“Trust is earned when actions meet words.” — Chris Butler
The quote above encapsulates the definition of trust — walking the walk after talking the talk. When it comes to the business world, brand reputation is built on earned trust and perceived integrity. For a business to succeed, trust must be built internally with employees and externally with customers, partners, vendors, and the community.
In today’s digital business world, a large component of trustworthiness depends on business processes and data governance. With the massive amount of sensitive data and personally identifiable information (PII) that businesses of every size collect daily, customers and employees have to trust that organisations are acting responsibly with their information. And it can impact the bottom line:
– 65% of data breach victims lost trust in an organisation due to the breach
– 80% of consumers will move to a competitor if they don’t trust an organisation is handling their data responsibly
So how does a business go about defining and measuring something as seemingly intangible as “trust?” The American Institute of Certified Public Accountants (AICPA) developed the five Trust Services Criteria (formerly the Trust Services Principles). They are meant to be used in SOC 2 attestation reports and compliance audits, but they provide a great framework for any business interested in assessing and improving its trust levels.
Below, we dive into how these five trust principles can be used to help improve your cybersecurity stance.
1. Security
The AICPA defines security to mean that “information and systems are protected against unauthorised access and disclosure.” This requires a proactive stance — you’ve got to take action and put safeguards in place to defend your systems and data from being accessed by the wrong people.
To provide comprehensive coverage against a variety of attack vectors, cybersecurity experts recommend a layered approach (defence in depth) that stacks controls such as endpoint security, email and anti-phishing security, network security, mobile security, and end user security training, so that a failure of any single layer does not hand an attacker the whole environment.
A crucial component of cybersecurity is identity protection and access management to allow the right people in and keep the wrong people out of your systems, apps, and data. This includes:
– Enforcing strong password policies (current NIST SP 800-63B guidance favours length and screening against known-breached passwords over complexity rules and forced periodic rotation)
– Providing a password management tool to help employees comply with password policies
– Enabling multifactor authentication, preferably phishing-resistant methods such as FIDO2 security keys rather than SMS codes
– Applying conditional access rules
2. Confidentiality
Confidentiality is about protecting information that the organisation has designated as confidential. Ensuring it across an organisation requires appropriate data governance, so that only the right people have access to the information they require. However, one survey found that 48% of businesses allow employees to access more data than necessary and 12% allow employees to access all company data! Do you know how much access to company data your employees have?
Applying the principle of least privilege means that people in your organisation have access only to the information they need to do their job, which reduces the chance of sensitive or proprietary information being leaked and limits what a single compromised account can reach. This requires data classification policies that restrict access based on classification level. Common classification levels used within businesses are “public,” “internal,” “sensitive,” “proprietary,” “highly confidential,” and “restricted.” Keep it simple and don’t create too many classification categories, or you risk confusing employees and ending up with wrongly classified documents. Access also needs to be reviewed periodically: privileges accumulate as people change roles, so a least-privilege model decays unless it is re-checked.
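The access review described above can be automated. The script below is an added example, not code from the original article: it models a short classification ladder, answers access requests with a deny-by-default check, and audits a constructed user directory for accounts holding grants above the ceiling their role requires. The roles, role ceilings, users and grants are all assumptions made up for illustration.

```python
"""Least-privilege audit over a classification ladder (added example)."""
from dataclasses import dataclass

# Ordered classification ladder: a grant at one level implies read access
# to everything below it. Kept deliberately short, as the article advises.
LEVELS = ["public", "internal", "confidential", "restricted"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Highest classification each role needs to do its job (assumed policy).
ROLE_CEILING = {
    "marketing": "internal",
    "engineer": "confidential",
    "finance": "restricted",
}


@dataclass
class User:
    name: str
    role: str
    grants: set  # classification levels actually granted to this account


def can_access(user: User, level: str) -> bool:
    """Deny by default: allow only if some grant is at or above the data level."""
    if level not in RANK:
        raise ValueError(f"unknown classification {level!r}")
    return any(RANK.get(g, -1) >= RANK[level] for g in user.grants)


def excess_grants(user: User) -> set:
    """Grants above what the user's role requires: least-privilege violations."""
    ceiling = RANK[ROLE_CEILING[user.role]]
    return {g for g in user.grants if RANK.get(g, -1) > ceiling}


def audit(users):
    """Map each over-provisioned account to its excess grants, and return the
    share of accounts that hold more access than their role needs."""
    report = {u.name: sorted(excess_grants(u)) for u in users if excess_grants(u)}
    share = len(report) / len(users) if users else 0.0
    return report, share


# Constructed sample directory (not real data).
SAMPLE_USERS = [
    User("alice", "marketing", {"internal"}),
    User("bob", "marketing", {"internal", "restricted"}),  # over-provisioned
    User("carol", "engineer", {"confidential"}),
    User("dave", "finance", {"restricted"}),
    User("erin", "engineer", {"restricted"}),              # over-provisioned
]

if __name__ == "__main__":
    report, share = audit(SAMPLE_USERS)
    for name, extra in report.items():
        print(f"{name}: holds {extra} beyond the role ceiling")
    print(f"{share:.0%} of accounts exceed least privilege")
```

In a real environment the directory would come from the identity provider or the file-share ACLs, and the interesting output is the list of accounts to fix, not the percentage.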
Email and file encryption is another important element of confidentiality, ensuring that only the intended recipient can read the information. Encryption in transit (TLS for web traffic and mail delivery, for example) means that traffic which is intercepted cannot be read, and encryption at rest means that a stolen laptop, disk or backup is useless without the key. Encryption protects data only as well as the keys are protected, so key management is part of the control.
3. Privacy
Confidentiality and privacy are closely related and can almost seem like synonyms, but there are nuances. Confidentiality is about protecting information the business designates as confidential, whatever its subject, while privacy is about how personal information is collected, used, retained, disclosed and disposed of, and therefore about protecting the individuals that information identifies.
In the digital age, data that can be used to identify, contact, or locate a specific person is called personally identifiable information (PII). This includes information such as:
– Full legal name
– Social Security number (US)
– National Insurance number (UK)
– Driver’s license or passport number
– Bank account number
– Home address
– Email address
– Biometric information
– Information such as place of birth, date of birth, and mother’s maiden name
PII is a valuable target for attackers during a data breach. And in a world where consumers must set up online accounts to do business with most organisations, personal data is constantly at risk. In fact, 155.8 million individuals in the US were affected by a data exposure in 2020 and 70% of Americans say their personal data is less secure now than it was five years ago.
To protect consumers, legislation has begun to catch up through regulations such as the Health Insurance Portability and Accountability Act (HIPAA), which covers health data, and the California Consumer Privacy Act (CCPA) in the US, and the General Data Protection Regulation (GDPR) in Europe. Companies must ensure that they are complying with all relevant regulations for their location, their customers’ locations, and their industry, or else face fines, penalties, and even legal action.
Data loss prevention (DLP) solutions use policy templates and classification labels to identify sensitive information and prevent it from leaving the organisation or being shared with the wrong people. For example, you could create a policy that detects Social Security number formats, flagging any number structured as XXX-XX-XXXX and blocking it from being forwarded, printed, or shared in documents or emails. A bare pattern match produces false positives (ticket and invoice numbers, phone fragments), so good DLP rules pair the pattern with validation of the number’s structure and with nearby keywords such as “SSN”, and they are tuned in monitor mode on real traffic before being switched to block.
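The SSN rule described above, implemented as an added example that is not code from the original article or from any DLP product: a pattern match for XXX-XX-XXXX, followed by the Social Security Administration’s published structural rules (area 001-899 excluding 666, group 01-99, serial 0001-9999), an optional keyword-context requirement, a block/allow decision, and a redaction helper for safe logging. The sample messages are constructed.

```python
"""DLP-style detection and redaction of US Social Security numbers (added example)."""
import re

# Match XXX-XX-XXXX that is not embedded in a longer run of digits. On its own
# this also fires on ticket or invoice numbers, so every hit is validated below.
SSN_PATTERN = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")

# Keywords that, when they appear shortly before the number, raise confidence.
CONTEXT = re.compile(r"\b(ssn|social security)\b", re.IGNORECASE)


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules: area 001-899 but never 666; group and serial non-zero."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def find_ssns(text: str, require_context: bool = False):
    """Return the structurally valid SSNs in text, optionally only those
    preceded (within 40 characters) by an SSN keyword."""
    hits = []
    for m in SSN_PATTERN.finditer(text):
        if not is_valid_ssn(*m.groups()):
            continue
        if require_context and not CONTEXT.search(text[max(0, m.start() - 40):m.start()]):
            continue
        hits.append(m.group(0))
    return hits


def dlp_decision(text: str, threshold: int = 1, require_context: bool = False) -> str:
    """'block' when at least `threshold` SSNs are present, otherwise 'allow'."""
    return "block" if len(find_ssns(text, require_context)) >= threshold else "allow"


def redact(text: str) -> str:
    """Mask valid SSNs, keeping the last four digits, so the event can be logged."""
    def _mask(m):
        return f"***-**-{m.group(3)}" if is_valid_ssn(*m.groups()) else m.group(0)
    return SSN_PATTERN.sub(_mask, text)


# Constructed sample messages (not real data).
SAMPLES = [
    "Please onboard the new hire, SSN 123-45-6789.",
    "Ticket 000-12-3456 is closed; fax 666-55-1234 if needed.",
    "Invoice 12345-67-8901 attached.",
    "Order 123-45-6789 shipped",  # valid pattern but no SSN context
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{dlp_decision(s):5} {dlp_decision(s, require_context=True):5} {redact(s)}")
```

Running the sample shows the trade-off a DLP administrator tunes: the last message is blocked by the pattern-only rule but allowed when keyword context is required, which cuts false positives at the cost of missing an SSN sent without a label.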
4. Availability
Availability, according to the AICPA, means that “information and systems are available for operation.” When assessing availability, take a moment to think about these questions:
– Do your systems have enough capacity to handle peak load, and do you monitor for it?
– Are you backing up data, including an offline or immutable copy that ransomware cannot reach, and have you tested restoring from it after a system failure?
– Do you have business continuity and disaster recovery solutions in place to ensure your business can continue mission-critical operations in the face of a disruption, such as natural disasters, power outages, or cyberattacks?
– Do you have an emergency communications plan?
– Do you regularly test your disaster response plans?
5. Processing Integrity
The AICPA defines processing integrity as making sure that “system processing is complete, valid, accurate, timely, and authorised to meet the entity’s objectives.” This includes accurate data processing and storage from end to end. Do the outputs of your systems align with the inputs? If you have processing errors, do you address them in a timely way? How do you store, back up, and archive data?
Correct processing means that your organisation is operating in the way it intends to, and is providing the services it agrees to provide at the level it agrees to provide them. This is hugely important to your brand reputation — if customers don’t receive the service or product they expect, they will no longer trust your business.
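One concrete way to answer “do the outputs align with the inputs?” is to reconcile every batch with control totals. The script below is an added example, not code from the original article: a toy payment-processing stage that never silently drops a record, followed by a reconciliation that checks the five attributes in the AICPA definition (complete, valid, accurate, timely, authorised). The payment records, the authorised-source allow-list and the one-hour lag limit are constructed assumptions.

```python
"""Control-total reconciliation for a batch pipeline (added example)."""
from datetime import datetime, timedelta

AUTHORISED_SOURCES = {"web-checkout", "pos-terminal"}  # assumed allow-list


def is_valid(rec: dict) -> bool:
    """Valid: required fields present and amount a positive integer in cents."""
    return (isinstance(rec.get("id"), str)
            and isinstance(rec.get("amount_cents"), int)
            and rec["amount_cents"] > 0
            and isinstance(rec.get("source"), str)
            and isinstance(rec.get("ts"), datetime))


def amount(rec: dict) -> int:
    a = rec.get("amount_cents")
    return a if isinstance(a, int) else 0


def process(records):
    """Accept valid records from authorised sources. Rejects are returned,
    not discarded, so every input can be accounted for at reconciliation."""
    accepted, rejected = [], []
    for r in records:
        ok = is_valid(r) and r["source"] in AUTHORISED_SOURCES
        (accepted if ok else rejected).append(dict(r))
    return accepted, rejected


def reconcile(inputs, accepted, rejected, now, max_lag=timedelta(hours=1)) -> dict:
    """Named checks over a processed batch; all True means it reconciles."""
    out_ids = [r["id"] for r in accepted]
    return {
        # complete: every input landed in exactly one output set, no duplicates
        "complete": len(inputs) == len(accepted) + len(rejected)
                    and len(set(out_ids)) == len(out_ids),
        # valid: nothing malformed made it through
        "valid": all(is_valid(r) for r in accepted),
        # accurate: control totals agree, so no amount was altered or lost
        "accurate": sum(map(amount, inputs))
                    == sum(map(amount, accepted)) + sum(map(amount, rejected)),
        # timely: accepted records were processed within the agreed lag
        "timely": all(now - r["ts"] <= max_lag for r in accepted),
        # authorised: only approved sources produced output
        "authorised": all(r["source"] in AUTHORISED_SOURCES for r in accepted),
    }


def run_batch(records, now):
    accepted, rejected = process(records)
    return accepted, rejected, reconcile(records, accepted, rejected, now)


# Constructed sample batch (not real data).
NOW = datetime(2024, 1, 1, 12, 0)
SAMPLE_BATCH = [
    {"id": "p1", "amount_cents": 1999, "source": "web-checkout", "ts": NOW - timedelta(minutes=5)},
    {"id": "p2", "amount_cents": -500, "source": "web-checkout", "ts": NOW - timedelta(minutes=5)},    # invalid amount
    {"id": "p3", "amount_cents": 2500, "source": "partner-upload", "ts": NOW - timedelta(minutes=5)},  # unauthorised source
    {"id": "p4", "amount_cents": 4200, "source": "pos-terminal", "ts": NOW - timedelta(minutes=10)},
]

if __name__ == "__main__":
    accepted, rejected, checks = run_batch(SAMPLE_BATCH, NOW)
    print("accepted:", [r["id"] for r in accepted], "rejected:", [r["id"] for r in rejected])
    for name, ok in checks.items():
        print(f"{name:10} {'ok' if ok else 'FAIL'}")
```

The value of the control total is that it catches the failure modes the paragraph warns about: a record altered in flight fails `accurate`, a record dropped or processed twice fails `complete`, and a backlog fails `timely`, each surfacing as a named check that can be alerted on rather than discovered later by a customer.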