The Data Sharing Days 2020, Europe’s premier data sharing event that took place from 27-28 January 2020 in The Hague, The Netherlands revolved around the theme of ‘Data sovereignty’. We spoke with Jelger Groenland, digital trust & security lead at INNOPAY, who advises clients on challenges and opportunities arising from the digital transformation. We talked to him about the importance of trust in today’s digital transactions era and the role of cybersecurity.
How does digital trust relate to data sovereignty, the theme of the Data Sharing Days that INNOPAY co-hosted?
Data sovereignty and digital trust are very closely linked. The concept of data sovereignty – an individual’s full right and control over their own data – is becoming a prerequisite to build trust with customers in the digital economy. Consumers need to have full control over their personal data in order to trust a business. We’re increasingly seeing companies providing more transparency about their privacy policies and what it means for their customer. They are also giving customers the tools to manage their own data. We expect this will increasingly become the norm. It can also create a competitive advantage because consumers are ever-more aware of their privacy and concerned about how their data is being used.
What recent challenges and dangers have been illustrated frequently in the aspect of cybersecurity?
Financial crime and fraud are attracting growing attention in the context of digital transactions. Attacks frequently happen through e-mail phishing and so-called ‘smishing’ (phishing via text message). In such cases, consumers are tricked into giving away their credentials to criminals because they believe they are interacting with a trusted party, often their bank. This is one reason behind the decline in digital trust, and as an industry we need to reverse this trend if we are to tap into the full potential of the transactional internet. Although I don’t believe this problem can be solved overnight, moving to a more sophisticated trust infrastructure for digital transactions – a data-sharing scheme that provides seamless authentication without passwords, and in which the data owner retains control of their data at all times – could drastically reduce such risks.
Another challenge is the fragmentation of the digital transaction value chain. In the banking industry, for example, the PSD2 regulation and open banking have resulted in many – often new – players taking ownership of part of the customer journey for payments and related services. For customers, this means new brands and apps are requesting their financial and personal data. As a consumer, how do you differentiate between a trusted app and a malicious one? It’s becoming increasingly difficult. To tackle this, we need mechanisms that allow businesses and consumers to interact on an infrastructure of trust. There is a similar shift towards openness in other industries too, which is making it even more important to have a cross-industry trust infrastructure in place.
What models or operational mechanisms would INNOPAY advise to their clients to utilize in case of a cyber attack or data leak? For instance, do standard procedures and protocols exist for such matters that have demonstrated concrete effectiveness?
A quick and adequate response to an identified data breach has a direct impact on the costs. Several studies in the insurance industry have identified this relationship. The same goes for the time it takes to actually uncover infiltration and malicious activities. Sometimes an attacker can have access for months before they are discovered. The sooner a compromise is detected, the better in terms of the costs and the damage.
So what should organisations do? Well, they obviously need a robust response capability. This is typically assigned to a Security Operating Centre (SOC) or response team, but it can be outsourced too. In addition to a technical response capability, organisations should assess and manage the system for issuing notifications to regulators and customers – either by handling it themselves or outsourcing it to experienced partners.
Managing the reputational damage and loss of trust is a bigger challenge. We always recommend organisations to think about this and include it in their digital trust strategy. Typically, this means providing transparency to everyone involved and being clear about what steps you are taking to put things right. Ideally, organisations should have a Chief Trust Officer to prepare and coordinate this response across departments.
In what areas does room for improvement or development exist on the security surface?
Everyone in the industry is aware of the growing cyber threat as criminals become more professional and the size of the enterprise’s potential attack surface increases. However, what still surprises me is the mainly operational-technical approach to cybersecurity. This has led to a situation where there are simply too many systems to protect, too many vulnerabilities to patch, too many tools to work with and too few specialists available. The conversation is often about tooling instead of more fundamental strategic questions about data sovereignty, data retention strategies and transforming the technology landscape to reduce risk for the enterprise.
Although data is regarded as ‘the new oil’, there is a large potential downside when data is compromised. Storing too much data without a clear business case has actually become a liability. This is more commonly acknowledged in the payment industry, where businesses typically try to limit their exposure to data as it obligates them to be PCI DSS compliant. In this industry parties prefer to avoid the burden and costs of compliance by outsourcing payment processes and only decide to do this themselves if absolutely necessary. So there is still much room for improvement in terms of a strategic approach to customer data.
What do you see as your biggest future challenge concerning security and privacy issues in the digital transactions business?
At INNOPAY, the biggest challenge we see is to unleash the true potential of the transactional internet – and that means breaking out of the trust paradox. This refers to two seemingly opposing needs: to make user data –- and in particular personal information – more accessible, while at the same time improving data security and hence securing users’ trust in further digitisation. Recent data scandals indicate just how fragile that trust is and how easy it is for privacy concerns to grow. It is possible to break out of the paradox by moving from institutional trust towards infrastructural trust. Ideally, users have possession and control over their own (identity) data and trust should be embedded in the internet itself.
How are trust and cooperation developed between companies? Through which models and operations is trust gained, considering this is a vision INNOPAY has as a sustainable solution for digital transactions? In that regard, it could be noted that the protection of privacy plays a pivotal role.
In the current landscape, online cooperation is based on one of two dominant models. The first is through bilateral transactions between two parties. Although this approach is flexible, the biggest problem is that it does not scale. The second model is through online platforms. This is an efficient way to scale many-to-many transactions, but it has several major drawbacks, the biggest one being that benefits and governance are centralized with the platform owner. This puts users of the platform at a disadvantage and poses a major risk to their business continuity. Another drawback is that this model promotes data siloes which hinder innovation in the long run. Therefore, INNOPAY proposes a third model, which we call ‘Trust Schemes’. This model is not only scalable, but is also based on a distributed model of control and collaboration. Trust Schemes are founded on agreements relating to a wide array of standards for the exchange of data and information. These address technical aspects, but also organisational, legal and operational perspectives of collaboration.