‘Good Cybersecurity Can Be Good Marketing’. So went the headline of a Harvard Business Review article written by academicians James Lucas, Laurence Minsky and Ben DiSanti in 2016. Their point was that “leveraging online security measures as a way to build trust with shoppers” would ultimately lead to more sales.
By the same token, bad cybersecurity practices ought to hurt a company, right? Yes, but only if users come to know of the security breaches at the companies and brands they have signed up for, with or without sensitive information.
What if the users have no clue? This scenario isn’t an imagined one. In India, companies aren’t legally bound to make public such breaches.
This issue came to the fore a few weeks ago, when fast food chain McDonald’s India asked users to update its app as a “precautionary measure.” It further said that the app doesn’t store sensitive financial information of its users, and that it is safe to use. The McDonald’s statement didn’t come from nowhere. It came on the back of a blog post by cybersecurity start-up Fallible, which had noted that the McDonald’s app is “leaking personal data for more than 2.2 million of its users which includes name, email address, phone number, home address, accurate home co-ordinates and social profile links.” In the end, McDonald’s neither rejected the report nor accepted the breach.
Reasons to worry
In India, there is a relative silence when it comes to public acceptance of cyber breaches by individual companies though there is relentless ambient noise about everything from the big Indian debit card hack to the breach at Yahoo. Don’t be fooled by the silence. This is a country that ranked fourth among countries most targeted for Web application attacks, in a report by content delivery network services provider Akamai Technologies. Juxtapose this with the fact that India has been adding millions of Internet users every year, who have been more than nudged into the world of digital money in recent months, and you know why Indians have reasons to worry.
That isn’t all. Fallible in an earlier post had called the security of Indian payments infrastructure “a joke”. It said: “Vulnerabilities in major payment gateways and wallets include multiple ways of data leak, monetary loss, private keys leak and more.” This isn’t different from many other risk assessments.
It does seem some corporates are taking note. In its ‘Path to Cyber Resilience’ report earlier this year, a result of a survey of 124 Indian companies, consultancy firm EY noted that three-fourths of “board members and C-level executives have said they lack confidence in their organisation’s level of cybersecurity.” But then, the report also noted how cybersecurity hardly gets top management attention in India, as it is viewed merely as an “IT issue”.
Making breaches public should be mandatory and is the wake-up call companies need. It would then become a customer-facing issue, and the management will be all ears. The more proactive ones will also realise that good cybersecurity can be good marketing.
