Five Security And Privacy Measures That Software Companies Can Take Now

Post written by

Vijay Sundaram

Chief Strategy Officer at Zoho Corporation overseeing strategy, channels, and various marketing and operational efforts.

The widely publicized Equifax data breach of 2017 should have been a wake-up call for companies around the world to increase security measures. Two years later, in July 2019, Equifax offered a settlement agreement of up to $700 million in response to a nationwide consumer class-action lawsuit. One day after this settlement was announced, the FTC pushed Facebook to submit a review — every quarter — of the "privacy of every new product or service it develops." This was on the back of a $5 billion fine imposed by the FTC and on top of a separate fine from the SEC of $100 million. Public patience with lax security and privacy of their personal information seems to have worn thin, and businesses will need to put this right on the top of their stack of priorities. It is now a matter of business survival.

There is so much noise in the media about data breaches and other compromises that it can be hard for businesses, consumers and the general public to understand their exposure and identify credible threats. They are likely going to place this responsibility squarely on their service providers and could both litigate and take their business elsewhere if their providers do not measure up. It’s only a matter of time before another Equifax happens, and small companies will be just as vulnerable as the larger ones.

While new privacy laws are being reviewed and implemented — including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the recently proposed Data Care Act introduced in the U.S. Senate — they could become just table stakes for corporate compliance. Companies may be expected to do more — refine their business models and practices and go beyond offering mere compliance with these standards.

As chief strategy officer at a cloud software company, I would like to share some approaches and recommendations we've considered that all software companies can undertake to address the urgent demands from their customers around security and privacy.

Deploy Your Own Security Hackers

Many businesses have some form of internal cybersecurity team. In software, a typical vendor will employ two teams — red and blue — that will perform regular penetration tests and create security solutions, respectively. These teams will have a lot of independence and will be removed from the traditional chains of command to ensure their autonomy and authority. Such teams are often necessary to protect customer data, but businesses should not rely solely on internal teams to ensure customer privacy and security.

One strong additional step for businesses is to hire an outside white hat hacker or hacking team to uncover weaknesses. Companies can also host private or public "bug bounty" competitions where hackers are rewarded for detecting vulnerabilities, and the companies receive third-party insight into the strength of their data security.

Build Trust Through Certificates Of Compliance

The finance and healthcare industries both have extensive compliance requirements; software companies have less stringent ones. If you want to protect your company's reputation as one that offers solid customer privacy and security, take the step to secure certificates of compliance. The baseline certification is ISO/IEC 27001, the international standard for information security management systems. When you have this certification, you can help demonstrate that your company follows security best practices and conducts assessments to determine that data is adequately protected. If your company offers cloud services, consider securing a SOC 2 Type II certificate of compliance. This requires companies to establish and follow strict security policies and procedures regarding customer data, and the Type II report covers whether those controls operated effectively over the audit period, not merely whether they exist on paper.

Limit The Customer Data You Actually Need

Many companies offer their software on a limited trial basis with the intention of converting trial users to paying customers. To hedge this bet, some companies will ask for and require much more customer information than is necessary to run the trial. This way, companies that do not convert trial users into customers can still make money selling off their data. Savvy potential customers are wary of being asked for anything more than basic contact information — often this can be as simple as a name and email address — for a trial period. If they love the product, they will sign up and provide the necessary additional information. That should be enough.

Store Customer Data Only As Long As Necessary

Along the same lines, many companies make the mistake of saving unnecessary data gleaned from either potential customers who don't ultimately sign up or from customers who have not used a product or service for an extended period of time. While it's OK to keep the data for short-term marketing and sales reasons, keeping it long-term creates greater security risks for both the company and its trial and temporary customers. Think about it: As a consumer yourself, how would you react if your own personal data was compromised because of a trial you signed up for years ago?

Consider The Risk Of Converting Data To Revenue

AI and other business intelligence tools — applied diligently to customer information — can certainly improve your marketing and sales. They can also improve the overall customer experience. However, if your business model is predicated on gathering, parceling and selling user data to advertisers, your business could be compromised right at the start. That’s a bridge too far for many customers, and no amount of assurances and settlements can set right a countervailing profit strategy. All this means is that businesses need to be proactive and public with their security and privacy practices. But it doesn’t all fall on businesses. There are websites that list companies that buy and sell data, which customers can consult.

A regulated free market compels companies to comply with security and privacy rules, even as the rules themselves evolve. Even strict compliance and honest dealings cannot guarantee the safety of your customer data. Forward-looking companies will start to distinguish themselves in the areas of customer privacy and security. They will evolve practices ranging from the mundane to the innovative to build this into a competitive advantage. Corporate practices to protect themselves and their customers may not just be driven by top-down executives or legal edicts, but could also become the daily responsibilities of all employees as they get baked into their jobs. Be part of this coming change.

Forbes Business Development Council is an invitation-only community for sales and biz dev executives. Do I qualify?