Dave Bittner: [00:00:01:11] You can show your support for the CyberWire by visiting patreon.com/thecyberwire, and signing up today, to help support our show. Thanks.
Dave Bittner: [00:00:12:21] Our podcast team is taking a bit of a break this week for the upcoming Thanksgiving holiday. But not to worry, we've got brand new extended interviews with interesting people lined up for you, and you can still get your daily dose of cybersecurity news on our website thecyberwire.com, where you can subscribe to our daily news brief and stay up on the latest. Stay with us.
Dave Bittner: [00:00:38:22] A quick note about our sponsors at E8 Security. They understand the difference between a buzzword and a real solution, and they can help you disentangle them too - especially when it comes to machine-learning and Artificial Intelligence. You can get a free white paper that explains these new, but proven, technologies at e8security.com/cyberwire. We all know that human talent is as necessary to good security as it is scarce and expensive; but machine-learning and Artificial Intelligence can help your human analysts scale to meet the challenges of today's and tomorrow's threats. They'll help you understand your choices too. Did you know that while we might assume supervised machine-learning - where a human teaches the machine - might seem the best approach, in fact unsupervised machine-learning can show the humans something unexpected. Cut through the glare of information overload, and move from data to understanding. Check out e8security.com/cyberwire and find out more. And we thank E8 for sponsoring our show.
Dave Bittner: [00:01:46:04] My guest today is Jocelyn Aqua. She's a Principal at PwC, where her specialty is regulatory privacy and cyber security. Our conversation centers on a recently published report from PwC called Protect Me; what they describe as an in-depth look at what consumers want, what worries them, and what companies can do to earn their trust and their business.
Jocelyn Aqua: [00:02:07:18] You know, we have a very large privacy and cybersecurity team, and they're focused on helping companies globally trying to navigate the privacy and cybersecurity laws globally. We have had a lot of discussions with consumers in the private sector, and companies, trying to figure out why there's this feeling of distrust, and why they're getting a lot more questions and requests for data, and trying to figure out what's behind that. But, you can tell that there are a lot of individuals, based on the survey, that are not happy right now with the level of protection their data's receiving.
Dave Bittner: [00:02:46:09] Yeah, well take us through that. What are some of the key findings that you have here?
Jocelyn Aqua: [00:02:50:07] Well, I think the, the one is, the big one, the takeaway is that, only 25% of consumers feel like companies handle their personal information responsibly. That's a--That means 75% of people are very concerned, and are feeling like their data is, is vulnerable to hacks, that their sensitive data is not taken responsibly and used responsibly, that--88% said that, that companies' willingness to share information is predicated on trusting the company, and so therefore, if there's a lack of trust, that there really is a, a disinterest in, or a lack of interest in having data being used by companies for reasons that are other than what they gave it to them for.
Dave Bittner: [00:03:34:04] And is there any sense of what consumers want? How, how can we make this better from their point of view?
Jocelyn Aqua: [00:03:41:06] Sure. Well, I think first that having a plan to take action when there is cyber threat is very important, that consumers are expecting companies to take strong cybersecurity measures, and that it's the responsibility of, of that company and not the government to really protect the data. That companies are really, are--have to step up a little bit more and be demonstrating that they hire trustworthy data stewards, that they have strong cybersecurity programs in place, that if there is a hack that there is something that can be done to, to either show that they're making amends, and that there's more transparency in how data's being used, and shared, and retained. And I think that all has to do with increasing trust through transparency and communication.
Dave Bittner: [00:04:32:08] It was interesting to me, looking through some of the results, that 82% said that governments should regulate companies' use of data, and 80% said that government regulation of new technologies is crucial for consumer protection. So it fee--It seems to me like, in this department anyway, people perhaps want more regulation?
Jocelyn Aqua: [00:04:52:04] Well, I think part of it is just emerging technology is, is very new and unknown, and the, the use of AI, the use of interconnected devices has caused a lot of insecurity. They--People see them as vulnerable and open to either data breaches, or open to being used for purposes that are unknown, or, or perhaps could be used for more invasive consideration of people's information. And so, that tied into the fact that there's so many daily hacks, thinking that if the government could do more regulation in this regard, that that data would be more protected. Now at the same time, I think that there is also not necessarily a belief that government is going to be able to regulate right now; especially in the cyber context. And so they're--consumers are also saying that companies and the--while there are gaps, need to step up. And so, I think it's two-fold: needing--expecting, wanting the government to help regulate and make data more protected, but at the same time realizing that companies need to take control of themselves.
Dave Bittner: [00:05:59:10] I, I wonder, do you think this is a, a situation where companies could actually use security and privacy as a differentiating factor? I'm thinking of, of how, you know, some car brands would use safety as something that they would advertise, you know, like Volvo would say, our cars are safe.
Jocelyn Aqua: [00:06:16:01] Yes, certainly. I mean we are working with companies that are taking--Especially in terms of using the requirements of the EU General Data Protection Regulation - which many multinational companies are having to consider now - which has caused them to have to rethink how they're treating data, what they're doing with their data in their systems, how they're using it; and it's been sort of a foundational change in many US and glo--and multinationals to reconsider data protection and data security. This has been a trigger to really start thinking about data as both an opportunity to make money for a company, but also use the time and the opportunity as they're starting to secure their systems and build privacy in as a way to differentiate themselves. To say that, I really take privacy seriously, I want my employees to know that, I want my consumers to know that. I'm giving them more choices in how I--they--I use their data. I am protecting it in a way that's clear and transparent. It's been a trigger for many companies to start thinking. I think that coupled with the constant data breaches, I think that together is making companies start to really rethink both security and privacy as being really one of the top issues for, for companies today; especially ones that want to retain their customers and their consumers, and they want to be able to personalize service and have the ability to use data to benefit their industry.
Dave Bittner: [00:07:52:03] And I wonder too, with cybersecurity being something that I think for many consumers is mysterious, is there a need for a third party testing organization? You know, again, similar to the way that cars are tested for safety by a third party and they get rated, you know, if a company tells me that they're handling my data in a secure way and, and I say to, to them, prove it, that proof will probably come back to me in a way that is over my head.
Jocelyn Aqua: [00:08:17:22] Well, you know, I, I think many companies do use outside sources to test their systems, to make sure - both on the cybersecurity assessments and privacy assessments - to see if the, if the policies and procedures and practices of a company are actually being enforced. To see whether that the security of a, of a company is really actually what, what it says on paper. I think it's essential to have inside audit, out--external audit, some, some certification process. You know, interestingly the GDPR does not yet have a certification, but it does require companies to regularly audit and test, and make sure that what is coming in from the top is actually happening throughout the entirety of an enterprise.
Dave Bittner: [00:09:05:09] You know, one of the things that the survey looked at was the types of businesses that consumers trust most. Can you take us through who gets the highest rankings and who needs to up their game?
Jocelyn Aqua: [00:09:16:03] Yeah. You know, it was a little bit surprising to me. Banks and, and hospitals seemed to garner the most trust. I think both of them have some significant regulations, so that might be one of the factors in why. If you, you think of your financial institutions as, as being highly regulated, so they seem to have more trust. The health industry as well. I--You know, we were talking internally about this, and I think part of it has to do with your relationship with your bank and your, and your hospital and your, your healthcare providers. Where there is more open communication, and more personalized communication, I think there is a belief that there is more of a trust. Whereas, where there is a lack of an understanding of what, what's happening to your data - like in the technology, media and telecommunications industries - I think there is less control over data use, and there's less control over information and conversation between you and the providers, that I think it, it breeds fear and, and misunderstanding. It also allows for more vulnerability; I think people feel like their data's not being protected in the same way.
Dave Bittner: [00:10:24:01] One of the interesting elements in this survey was looking at different types of technology consumers--with, with emerging technologies. And I, I sort of raised an eyebrow when I saw that the top concern was chips in human skin. And I, and I mean, to me, this speaks more than any sort of technological reality, is perhaps, perhaps we have a PR and educational problem at hand here.
Jocelyn Aqua: [00:10:53:13] Well, I think those are the types of, of uses that get a lot of press.
Dave Bittner: [00:10:57:07] Right.
Jocelyn Aqua: [00:10:57:14] And, you know, and, and it really is seen as a, you know--when it's being done now and used, it's used to allow people to have freedom and it is, right now, used in some, in, in very early testing stages, but in certainly very small percentage of companies. But it is, it's, it's something where it, it brings up the whole issue of tracking, and what is acceptable to humans, and at what stage does tracking an individual become really a threat to their privacy or a choice.
Jocelyn Aqua: [00:11:28:13] If you're, or if you have a company and you're monitored, and that's part of your company's framework, you lose really your choice, you need to leave and do something else. And there is a growing trend of both for security and for, for efficiency, tracking employees. There's also the way to, to personalize service is to, is to really have a better, you know, understanding of people's activities, and that sometimes is being done now through AI and other, and other emerging tech practices. Now, that breeds distrust because people are not sure how this is going to work.
Jocelyn Aqua: [00:12:06:18] And so I think one of the big takeaways is that, as we start moving towards these very exciting opportunities to use technology for the better - to improve healthcare, to promote cybersecurity, to increase privacy - the fact that it can be used also to harm privacy and to invade people's personal space, and the fact that there is a real significant lack of regulatory or federal law to prevent some of this, that it's incumbent upon companies to be very transparent and to allow for some choices.
Jocelyn Aqua: [00:12:41:09] The, the privacy laws are all starting to become very, very similar. Everybody is, is writing their laws in a way that, that really tracks more the European philosophy of privacy than just the, the United States philosophy of, of promoting innovation first. And as, as other countries, and Asia, and South America start to right towards the GDPR, I think there needs to be more of a, of a consideration of when companies start building these types of, of frameworks, and you rely on such new and interesting technology to help personalize service and, and help really understand their customers. I think it's incumbent upon them to also make sure that they're open and, and provide clear guidelines as to what they're doing.
Dave Bittner: [00:13:31:07] We'll be back with the second half of my conversation with Jocelyn Aqua after this break.
Dave Bittner: [00:13:38:18] Time to share some news from our sponsor Cylance. Cylance has integrated its artificially intelligent CylancePROTECT engine into VirusTotal. You'll know VirusTotal as the free online service that analyzes files and URLs to identify viruses, worms, Trojans, and the other kinds of badness antivirus engines and website scanners pick up. Well, Cylance has pledged to help VirusTotal in its mission of making the security industry more perceptive, and the Internet a safer place. It's like public health for cyberspace. Free tools and services help keep everyone's risk down. Cylance sees their predictive approach to security as a contribution to the fight against cyber attacks, and they're now fully integrated as one of the analysis engines available in VirusTotal. Visit cylance.com and look at their blog for more on their contribution to our online immune system. And we thank Cylance for sponsoring our show.
Dave Bittner: [00:14:38:05] The survey also looked at what companies can do after a data breach to try to earn back trust from the consumers. Take us through, what did you learn there?
Jocelyn Aqua: [00:14:47:16] I think a lot of this has to do with communication, and trust is won back by communication as to what happened, what you're doing to fix it, what kind of benefits you're going to provide in the meantime to protect the data that has been leaked, and to provide some sort of steps that they're going to take to remediate these gaps in their security in the future. I think, because of the fact that there are so many, there isn't that high level of fleeing companies because of a data breach, as long as these steps are taken. I think what happens afterwards is--a breach and public discourse about improper or unexpected data use, is where I think brands-- or people are finally looking at a, at a company and saying, I don't think that that's where I want my information to stay. And so it's this, it's really this back and forth level of, of open communication, and information about why they're taking the steps, these incremental steps, to try to prevent this from happening again.
Dave Bittner: [00:15:54:20] Yeah. If I think about, you know, something like a bank, you know, as long as my bank has proper care of my money, my safe deposit box, that sort of thing - you know, I walk in that bank and I see, there's the vault and that's where all of the, you know, things are stored safely - if someone robs my local bank, I tend to not blame the bank, I'm going to tend to blame the bank robber. And I, I, feel like we're not quite there yet with consumers feeling like, perhaps organizations have, have that vault, they've done everything they can where it's really, you know, it's the robber's responsibility and not the banks.
Jocelyn Aqua: [00:16:28:04] Right. I, I think that's because, as a whole, companies haven't been as clear that they're meeting the highest levels of security standards. What you find out afterwards in some of these breaches, is that easy fixes, easy resolution could have prevented many of them; that some of them are just human error and there's not enough training; some of them are, are because patches were not patched. And that, that's frustrating to consumers, that more could have been done to prevent this; and that if there's a situation where it's a nation state actor, that the system was as secure as possible, you know, in modern times, then I think there's less of a threat to the company. I think that unfortunately, what's happening is you're seeing that so many of these actions could have been been prevented. And, you know, if, if a company can't prevent it, you know, can't just do the basic, standard cybersecurity protocols, then it does really start to erode your trust.
Dave Bittner: [00:17:30:21] So take us through some of the recommendations. Based on the information you've gathered, how can companies do a better job of putting consumers at ease?
Jocelyn Aqua: [00:17:38:24] So I, I would say that the first and foremost is putting cybersecurity and, and privacy really at the top of your business strategy - from top down - and figuring out ways to address it publicly and, and, and discuss your efforts in place. That you build trust--And this is what I think comes through on the paper is that, companies really need to implement robust data governance and give consumers this control over how their information is used. It has to be more than just speaking about it though. It has to really show in your web pages, and in your discussions, and your public statements that you are thinking about this and making it a foremost top priority.
Jocelyn Aqua: [00:18:19:07] I think that because of the fact that we don't have existing federal regulations on some of these issues, there's a lot of discussion about, you know, a Federal Data Breach Notification law, but it hasn't happened. I think that companies really just need to keep up with innovation and work internally to figure out how they can--whether it's adopting a global framework, in a framework such as the European Data Protection Regulation - GDPR - or do other efforts internally to earn trust, is important. I think monitoring the trust of both employees and consumers - this is focused on consumers, but I think that employees as well, it's required in other countries to treat them the same - and I think being transparent when you're using new, new technology.
Jocelyn Aqua: [00:19:05:12] Companies that demonstrate that they use technology responsibly - that when there are these outlier companies that are chipping their employees, you know, that requires additional socialization and, and, and I think, even greater choice and discussions - but for just your normal company that's using data in ways that are maybe not what the consumer expected when they first filled in an email request on the website, being more transparent, I think, is important.
Dave Bittner: [00:19:35:11] Thanks to Jocelyn Aqua for joining us. You can read the full report, Protect Me, on the PwC website; it's part of their Consumer Intelligence series.
Dave Bittner: [00:19:46:09] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible; especially our sustaining sponsor, Cylance. To find out how Cylance can help protect you using Artificial Intelligence, visit cylance.com.
Dave Bittner: [00:19:58:18] The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik, Social Media Editor is Jennifer Eiben, Technical Editor is Chris Russell, Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.