Consumer groups put more value on security
Roula Khalaf, Editor of the FT, selects her favourite stories in this weekly newsletter.
In 2001, software company Oracle began marketing a new database product with the claim that its cyber security was “unbreakable”. Within days, researchers had found vulnerabilities to hacking.
At the time, Oracle tried to double down on its security message but, today, more than 20 years later, consumers have become as sceptical about companies’ security claims as cyber professionals. Less than a quarter of consumers in the UK, for example, are confident that businesses adequately secure their personal information, according to research carried out last year by the Information System Audit and Control Association (Isaca).
Data security has rapidly made its way into the public consciousness, with the growth of social media platforms and the introduction of new rules, such as the General Data Protection Regulation in the EU. But, despite the drop in customer confidence, data consultant Caroline Carruthers — who became one of the UK’s first chief data officers when she took the position at National Rail — believes this increased consumer engagement results in more informed decisions.
It also makes consumer businesses place more value on cyber security. “Boards genuinely understand that cyber security is either a competitive advantage or something that can cause them real harm if they get it wrong,” Carruthers says.
Where, once, companies treated cyber security like insurance — a necessary outlay on something they hoped never to use — they now recognise it as an opportunity for business growth, says Chris Cooper, a chief information security officer who works for consultancy Fractional Execs. “There is value in promoting your cyber security to consumers,” he argues. “Transparency between the consumer and the business is key to digital trust.”
Financial services was one of the first sectors to focus on cyber security in its advertising — in part to reassure customers as apps and digital services replaced in-person visits to branches. For example, in 2017, HSBC’s “The Secret Den” TV ad promoted its voice-activated security. However, now the emphasis is on cyber security education, says Paul McGuigan, strategy director at brand consultancy ThreeTenSeven. He cites a campaign from challenger bank N26 in which normal people — like a club bouncer and a fisherman — explain cyber security concepts.
But Mark Rampton, head of cyber security at Starling Bank, does not believe cyber security should be used as a sales tactic. “We care about our security because our customers deserve nothing less — it’s not a marketing and media push,” he says. “Our main content focus is practical advice for customers to protect themselves from scams.”
In the health sector, marketing campaigns about data protection and usage tend to serve a very different purpose to sales-focused advertising, says McGuigan. For many healthcare services, the priority — and the challenge — is to increase consumer trust by clearly communicating why personal information is essential for healthcare services to collect and use.
“Generally, there’s a lack of understanding that, to keep moving forward at pace, healthcare and medical science need to access and share data — for purposes like research and joined-up care,” he says. “There are safeguards in place, but they are poorly understood and therefore untrusted by the public.”
He thinks healthcare has been less proactive and strategic in telling a compelling story about the benefits of allowing personal data to be used — an approach that has been shown to reduce consumer anxiety about security.
Some companies are now trying to share best practice on health data sharing. In the US, when the Roe vs Wade ruling permitting abortions was overturned in 2022, female health app Flo Health launched Anonymous Mode — allowing users to report health data in a way that is not connected with any personal information they shared when signing up. Rather than treating the feature as a selling point, Flo has since open-sourced the technology to encourage other health apps to adopt the same practice.
“Privacy, security and data protection standards should be a focus for all wellness apps,” argues Sue Khan, data protection officer at Flo Health. “We believe that when women’s health products compete on privacy and security, the user loses.”
Users need to be able to assess a company’s cyber security credentials — the question is how this can be done, says Matt Eustace, data protection officer at data insights company Aiimi. Certifications, such as the UK’s Cyber Essentials Plus, are helpful, but unfamiliar to consumers.
“To help consumers make informed purchases with information security in mind, we need a system which evidences cyber security credentials in a more accessible way,” Eustace says.
He suggests a simple 1-5 scoring system could be universally adopted — an idea similar to the “green-amber-red” system that Carruthers says she put forward for the UK government’s National Data Strategy.
Cyber professionals believe it is better if companies disclose their security credentials — even if it makes them a target for ego-oriented hackers.
“You don’t want to say you have ‘unbreakable security’ because all security is fallible,” says Quentyn Taylor, director of information security at Canon Europe. “But I don’t think there are any disadvantages to being open and honest that you are confident in your cyber security — as long as you have an incident plan in place.”