How CIOs Deal With Customer Privacy Issues
Imagine going out with friends on a Friday night. You’ve gotten yourself ready and agreed together on the perfect spot to eat. The restaurant, however, only accepts cash. This isn’t a big deal: all you need to do is stop by an ATM and withdraw some money. It’s payday, so you have plenty. You pull up to a local bank, hop out, and enter your information at the ATM. The screen, however, reports insufficient funds. You try again, because this is obviously an error, but the screen shows the same message. After calling your bank, you realize your information has been stolen.
Customer privacy has been a concern for as long as data has been collected and stored. The threat has been amplified since the late 90’s as the internet became a household utility, easily accessible from every home. Because data is now gathered in greater detail, more easily, and faster than ever before, companies have gone to great lengths to protect personal information from those who wish to steal it. As a result, CIOs have been tasked with providing insight and helping to prevent theft of information. CIOs have largely concluded that four main areas need to be addressed when dealing with privacy issues. These areas include, but are by no means limited to: encrypting, to protect information from being easily viewed and distributed; spending, to protect and upgrade current protection systems, because much of the current infrastructure isn’t up-to-date and spending lags far behind how much money can potentially be lost; guarding against self-inflicted breaches, meaning ensuring the company has plans in place to train employees and keep information private; and ensuring company policies are in place so there is a shared understanding of what is considered protected and how to keep protected data from being stolen. We will cover each area in detail below to identify the problems CIOs encounter most often when dealing with privacy.
Encryption is probably the first step a CIO should take when trying to protect privacy. Encryption can deter and defend against theft and distribution because decrypting the information without the key is so difficult. Encryption is, at its core, the transformation of readable information (plaintext) into an unreadable form (ciphertext) to prevent theft. The transformation is governed by a key chosen by the party doing the encrypting, and only someone holding the right key can reverse it; in that sense it is the opposite of an operating system turning binary code into readable words. This is an important part of a CIO’s job because encryption plays a vital role in the security assurance of IT systems and communications: it provides not only confidentiality, but also authentication, data integrity, and non-repudiation (the sender cannot deny having sent the information). (Rouse, 2014)
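The properties named above (confidentiality, integrity, and authentication of the sender) can be seen in a small program. The following is an added example, not code from the original paper or from any of its cited sources. It uses only the Python standard library, so the cipher is an illustrative HMAC-in-counter-mode construction rather than a standard algorithm, the stored record is constructed sample data, and the keys are generated at random for the demonstration.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

NONCE_LEN = 16   # random per-message value so equal plaintexts give different ciphertexts
TAG_LEN = 32     # HMAC-SHA256 output length


def derive_keys(master_key: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and authentication keys from one shared master key.
    HMAC is used here as a simple key-derivation function (illustrative, not a named standard)."""
    enc_key = hmac.new(master_key, b"encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"authenticate", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC-SHA256(enc_key, nonce || counter) blocks concatenated.
    Anyone without enc_key cannot predict the keystream, so XORing it onto the
    plaintext hides the plaintext (confidentiality)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(master_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = derive_keys(master_key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    # The tag binds nonce and ciphertext to the key: integrity and sender authentication.
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(master_key: bytes, message: bytes) -> Optional[bytes]:
    """Verify the tag first; return None (reject) on any tampering or wrong key."""
    enc_key, mac_key = derive_keys(master_key)
    if len(message) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


def demonstrate() -> dict:
    """Show each property on a constructed customer record; returns the outcomes."""
    master_key = os.urandom(32)                     # shared secret (constructed for the demo)
    record = b"account=12345678;balance=2500.00;owner=J. Doe"   # constructed sample data
    message = encrypt(master_key, record)

    tampered = bytearray(message)
    tampered[NONCE_LEN + 10] ^= 0x01                # flip one bit inside the ciphertext

    return {
        "ciphertext_hides_plaintext": record not in message,
        "roundtrip_ok": decrypt(master_key, message) == record,
        "tampered_rejected": decrypt(master_key, bytes(tampered)) is None,
        "wrong_key_rejected": decrypt(os.urandom(32), message) is None,
    }


if __name__ == "__main__":
    for name, ok in demonstrate().items():
        print(f"{name}: {ok}")
```

The tag is checked before any decryption happens, so a modified record or a message from someone without the key is rejected outright rather than yielding garbage. Note that a shared-key tag gives authentication but not non-repudiation: both sender and receiver hold the same key, so either could have produced the tag, and non-repudiation requires a digital signature made with a key only the sender holds. In production systems this construction would be replaced by a vetted authenticated-encryption mode from a maintained library.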
Second is spending to protect and upgrade current protection systems. Consider this: “The cost of a cyberattack for the average hospital is $3.5 million, but according to a HIMSS survey, 46 percent of hospitals spend less than $500,000 annually on cybersecurity.” (Green & Jayanthi, 2016) This is a huge concern. So how should a CIO correct this issue? It hinges on convincing senior leadership that the cost of protecting stored information is small compared with the potential losses. The statistic above covers just one successful attack, and most organizations endure multiple attacks a year. By presenting money lost against money spent, a CIO should be able to make tremendous strides in funding information protection strategies and systems.
Next is guarding against self-inflicted breaches of security. These take many forms. Whether caused by ignorance, accident, or deliberate intent, they may be the biggest threat a CIO faces. To guard against ignorant and accidental releases, employees must be trained through formal training channels. Training should include an initial course and refresher training throughout the employee’s time with the company. To guard against deliberate misuse, “Identify all privileged accounts and credentials [and] immediately terminate those that are no longer in use,” then “closely monitor, control and manage privileged credentials to prevent exploitation.” (Schiff, 2015) Lastly, indicators or alarms should be employed to notify CIOs and their staff when a possible release or theft has occurred. Alerting the right people promptly can curb an unintended release of information before it leaves the facility or reaches the internet.
Finally, CIOs must ensure company policies are in place to prevent releases of information and keep employees informed. The programs established within a company directly affect how employees put practices into place. If a company’s policies are weak, so too will be its practices. The opposite is also true: companies that have strong policies in place are likely to employ staff who adhere to the correct way of doing business. When consumers are surveyed, “80 percent say they are more likely to purchase from consumer product companies that they believe protect their personal information. Furthermore, 70 percent of consumers would be more likely to buy from a consumer product company that was verified by a third party as having the highest standards of data privacy and security.” (Conroy, Narula, Milano, & Singhal, 2014) This speaks volumes for ensuring strong policies are in place so a CIO’s company can compete at a higher level in its industry.
As you can see, CIOs have varied responsibilities with regard to keeping customer information private and out of reach of those who wish to steal it. The first responsibility is encrypting, to protect information from being easily viewed and distributed. The next is spending to protect and upgrade current protection systems, because much of the current infrastructure isn’t up-to-date and spending is far behind. The third is guarding against self-inflicted breaches, to keep consumers safe and the business as secure as possible internally. The last is ensuring company policies are in place so there is a shared understanding of what is considered protected and how to keep protected data from being stolen. While these four areas aren’t all-inclusive, they are the foundation from which CIOs can keep customer data from being stolen. After all, does a CIO really want their customers to end up in the situation illustrated at the beginning of this paper? If CIOs apply these foundational principles, that scenario shouldn’t take place, or at least shouldn’t originate from their own businesses.
REFERENCES:
Rouse, M. (2014). What Is Encryption? Retrieved February 18, 2017, from
Green, M., & Jayanthi, A. (2016, January 21). 8 CIO concerns for 2016. Retrieved February 18, 2017, from
Schiff, J. L. (2015, January 20). 6 Biggest Business Security Risks and How You Can Fight Back. Retrieved February 18, 2017, from
Conroy, P., Narula, A., Milano, F., & Singhal, R. (2014, November 13). Building consumer trust. Retrieved February 18, 2017, from https://dupress.deloitte.com/dup-us-en/topics/risk-management/consumer-data-privacy-strategies.html