Let’s return to the Coast Capital Savings attack. While the victims who fell prey to phishing tactics understand their role in giving up access to their accounts to cyber criminals, they also believe that the financial institution was negligent in safeguarding member accounts, citing a lack of security questions and allowance of weak passwords. The latter bears further question, as again, should the onus fall on the institution to ensure members followed password management best practices?
Most, would say yes. After all, isn’t greater corporate responsibility in regards to public data protection what the recent GDPR and PIPEDA compliance updates are all about?
While you must continue to do all that you can to secure sensitive company data, it can only help you to become more transparent with your customers/clients too, letting them know how they can play an integral role in the protection of their own information.
What Your Business Can Do to Improve Corporate Social Responsibility as it Applies to Customer and Client Data Protection
1. Educate Your Customers/Clients on Security
You’ve invested significant time, effort, and expense training your staff on internal cyber security as a means to protect company data and IT systems. However, have you afforded your customers or clients the same level of education? If you’re like most businesses, probably not. We know it’s not realistic to match consumers with the security protocol initiatives that you’ve instituted in-house, but you can be proactive in communicating these matters to them.
a) Password Management
Beyond tightening up the gateways to their own accounts with non-SMS (not secure) two-factor (TFA) and multi-factor (MFA) authentication, you can share information about how to generate more secure passwords. Reference Fully Managed’s guide to better personal password management and re-package it (as a white paper, etc.) for consumer delivery.
b) Phishing Prevention
You’d think that phishing schemes would no longer be as successful as they are, with so much public education about avoiding suspicious links and to not respond to unsolicited emails requesting sensitive information. But in the end, if the higher-ups of the Democratic National Committee fell for it so can your customers. That is why you must bear a part of the burden in phishing prevention, by educating your customers/clients directly. In the same manner that you should assist them in password management, create information packages about how they can avoid falling victim to phishing schemes that want access to their accounts with you. Reference Fully Managed’s guide to phishing prevention and re-package it for consumer delivery.
In the past, businesses have been afraid to communicate risk to their customers/clients, but here in 2019 consumers understand that no one (your business included) is removed from this risk. In the end, they will appreciate the fact that you’re educating them on how to better protect the accounts they hold with you.
2. Be More Proactive in Compliance
The GDPR and PIPEDA compliance updates of 2018 certainly caused a stir, but apparently not enough. A recent survey from the International Association of Privacy Professionals (IAPP) found that approximately half of businesses are not GDPR complaint. Given that GDPR landed in April 2018, while the PIPEDA update came in November of the same year, you can only imagine the number of businesses not yet observing the new law set by the Privacy Commissioner of Canada.
Consider appointing an internal Privacy Officer to help facilitate ongoing compliance, and let them lead the way in training staff on mandates. However, before you do anything, bring in an IT support firm, with experience in ensuring corporate compliance with national and international privacy law, and have them set a schedule of quarterly, semi-annual, or annual audits of your information collection and storage practices.
Once you have received an audit and established adherence to GDPR, PIPEDA and other international legislation (as applicable) you can disclose this in your marketing materials to increase consumer confidence. It’s a win-win!
In adopting corporate social responsibility (CSR) as it applies to consumer data protection you will not only help prevent attacks that compromise your customer/client data, you
gain a competitive advantage. Begin your data-driven CSR campaign with a security audit of your IT systems.
Contact Fully Managed today.