CyberWire Daily - PwC Principal Jocelyn Aqua on Earning Consumer Trust and Business
Episode Date: November 20, 2017
Our guest today is Jocelyn Aqua. She's a principal at PwC, where her specialty is regulatory privacy and cybersecurity. Our conversation centers on a recently published report from PwC called Protect Me, what they describe as an in-depth look at what consumers want, what worries them, and what companies can do to earn their trust and their business.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Our podcast team is taking a bit of a break this week for the upcoming Thanksgiving holiday.
But not to worry, we've got brand new extended interviews with interesting people lined up for you. And you can still get your daily dose of cybersecurity news on our
website, thecyberwire.com, where you can subscribe to our daily news brief and stay up on the latest.
Stay with us.
My guest today is Jocelyn Aqua.
She's a principal at PwC, where her specialty is regulatory privacy and cybersecurity.
Our conversation centers on a recently published report from PwC called Protect Me,
what they describe as an in-depth look at what consumers want, what worries them, and what companies can do to earn their trust and their business.
You know, we have a very large privacy and cybersecurity team, and they're focused on
helping companies globally trying to navigate the privacy and cybersecurity laws globally.
We have had a lot of discussions with consumers and the private sector and companies trying to
figure out why there's this feeling of distrust
and why they're getting a lot more questions and requests for data and trying to figure out what's
behind that. But you can tell that there are a lot of individuals based on the survey that are not
happy right now with the level of protection their data is receiving.
Yeah, take us through that. What are some of the key findings that you have here?
Well, I think the big one, the takeaway, is that only 25% of consumers feel like companies
handle their personal information responsibly.
That means 75% of people are very concerned and are feeling like their data is vulnerable
to hacks, that their sensitive data is not taken responsibly and used responsibly,
that 88% said that that company's willingness to share information
is predicated on trusting the company.
And so therefore, if there's a lack of trust,
that there really is a disinterest or lack of interest
in having data being used by companies
for reasons that are other than what they gave it to them for.
And is there any sense of what consumers want?
How can we make this better from their point of view?
Sure. Well, I think first that having a plan to take action when there is cyber threat is very important,
that consumers are expecting companies to take strong cybersecurity measures, and that it's the
responsibility of that company and not the government to really protect the data, that
companies really have to step up a little bit more and be demonstrating that they are
trustworthy data stewards, that they
have strong cybersecurity programs in place, that if there is a hack, that there's something that
can be done to either show that they're making amends and that there's more transparency in how
data is being used and shared and retained. And I think that all has to do with increasing trust through
transparency and communication.
It was interesting to me looking through some of the results that
82% said that government should regulate companies' use of data, and 80% said that
government regulation of new technologies is crucial for consumer protection. So it seems to
me like, in this department anyway, people
perhaps want more regulation?
Well, I think part of it is just emerging technology is very new
and unknown. And the use of AI, the use of interconnected devices has caused a lot of
insecurity. People see them as vulnerable and open to either data breaches or open to being
used for purposes that are unknown or perhaps could be used for more invasive consideration
of people's information. And so that tied into the fact that there's so many daily hacks,
thinking that if the government could do more regulation in this regard that that data would
be more protected. Now, at the same time, I think that there is also not necessarily a belief that
government is going to be able to regulate right now, especially in the cyber context. And so their
consumers are also saying that companies, in the while there are gaps, need to step up.
And so I think it's the twofold, expecting,
wanting the government to help regulate and make data more protected, but at the same time,
realizing that companies need to take control of themselves.
I wonder, do you think this is a situation where companies could actually use security and privacy
as a differentiating factor? I'm thinking of how some car brands
would use safety as something that they would advertise, like Volvo would say, our cars are safe.
Yes, certainly. I mean, we are working with companies that are taking, especially in terms of
using the requirements of the EU General Data Protection Regulation, which many multinational companies
are having to consider now, which has caused them to have to rethink how they're treating data,
what they're doing with their data in their systems, how they're using it. And it's been
sort of a foundational change in many US and multinationals to reconsider data protection and data security.
This has been a trigger to really start thinking about data as both an opportunity to make money for a company,
but also use the time and the opportunity as they're starting to secure their systems and build privacy in as a way to differentiate themselves, to say that
I really take privacy seriously. I want my employees to know that. I want my consumers
to know that. I'm giving them more choices in how I use their data. I'm protecting it in a way
that's clear and transparent. It's been a trigger for many companies to start thinking. I think that
coupled with the constant data breaches,
I think that together is making companies start to really rethink both security and privacy as
being really one of the top issues for companies today, especially ones that want to retain their
customers and their consumers, and they want to be able to personalize service and have the ability to use data to benefit their industry.
cars are tested for safety by a third party and they get rated. If a company tells me that they're handling my data in a secure way and I say to them, prove it, that proof will probably come
back to me in a way that it's over my head.
Well, I think many companies do use outside
sources to test their systems to make sure both on a cybersecurity assessments and privacy
assessments to see if the policies and
procedures and practices of a company are actually being enforced to see whether that the security of
a company is really actually what it says on paper. I think it's essential to have inside audit,
external audit, some certification process. Interestingly, the GDPR
does not yet have a certification, but it does require companies to regularly audit and test and
make sure that what is coming in from the top is actually happening throughout the entirety of an
enterprise.
One of the things that the survey looked at was the types of businesses
that consumers trust most. Can you take us through who gets the highest rankings and who needs to
up their game?
Yeah, you know, it was a little bit surprising to me. Banks and hospitals seem
to garner the most trust. I think both of them have some significant regulations. So that might be one of the factors and why,
if you think of your financial institutions as being highly regulated.
So they seem to have more trust.
The health industry as well.
We were talking internally about this.
And I think part of it has to do with your relationship with your bank
and your hospital and your healthcare providers,
where there is more open communication and more personalized communication,
I think there's a belief that there's more of a trust.
Whereas where there is a lack of an understanding of what's happening to your data,
like in the technology, media, and telecommunications industries,
I think there is less control over data use,
and there's less control over information and the conversation between you and the providers that I think it breeds fear and misunderstanding.
It also allows for more vulnerability.
I think people feel like their data is not being protected in the same way.
One of the interesting elements in this survey was looking at different types of technology and consumers with emerging technologies. And I sort of raised an eyebrow when I more than any sort of technological reality is perhaps we have a PR and educational problem at hand here.
Well, I think those are the types of uses that get a lot of press.
Right. done now and used, it's used to allow people to have freedom. And it is right now used in some
in very early testing stages, but in certain very small percentage of companies. But it is it's
something where it brings up the whole issue of tracking and what is acceptable to humans.
And at what stage does tracking an individual become really a threat to their privacy or
a choice? If you have a
company and you are monitored and that's part of your company's framework, you lose really your
choice. You need to leave and do something else. And there is a growing trend of both for security
and for efficiency tracking employees. There's also the way to personalize service is to really have a better understanding of people's activities.
And that sometimes is being done now through AI and other emerging tech practices.
Now, that breeds distrust because people are not sure how this is going to work. And so I think one of the big takeaways is that
as we start moving towards these very exciting opportunities to use technology for the better,
to improve healthcare, to promote cybersecurity, to increase privacy, the fact that it can be used
also to harm privacy and to invade people's personal space. And the fact that there is a real significant
lack of regulatory or federal law to prevent some of this, that it's incumbent upon companies
to be very transparent and to allow for some choices. The privacy laws are all starting to
become very, very similar. Everybody is writing their laws in a way that really tracks
more the European philosophy of privacy than just the United States philosophy of promoting
innovation first. And as other countries in Asia and South America start to write towards the GDPR,
I think there needs to be some more of a consideration
of when companies start building these types of frameworks and rely on such new and interesting
technology to help personalize service and help really understand their customers. I think it's
incumbent upon them to also make sure that they're open and provide clear guidelines as to what they're doing.
We'll be back with the second half of my conversation with Jocelyn Aqua after this break.
The survey also looked at what companies can do after a data breach to try to earn back trust from the consumers.
Take us through what did you learn there?
I think a lot of this has to do with communication.
And trust is won back by communication as to what happened, what you're doing to fix it,
what kind of benefits you're going to provide in the meantime to protect the data that has been leaked, and to provide some
sort of steps that they're going to take to remediate these gaps in their security in the
future. I think because of the fact that there are so many, there isn't that high level of fleeing companies because of a data
breach as long as these steps are taken. I think what happens afterwards is a breach and public
discourse about improper or unexpected data use is where I think brands are, people are finally
looking at a company and saying, I don't think that that's where I want my
information to stay. And so it's really this back and forth level of open communication and
information about why they're taking the steps, this incremental steps to try to prevent this
from happening again. If I think about something like a bank, you know, as long as my bank has a proper
care of my money, my safe deposit box, that sort of thing, you know, I walk in that bank and I see
there's the vault and that's where all of the, you know, things are stored safely. If someone
robs my local bank, I tend to not blame the bank. I'm going to tend to blame the bank robber. And I
feel like we're not quite there yet with consumers feeling like
perhaps organizations have that vault, they've done everything they can where it's really,
you know, it's the robber's responsibility and not the bank's.
Right. I think that's because as a whole, companies haven't been as clear as what that
they're meeting the highest levels of security standards. What you find out afterwards
in some of these breaches is that easy fixes, easy resolution could have prevented many of them,
that some of them are just human error and there's not enough training. Some of them are because
patches were not patched. And that's frustrating to consumers, that more could have been done to prevent this.
And that if there's a situation where it's a nation state actor, that system was as secure
as possible in modern times, then I think there's less of a threat to the company. I think that
unfortunately what's happening is you're seeing that so many of these actions could have
been prevented. And, you know, if a company can't prevent it, that, you know, can't just do the
basic standard cybersecurity protocols, then it does really start to erode your trust.
So take us through some of the recommendations based on the information you gathered. How can
companies do a better job of putting consumers at ease?
So I would say that the first and foremost is putting cybersecurity and privacy really at the top of your business strategy from top down
and figuring out ways to address it publicly and discuss your efforts in place that you build trust. And this is what I think comes through on the paper,
is that companies really need to implement robust data governance and give consumers this control
over how their information is used. It has to be more than just speaking about it, though.
It has to really show in your web pages and in your discussions and your public statements
that you are thinking about this and making it a foremost top priority. I think that because of the fact that we don't have existing federal regulations
on some of these issues, there's a lot of discussion about a federal data breach notification
law, but it hasn't happened. I think that companies really just need to keep up with innovation and
work internally to figure out how they can, whether it's adopting a global framework in a framework such as the European Data Protection Regulation, GDPR, or do other efforts internally to earn trust is important.
I think monitoring the trust of both employees and consumers.
This is focused on consumers, but I think that employees as well, it's required in
other countries to treat them at the same. And I think being transparent when you're using new
technology, companies that demonstrate that they use technology responsibly, that when there are
these outlier companies that are chipping their employees, that requires additional socialization and I think even greater choice and discussions.
But for just your normal company that's using data in ways that are maybe not what the consumer expected when they first filled in an email request on the website, being more transparent, I think, is important.
Our thanks to Jocelyn Aqua for joining us.
You can read the full report, Protect Me, on the PwC website.
It's part of their Consumer Intelligence series.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening. Thank you.