It shouldn't take much to convince companies to invest more in protecting their customers' personally identifiable information (PII). After all, the addresses, birth dates, social security numbers, credit card and bank account details that businesses collect are exactly what attackers want, and tremendous brand damage follows when that data is stolen and leaked.
Believe it or not, we still engage organisations that are cutting corners in handling their customers' data. If these companies do business in the European Union, they are in for a rude awakening once the General Data Protection Regulation (GDPR), legislation that will punish businesses severely for mishandling personal data, applies from May 2018. Protecting this data goes beyond your internal data governance processes; it tests how well the business governs customer data beyond its own firewall. What measures are being taken to protect customer data once it is handed to external cloud vendors, for example, and who has verified that those measures are actually in place?
Attackers are only getting more sophisticated, and digital applications more complex: a typical application is assembled from technologies supplied by different vendors and deployed across many platforms, so customer data flows through several organisations before it comes to rest. Enterprises are having boardroom discussions about customer identity security, and PII protection is no longer a job for a single internal IT group. With growing regulation around customer data, independent third-party validation of how sensitive data is handled is now a must.
This is hardly a news flash for tech giants like Microsoft, Amazon Web Services and Google, which have renewed third-party PII-handling certifications annually for some time now, and tend to see security validation as a basic cost of doing business. However, many cloud providers that do extensive business in the EU still wince at the time, hassle and expense of these certification processes. With GDPR looming, here are four reasons why cloud providers smaller than AWS and the like need to view third-party, customer PII–specific certifications as a necessity rather than a luxury:
1. GDPR violations will be expensive
This is a no-brainer. Under GDPR, the most serious violations carry fines of up to €20 million or four percent of annual global turnover, whichever is higher, and EU regulators can be expected to make an example of companies soon after the regulation applies. GDPR's definition of "personal data" is also broader than the traditional notion of PII: it explicitly covers online identifiers such as IP addresses and device identifiers, and treats biometric data used to identify a person, such as fingerprint or facial-recognition templates, as a special category subject to stricter rules. All of this is high-value data for bad actors.
The EU's message is clear: safeguarding customers' most precious data better be one of your highest business objectives, or it will cost you.
2. Standards have improved dramatically
A few years ago, the cloud was still talked about as if it were the Wild West. The industry has since matured significantly, and best practices have been steadily refined. Standards bodies such as the Cloud Security Alliance (CSA) and the International Organisation for Standardisation (ISO) now publish purpose-specific standards for cloud security, including controls aimed squarely at protecting PII in public cloud services (ISO/IEC 27018 is the code of practice for exactly that), and an ecosystem of accredited auditors tests providers against them. These bodies have thought about elements of PII protection that many providers have not considered, or have considered but never got round to remediating; an audit against the standard surfaces those gaps.
3. Certification saves your clients hassle, too
Meeting the exacting standards of bodies like ISO and CSA doesn't just benefit you; it saves your clients and prospects the expense and trouble of conducting their own security audits during vendor evaluation. Potential customers fret quite a bit about the viability, stability and reliability of smaller technology providers, a fact of life when you are not an established stalwart like Microsoft. One caveat a diligent client will still apply: a certificate attests to a defined scope of systems and processes at a point in time, so make sure the scope actually covers the services that will hold their customers' data.
Investing up front in third-party certification specifically for PII handling demonstrates the vendor's commitment to security and provides peace of mind for all parties: the vendor, its clients, and those clients' customers.
4. Hackers will find the weakest link
GDPR fines aside, mishandle PII and your business may not survive the breach: customer churn, litigation and lost contracts follow quickly. Attackers evolve their methods almost as fast as best practices improve, so it is critical to keep pace with them, and an attacker targeting a large enterprise will happily go through the smallest, least scrutinised vendor in its supply chain.
Many companies settle for self-audits. CSA's STAR Level 1, for example, is a self-assessment: the provider fills out a questionnaire and publishes its own answers, with no independent party checking that the stated controls exist or work. It takes STAR Level 2, a third-party audit, before anyone other than the provider has verified those claims. Does your IT department know everything these standards bodies know? Still think you don't need the perspective of an independent auditor?
At the end of the day, saving on PII certification could be penny-wise and pound-foolish. You shouldn't need GDPR to make it a business imperative.
Jim Kaskade is CEO of customer identity and access company Janrain
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.