There is a lot of talk surrounding the impact a cyber security breach can have on your business's reputation. I'm going to talk about something a little different. I haven't seen many professionals talking about the benefits to your reputation that come with having proactive operational security, or the damage that's done by not having it, before a breach actually occurs (or doesn't).
I'd like to lay out a theory I've had for some time, and see what you as a reader think. Before we get into it, I want to explain a couple of concepts: first, what "Operational Security" means when talking about business, and secondly, the more obvious concepts of "Reputation" and "Customer Confidence".
Operational Security
Also sometimes referred to in its short form, "OPSEC". As you can imagine from the short form, the term comes from the military. It was originally coined by an operation called "Operation Purple Dragon", set up to investigate certain operational failures during the Vietnam War.
Nowadays the term is more widely used in the business, information security, and hacker communities. It typically refers to the operational processes that a business or person follows to ensure data and processes are secure from threat actors (hackers). Examples of good operational security include:
- Keeping sensitive data encrypted, at-rest and in-transit
- Using strong passwords and multi-factor authentication
- Being resistant to phishing attacks by having defined and practiced processes
- Always maintaining a healthy level of suspicion
Reputation and Customer Confidence
These concepts are much easier to grasp, and everyone should be familiar with them. Let's try to refine their definitions anyway, as it'll help me make the point that follows.
I'd hazard that everyone and every business on this planet, in one way or another, cares about what people or their customers think of them. Marketing people will argue the importance of reputation even more, as it leads to customer referrals that can bring more clients to your business and increase customer retention or lifetime value.
Companies make very careful decisions about actions that have outward-facing consequences. They weigh the potential consequences to their good reputation, or, if they have already suffered reputation damage, they want to mitigate any further damage and try to reverse the trend. Yadda, yadda, yadda, you get it.
When most people talk about reputation and information security, they are almost always referring to the damage your brand reputation will take when and after you've been subjected to a data breach. Your customers will lose confidence and go elsewhere, or worse, sue. New prospects will walk right on past you to the next nearest competitor.
What about before the data breach (or assuming one never happens)? Could your actions, or inaction, also affect the confidence your customers have in you and your reputation? That is what I want to discuss.
Let’s pose a situation
You're a Partner at Legal IP LLP. Sounds fancified, doesn't it? You operate in the intellectual property space, filing patents, trademarks, and so on, on a daily basis. You're constantly sending sensitive documents between patent offices and customers.
You have a few clients that work in the technology and security industries, and they take their own operational security seriously. One of them has some patents they want filed. You ask them to email you the related patent documents for review. They send the documents over using a secure document sharing service like Lockdrop (shameless plug).
A couple of weeks later, while you're processing the application, you have some questions about one of the documents and need to ask the client. You attach the document in question to the email you're writing with your questions (as is common practice) and hit send.
Do you see what's wrong in this picture? Maybe, maybe not; it's a fairly common situation.
The unintended consequence of sending that email to the client with their data unprotected in a plain email attachment is the impact on your reputation as a competent law firm and on the confidence your client has in your ability to keep their intellectual property safe from digital threats. Their IP can only be as secure as your operational security, and in this scenario you've shown reckless behavior in handling it.
Most clients are unlikely to make a big fuss about you sharing their data in an insecure way; they might ask whether you have a more secure way of handling the data, or ask you to use a service like Lockdrop in the future. What is certain, though, is that you took a hit to your reputation in that client's eyes.
How many other clients do you have that are aware that sending sensitive documents by email isn't secure? How does your reputation stand up with them when you're sending sensitive documents back and forth with them by email?
What happens when your competitors start using services to protect sensitive document sharing, and you're still using insecure means?
Also, more accurately, referred to as Legal Professional Privilege, this is an interesting topic to look at when it comes to data security and handling by legal professionals. Essentially, this privilege states that a lawyer cannot disclose the contents of the communications they've had with a client without that client's explicit permission.
I'm not a lawyer, but looking at this from a logical standpoint: if a lawyer does not take steps to protect their clients' communications and data from potential malicious parties by having adequate operational security, are they not breaching their ethical requirement to protect that data?
An article written by Jeff Benion (Can Lawyers Use The Cloud? Should Lawyers Use The Cloud?) is partially related and talks about the U.S. bar associations' advice on sharing privileged client data with cloud service providers (spoiler: the advice is fragmented, incomplete, and leaves a lot to the imagination). In my opinion this is likely because the associations realize that law firms need to keep up with technology and take advantage of cloud services, while at the same time realizing that most major cloud services have not been designed with the confidentiality needs that lawyers require in mind.
We've discussed the legal industry and lawyers mostly, but these same concepts of how your operational security can affect your reputation and the confidence your customers have in you are equally relevant in other sectors like finance, health care, tech, and so on.
There is a movement of tech companies that are starting to respect the privacy and security of their users, and are building controls and encryption into their products to ensure it. I'm optimistic that as these services become more widely known and adopted, we'll start to see industry associations, like the bar associations in legal circles or CPA (Chartered Professional Accountants) in accounting, refine their recommendations into more precise and actionable options for professional firms.
Please let me know what you think about my theory of how operational security can affect reputation before a breach, and on a daily basis. Comment below, send me a private message, and like and share if you found the content interesting!
I’ll be completely offline, in a remote area of the world, focusing on and refining our go-to-market strategy for my startup — Lockdrop over the next week. I will be sure to reply to any comments as soon as I’m back.
Originally published at https://www.linkedin.com.