Q&A with Alan Edwards, Integralis

In RANT ByTeam Acumin / 22nd May 2013

Integralis recently released the results of a survey into online data protection and trust. What was the key takeaway figure from that research? (http://integralis.com/en/about-integralis/integralis-in-the-news/nid-00241/one-in-four-customers-admit-they-do-not-trust-companies-to-secure-their-personal-information-online/)
If you look at organisations today, many will have implemented a security strategy based on perimeter defence. The principal is simple, build a wall high enough to keep the bad guys out, and control the resources (people, processes and technology) that operate inside the firewall (perimeter).

However, many businesses have consumers who are connected to them in order to do business, which calls into question the original idea of the ‘perimeter’ or at least raises the question of where the perimeter now is. If I’m connected to my bank I am part of their network, and unknowingly have as much potential to introduce risks onto the bank network as one of their employees. My interaction with the bank could, inadvertently, create a problem for the bank in the same way that an employee could.

Maybe it’s time for organisations to consider the fact that the perimeter has gone and to treat customers who connect to them in the same way as they treat their staff, in terms of education  and making them  aware of the risks.

Banks seemed to do well in terms of trust online, with 63% of respondents trusting their bank with online transactions. Why do you think that is?
Despite what has happened recently, banks have historically been trusted and, in an online sense, banks do better at educating their customers. In my experience banks lead the way in communicating with customers in terms of which attacks they may be vulnerable to. They are also good at educating customers in what they can do to protect themselves, which in turn helps protect the bank from risks borne by online users.

Banks have also been proactive in terms of security measures like two factor authentication. That seems to be a conscious decision from the banks, who see their customers are part of their network and are therefore extending this level of authentication to them too.

Social networks came out bottom in terms of trust online – but that lack of trust doesn’t seem to stop people from using them.
Social networks top the overall usage charts, but rank bottom in terms of trust. It seems that in the online world people behave totally differently, and convenience overweighs any risks.

Turning to the RANT conference – these stats should worry attendees, if the vast majority of people simply don’t trust online businesses with their data.
The message to attendees is about how you start to bring trust into your risk or information security strategy. If the focus is just on the perimeter and not on the access consumers have to the network, then it is likely that your data is at greater risk, and that your users don’t trust you as much as you perhaps would like.

What is the message Integralis wants to deliver to the event?
The title of the discussion we’re running is ‘In banks we trust and in trust we bank’. Our message to CISOs is to start considering your customers as part of your network, and educate them and provide the tools to protect themselves just as you would with staff. In this way not only will your business be more secure, but your customers may even start to invest their trust – which must be worthwhile.