Centrify has released the findings of its 2016 Consumer Trust research study. There are some surprises in the data and some warnings for companies. One of the biggest surprises is that over half of the respondents said they first heard of a hack via the news or social media. The younger the respondent, the more common the latter is.
There is a challenge here for companies. Most would prefer to contact regulators first, customers second and the media after that. The problem is that customers, once informed of a breach, are likely to broadcast the news via social media. This is then the start of a press feeding frenzy which can quickly get out of hand. The TalkTalk breaches over the last few years have shown how quickly a company can lose control of the message. Once the hack hits social media, it also provides an opportunity for cybercriminals to target the affected customers.
Unsurprisingly, once a company is attacked it will lose customers. In Germany 57% would stop doing business with a company. This rises to 66% in the US and 75% in the UK. These are not just customers panicking. The more tech savvy the customer, and especially those who shop a lot online, the more likely they are to move their business elsewhere. Most companies factor the loss of business into their incident response plans. They will act quickly to offer discounts and other assistance to customers in order to keep them onside. The numbers here, however, are larger than most companies would expect.
Which businesses do customers trust?
Customers believe that the responsibility for protecting data lies with those who have gathered it. Financial institutions and medical and health companies top the trust list. Retail and travel sites fared badly, while at the bottom were those in the membership and hospitality businesses. What is interesting is that respondents said they were most worried about health and financial data. Companies at both the top and the bottom of the list hold this type of data. Retailers want a cashless society as it reduces the risk of theft by staff and lowers their costs. Despite this, retailers are regularly the subject of attacks on their Point of Sale (PoS) systems.
Health clubs hold financial and medical data on customers. Most health clubs are required by law to conduct a medical interview with customers before starting them on a fitness programme. While this does not produce very detailed data, it does include information about current health issues and the customer's doctors. For a hacker, this information is the gateway to gaining access to other medical data.
Membership organisations hold a lot of other interesting data about individuals. Their interests, likes, dislikes and purchasing history for goods sold by the organisation are just some of that data. They also tend to hold a lot of personal data, gathered through constant surveys of their members. While they are beginning to do more in terms of encrypting that data, they often need better advice rather than abuse for being lazy.
The big stick is coming
Given the lack of trust evident from this survey, it is surprising that regulators are not doing more. The European General Data Protection Regulation (GDPR) comes into force within the next 18 months. When that happens, the level of fines for losing personal data increases massively. Regulators will, however, need to enforce it.
Irrespective of Brexit, the UK is going to adopt this regulation, and that is a good thing. It will require companies to protect data or, in some cases, cease trading. Add this survey to that legislation and the companies at the bottom of the list need to do much more.
Customers must take more responsibility
The report confirms what most people already know: passwords are the biggest weakness. Even when asked to change their passwords, fewer than 66% actually did so. In the US that number drops to 53%. The majority of users do not change passwords on other sites, which means that password reuse leaves them open to multiple attacks. The biggest issue here is that users do not see the benefits of multi-factor authentication. When given the option to use it, fewer than 10% in the UK and Germany and only 15% in the US implemented it. This is shocking and shows that businesses are failing to explain the benefits while customers simply do not get it.
Andy Heather, Vice President and Managing Director EMEA at Centrify, commented: “People can no longer afford to put their data at risk. To protect themselves and their personal information, they need to improve their password hygiene and follow simple precautionary steps, such as monitoring their online accounts and frequently changing their passwords. They should also look to organisations, including retailers and banks, to offer additional or next-level security such as multi-factor authentication (MFA) or biometrics as part of their own security processes and do business with them.”
This is an interesting survey, although a wider set of participants would have given a more balanced picture. There were just 800 per country, with only the UK, US and Germany involved. It is interesting that the loss of family data, rather than financial and medical records, worries people more. That family data is often used as the basis of many security challenge-response systems. Hackers can also use it to build a better profile of an individual, allowing them to move from bank theft to identity theft. This is a much more insidious and far-reaching attack that impacts users for years.
Perhaps the biggest surprise is that customers still shun multi-factor authentication. How long before compensation from companies reflects the fact that their customers' poor security is part of the problem?