Cybersecurity Strategies to Enable Digital Trust

Rowdha Mohammed
Author: Rowdha Mohammed, ISO 20000 LI, ISO 27001 LA
Date Published: 2 November 2022

The world is more interconnected than ever due to the market shift toward the adoption of digital transformation technologies such as the Internet of Things (IoT), cloud computing and big data. The growing demand for digital transformation is driven by organizations’ competitive desires to be leaders in their industries, increase revenues and satisfy ongoing consumer demands. One major component of digital transformation that can be used to measure its effectiveness is digital trust, which is defined as consumer confidence in how their data are processed, stored and protected. The role of cybersecurity in data protection and privacy is crucial. It is an enabler of digital trust and a key success factor of the digital transformation journey.

[Cybersecurity] is an enabler of digital trust and a key success factor of the digital transformation journey.

Data Protection Legislation Is on the Rise

As the push for digital transformation grows, there has been a global rise in laws and regulatory requirements intended to protect customers’ privacy and their online data. For example, the United Arab Emirates (UAE) government issued the Federal Decree Law No. 46 of 2021 on electronic transactions and trust services.1 The law aims to promote legal confidence in electronic transactions, protect customer rights and encourage public trust in digital services. On a broader level, in 2016, the European Union issued the General Data Protection Regulation (GDPR) that protects European individuals’ data and privacy.2

Such laws have raised the bar for organizations and encouraged them to make protecting personal data and privacy a top priority. Any breach and disclosure of data can lead to financial penalties and reputational damage, which are directly tied to the loss of digital trust.

News of data breaches that occur around the world spreads seemingly at the speed oflight, putting organizations’ reputations at risk. AON, a financial service firm, announced in June 2022 that 145,889 of its customers had their sensitive information put at risk as a result of a data breach. AON faced at least 2 lawsuits for the security lapse.3 Similarly, in 2020, an investigation was conducted to assess whether the Tim Hortons franchise’s application (app) violated privacy laws by collecting data about the physical location of app users. The app’s permissions were misleading, as it told users that their location would only be tracked while the app was in use.4 Circumstances such as these can affect an enterprise’s reputation and have a negative impact on digital trust.

Cyber Strategies Can Increase Digital Trust

A proactive cybersecurity program can play a crucial role in fostering digital trust. There are a number of strategies that support digital trust that an enterprise can implement as part of its cybersecurity program:

  • Adopt best practices and standards—There are many frameworks and best practices an organization can adopt for a better cybersecurity posture. For example, International Organization for Standardization (ISO) standard ISO 27001:2013 outlines the specifications required for an information security management system.5 Conformance to ISO 27001 requirements provides assurance to consumers that the organization is capable of protecting its data and is acting in accordance with best practices. In addition, organizations can be audited against the Service Organization Control (SOC) 2 Framework based on 5 trust principles: security, availability, processing, integrity and confidentiality.6 To ensure conformance to SOC 2 principles, organizations must implement cybersecurity controls for each principle listed (e.g., the principle of security can be achieved through access management systems, intrusion detection systems [IDSs], firewalls).
  • Strengthen security policies—Organizations should establish an information security policy or strengthen any existing ones to outline top management’s commitment to achieving a robust security posture. This may require security responsibilities to be delegated to departments across the organization to protect assets from internal and external threats. The information security policy should highlight the principals of the confidentiality, integrity, and availability (CIA) triad and address domains such as data encryption, access control, human resources, and third-party security. A thorough policy should highlight security roles and responsibilities and describe the disciplinary action the organization will take in the event of noncompliance with policy requirements.
  • Monitor human behavior—Solid cybersecurity starts within the organization. To achieve this, employees must be aware of their responsibilities to be compliant with security policies. A targeted security awareness program can be implemented to improve employee awareness, particularly for employees who are working with daily IT infrastructure operations. An organization can have a single security policy or a set of multiple security policies in addition to operating procedures. A policy should not be a mere document that is drafted, approved and stored on a shelf. Rather, organizations must take a step further to implement and monitor their security policies. A proper security awareness program requires employees to acknowledge the policies to which they must adhere. For example, a system administrator should know about the organization’s policy requirements for password configuration, privileged access and cloud security. A security guard should be aware of the physical security procedure requirements such as the visitor log, prohibited areas in the organizations and security clearance protocols.
  • Invest in cybersecurity—Investments in cybersecurity infrastructure, awareness and tools have increased recently due to ongoing cyberattacks targeting well-known enterprises such as Amazon, eBay and CNN.7 Announcing investments in cybersecurity has become a strategy to gain consumer trust. However, investment decisions should be made based on risk assessments and the quantification of unique threats. Investments should not be reduced to an attempt to acquire tools that every organization is competing to implement.

Conclusion

In the era of digital transformation, it is crucial for organizations to invest heavily in gaining and establishing digital trust. Digital trust can be achieved through organizations’ commitments to establish solid cybersecurity programs and strategies that aim to protect customers’ personal data and privacy.

Endnotes

1 Baker McKenzie, “United Arab Emirates: Update to Electronic Transactions Law to Align With National Digital Vision and Strategy,” 22 December 2021
2 GDPR.eu, “What Is GDPR, the EU’s New Data Protection Law?
3 Console Jr., R.; “Aon, PLC Revises the Number of Parties Affected by Recent Data Breach,” JD Supra, 28 June 2022
4 Office of the Privacy Commissioner of Canada, ”Tim Hortons App Violated Privacy Laws in Collection of Vast Amount of Sensitive Location Data,” 1 June 2022
5 International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC), ISO/IEC 27001:2013 Information technology—Security techniques—Information security management systems—Requirements, Switzerland, 2013
6 American Institute of CPAs (AICPA), “SOC 2—SOC for Service Organizations: Trust Services Criteria,” USA
7 Stouffer, C.; “DDoS Attacks: A Simplified Guide + DDoS Attack Protection Tips,” Norton, 20 April 2022

Rowdha Mohammed, ISO 20000 LI, ISO 27001 LA

Is an experienced compliance monitoring manager with a focus on information security, network technologies, governance and risk management. In this role, she helped establish a compliance assurance framework and implemented a combined IT and information security framework.