Data security in customer experience: Are CX teams cyber-aware?
CX Network Market Report
CXNetwork.com
Contents
• About the author
• Introduction
• The role of data security in customer experience
• Are CX teams cyber aware?
• The impact of new data regulations
• 5 GDPR myths busted
• Customer experience going forward
• Conclusion
• Join CX Network

Contributors
• Kevin Goldman, Chief Design Officer, Trusona
• Max Aulakh, CISO, Ignyte Assurance Platform
• Jonathan Gossels, CEO, SystemExperts Corporation
• Dan Hedley, Partner, IT & Commercial, Irwin Mitchell
• Ted Bardusch, CISO, Usermind
• Serguei Beloussov, CEO, Acronis
• Litha Ramirez, Director of Experience Strategy & Design, SPR

About the author
Adam Muspratt is a Content Editor for CX Network, where he produces a range of content, from in-depth research reports to hard-hitting interviews with CX leaders. For any questions about this report, or the opportunity to collaborate on future CX Network content, you can contact CX Network's Editor on chanice@cxnetwork.com.
Introduction
The data security threat is complex and constantly changing. Going into 2019 and beyond, data security will continue to be a major source of investment across all industries and sectors. The many high profile data breaches throughout 2017-18 – and the customer backlash that followed – have served as a constant reminder that cyber security is something that customer experience (CX) teams must take into consideration.
CX technology goes beyond customer relationship management software (CRM). Increased connectivity and the Internet of Things (IoT) have helped CX teams improve the customer journey with technologies such as automation, data analytics, chatbots, omni-channel and artificial intelligence (AI).
However, as organisations continue to gather more data on customers, and unprotected IoT devices are increasingly incorporated into processes, the risk of a cyber breach has become more severe. The damage caused by a successful cyber attack can be so severe it becomes unquantifiable, with everything at risk, from customer data to intellectual property and from revenue to brand reputation.
Successful cyber attacks have plunged organisations of all shapes and sizes into chaos, from private companies to governments. Common threats come in the form of mobile malware, spear phishing, denial of service attacks, botnets, ransomware and advanced persistent threats (APT). Meanwhile, as technology evolves – and the sophistication of attacks along with it – we will likely see technologies such as AI and machine learning being applied by malicious actors for more persistent and intelligent attacks.
In the event of a successful cyber breach, CX leaders will have to manage customer expectations in an attempt to secure brand reputation and consumer trust. As such, it is not just about defending against cyber attacks. CX teams should aim to be pro-active, not reactive. Yet some organisations and CX teams push back against data security protocols on the pretence of cyber processes adversely affecting ease of use and customer service. Conversely, CX teams aiming to increase cyber security seek to offer easy authentication and data protection while keeping the negative impact on CX minimal. Airtight digital security needs to be considered an enabler of customer experience and not viewed as a hindrance to a company's bottom line and creativity. Due to the increasing frequency of successful cyber attacks – coupled with an increase in the sophistication and scope of attacks – the need to adhere to cyber security protocol is more crucial than ever.
About the research
In our recent study, we explored what precautions CX practitioners are taking in data security. Here are some burning questions we wanted to find answers to:
• Is cyber security something that CX teams are looking to as a priority?
• Do CX teams feel they are equipped to deal with today's threats?
• Are CX teams aligning their goals with digital security teams?
• Are CX teams incorporating cyber security in CX strategy?
• How closely are CX and IT teams working together on cyber security?
We surveyed our global membership of CX leaders to take an accurate snapshot of the current climate. Within this report, we highlight some of our key findings alongside analysis from experts within the field.
The role of data security in customer experience
How important is data security as part of your wider customer experience agenda?
[Chart: responses to the question above. Response options: Very Important; Somewhat Important; Neither Important or Unimportant; Somewhat Unimportant; Unimportant. Values printed (per cent): 54, 39, 8, 0, 0.]
The more data an organisation has about its customers, the more opportunities it has to offer a personalised experience. However, at the same time, the more data an organisation has, the more the likelihood of it being used maliciously increases.
Every employee working with customer data needs to consider their treatment of data very carefully. The survey results show that the majority of respondents understand that secure data is a chief expectation among customers, with over 54 per cent stating that it is "very important".
Does this mean that the traditionally frustrating aspects of digital security, such as user authentication, will undergo major upheaval? And will new customer experience-centric security controls place a bigger strain on budgets?
Kevin Goldman, Chief Design Officer at identity theft protection company Trusona:
"Every brand in the world is losing revenue due to the universal pain point of passwords. This can lead to consumer frustration, cart abandonment, password resets and ultimately customer churn. Gartner has called customer experience 'the only durable competitive advantage', making security and authentication an increasingly urgent priority for CX teams. In this way, passwords should be a shared priority for security and CX teams alike."
Does your CX department have budget allocated for data security?
Companies must continue to provide transparent information to data subjects. Data breaches and fraud are top concerns amongst business leaders as a threat to customer loyalty and the company brand. Forward-thinking organisations will view data security as a means towards improved customer experience.
The results from our survey suggest that there is room for improvement in this area. As you can see, each answer received a similar response rate. "Yes" came out on top with 39 per cent; meanwhile, "I don't know" received a fractionally lower score of 31 per cent.
As supply chains become more interconnected and transactions increasingly shift to the online world, CX teams will likely spend more on cyber security going into the future. Future strategies may involve more Chief Information Security Officers (CISOs) taking up CX oriented responsibilities, or more CX teams will start outsourcing cyber security.
Because in a world where cyber security is constantly changing and becoming more complex, it may be more resource effective for CX teams to outsource their cyber security functions to organisations that are experienced in threat detection, to bridge the ever-widening skill gap.
[Chart: responses to the question above. Response options: Yes; No; Don't know.]
[Chart: Who takes responsibility for data governance? Response options: IT Teams; Data Management Teams.]
[Values printed across the two charts (per cent): 38, 75, 31, 25, 31.]
How can robust data security improve customer experience?
Robust data security procedures are one of the foremost methods of mitigating cyber risk. According to our respondents, protecting customer data (62 per cent) and ensuring compliance (54 per cent) were the biggest advantages. With the recent introduction of the General Data Protection Regulation (GDPR), ensuring compliance remains a top priority amongst CX teams.
Kevin Goldman, Chief Design Officer at identity theft protection company Trusona:
"CX has a long way to go in aligning the goals of CX and digital security teams, a goal which is becoming more difficult to achieve as CX teams become more siloed.
CX teams lack organisational overlap with the IT department. Unless there is a design or CX leader on the executive team, this tends to be the norm. This makes it hard to track social engineering, which is one of the biggest challenges in cyber security. Social engineering is the process of manipulating individuals for fraud, and in order to maintain a high level of security we must solve social engineering. Technology can help solve this problem, but the education of employees and consumers is required – both of which are notoriously hard to do with siloed teams.
The exceptions are companies such as Amazon, eClinical Works and Slack. Many of them are exploring password-less authentication because they know that 30 to 40 per cent of call centre volume is due to password resets. And in the case of a stalled login, people will abandon a shopping cart or end an engagement – leading to increased customer churn."
[Chart: What are the most significant advantages a robust data security strategy can have on customer experience? (choose up to 3). Response options: Ensure compliance; Gain consumer trust; Prevent fraud; Protect customer data; Win customer loyalty & retention. Values printed (per cent): 54, 46, 31, 62, 39.]
Are CX teams cyber aware?
What is the biggest threat a lack of cyber security could present to your organisation? (choose up to 3)
Customer loyalty is built on trust. The ramifications of losing customer data are immeasurable, and CX teams that are lax with data security put their organisation's reputation on the line, as well as the trust of their customers.
Cyber security is no longer something that just IT teams need to worry about. It has broader business ramifications, such as widespread customer dissatisfaction, which leads to customer churn and ultimately revenue loss.
In our survey, we asked what the biggest threat is that a successful cyber attack could present to an organisation. Some of the biggest concerns among CX professionals are the loss of customer trust (54 per cent) and a diminished brand reputation (46 per cent). The risk of a data breach is also ranked as a major threat (54 per cent).
These results are unsurprising considering the high profile data breaches that have occurred in the previous years. Whether it was the Equifax breach [1] or the three billion Yahoo [2] user accounts that were compromised, the prevailing sense among organisations is that sophisticated cyber attacks are amongst the biggest technology concerns today.
Jonathan Gossels, CEO at IT security and compliance company SystemExperts Corporation:
"There are really two questions we have to consider going into the future, where customers are increasingly willing to take extra measures to know that their transactions are secure:
1. What are the major brands doing to ensure that they are operationally cyber secure?
2. What level of transparency/impact are they willing to impose on their customers?"
[Chart: responses to the question above. Response options: Lack of consumer trust; Data breach; Loss of brand reputation; Fraud; Regulatory risk. Values printed (per cent): 54, 31, 54, 46, 39.]
[1] In 2017, a data breach in Equifax exposed the sensitive personal information of 145 million American consumers, up to 44 million British residents, as well as 8000 Canadian residents. Information observed by hackers included credit card numbers, addresses and drivers licenses.
[2] In 2017, Yahoo announced that a huge data breach in 2013 had affected every user on its service – around 3 billion. The hack exposed user information such as email addresses, phone numbers and passwords.
Are CX teams over confident in cyber security?
Over half (52 per cent) of respondents are confident in their cyber defence capabilities, with 17 per cent stating that they are very confident. However, is this over confidence? Many organisations are still failing at the cyber security basics. All it takes is a single negligent employee to open a spear phishing email or click on a malicious link, and this can negate expensive cyber security procedures that have been put in place.
A 2017 cyber security survey concluded that the biggest cyber security risk is worker complacency [3]. The weak cyber security culture amongst employees is often overlooked by executive decision makers – and this can present blindness in an organisation's ability to protect critical data.
[Chart: How confident are you in your organisation's information security? Response options: Very Confident; Confident; Neither Confident or Unconfident; Unconfident; Very Unconfident. Values printed (per cent): 18, 53, 6, 12, 12.]
[3] https://www.ft.com/content/e75d9c96-eec9-11e6-ba01-119a44939bb6
Do technical and non-technical employees take part in regular cyber security training?
Cyber security experts often state that employees are both the strongest and weakest link in cyber defence. So it is important that both technical and non-technical employees understand this risk and have the knowledge to mitigate cyber threats.
The results from our survey show that the majority of CX practitioners believe that their organisation takes a responsible approach towards training, ensuring that all employees receive regular information security training. Further confidence can be drawn from the 23 per cent of respondents who state that both teams receive training but it isn't regular enough, so they're aware this should be a bigger focus area for the company in the future.
A responsible organisation should be able to ensure that all departments have the foundational knowledge to mitigate common cyber security threats. A high number of organisations adopt a pre-existing risk framework. While useful, this often does not take into account the specific risks faced by an individual organisation.
Max Aulakh, CISO at transformative risk management company Ignyte Assurance Platform:
"Every brand in the world is losing revenue due to the universal pain point. The number one issue has always been the human element of cyber security. Today we have enough knowledge to know what type of attacks are the most common and how they function, but the common threat between common cyber attacks is human error. CX team members should be aware of how common attacks – such as phishing, social engineering tactics, click baits, DDoS and malware – work.
We are missing the most basic awareness among our user community. Most companies communicate that they would never ask consumers for their passwords and other log-in credentials, and offer security guidelines, but is there more that CX teams can do?
A good CX team will manage brand perception during downtime on social media; a better one would contribute to cyber defence by communicating the benefits of digital security to customers."
[Chart: Do both technical and non-technical employees take part in routine awareness/training sessions on information security related issues? Response options: Yes, we're very good at that; Yes, but it's not routine or regular; Only technical teams; No, but we have a plan to improve efforts; No, very rarely if ever. Values printed (per cent): 54, 23, 0, 15, 7.]
Does your organisation have the ability to mitigate threats in real-time?
The ability to mitigate threats in real-time is one of the core pillars of digital defence. Confidence can be drawn from the 46 per cent of respondents who state their organisation has the ability to mitigate threats in real-time. In addition, 20 per cent of respondents believe that their ability to mitigate threats in real-time is dependent on the threat. While none of our respondents answered that their organisation doesn't have the ability to respond to threats in real-time, a high proportion said they didn't know either way (18 per cent). Is this indicative of the siloed nature of CX teams?
New threats are always emerging and keeping track isn't easy. Organisations need to be able to trust that the individuals using their service are the people they claim to be. The ability to identify a legitimate or illegitimate customer – by assessing user locations, known behaviours and device profiles – while not intruding on the customer experience is key to brand value.
[Chart: responses to the question above. Response options: I don't know; We have a tiered security format and the protocol would involve multiple formats; No; Yes; It depends. Values printed (per cent): 18, 6, 30, 47, 0.]
Do you have documented IT security procedures in place that are routinely followed and tested?
Over three quarters (76 per cent) of our respondents told us that they do have IT policy procedures that are routine. This figure demonstrates a responsible attitude towards cultivating a strong cyber security culture, given the fact that the overwhelming majority of respondents believe they have routinely tested cyber policies in place.
Ted Bardusch, CISO at customer engagement hub Usermind:
"Given the increasing likeliness of cyber breaches, cyber defence is no longer the sole domain of CISOs, in consideration of the ramifications that a breach can have on customer relationship and corporate reputation. Transparent communication is vital before, during and following a security incident. Businesses process more customer data than ever before, and often this data is siloed in different departments and systems. What does this mean from a security standpoint? Under GDPR, companies must now identify a breach in real-time, discover who has been impacted and notify vulnerable individuals in three short days, according to the 72-hour customer breach notification rule. However, without a unified customer record this becomes near impossible. CX leads must be involved in security planning and preparedness efforts. According to KPMG [4], one in five customers will sever a relationship with a retailer after a cyber attack, while one in three customers would take a long-term break. To guarantee customer retention, CX teams need to consider a security breach as a likely stop along the customer journey. An incorrect email address or a missing point of contact could be the difference between ruining a customer relationship forever and rebuilding customer trust and driving retention following a breach."
[Chart: When it comes to information security in your organisation, do you have documented security procedures that are routinely followed and tested? Response options: Yes; No; We have policies but they're not always strictly tested or followed; We have procedures that we follow but they are not always 'formalised' documents; Don't know/can't answer. Values printed (per cent): 77, 8, 8, 0, 8.]
[4] https://home.kpmg.com/us/en/home/media/press-releases/2016/08/cyber-attacks-could-cost-retailers-one-fifth-of-their-shoppers-kpmg-study.html
Serguei Beloussov, CEO of global technology company Acronis:
"Products and services need to be digitally secure before organisations can consider offering excellent customer service. This can be difficult with legacy systems. While some customers are aware of security issues and expect multiple authentications and checks, others are unaware of the dangers and may simply want easy access. Innovative CX teams will want to cover both groups and make all users equally secure with different types of authentication, ensuring that all users receive the customer experience they are expecting.
Most user authentication processes are robust enough, but require users to remember multiple passwords. Single sign-on and facial recognition are a good alternative, but require additional infrastructures such as enterprise directories and biometric validation systems. While security controls reduce risks, they sometimes put an additional burden on customers.
The key lies in profiling the users and, while setting up the product, incorporating personalisation into the authentication process."
[Chart: What are the main challenges that hinder a bigger focus on data security within your CX strategy? Response options: Regional differences; Dated infrastructure/legacy systems; Lack of skilled staff; Budget; Lack of understanding; C-Level/senior management buy-in; Multiple department input; Complicated regulations/compliance. Values printed (per cent): 54, 23, 23, 23, 15, 46, 46, 23.]
Our research reveals that there are a few different challenges – of equal size – that CX teams face in trying to incorporate data security within their CX strategy. The three biggest challenges faced by CX leaders today when it comes to their information security strategy are dated infrastructure (53 per cent), budget (45 per cent) and lack of understanding (46 per cent).
It is quite surprising to see lack of understanding make the top three when compared against other results throughout this survey. This may point towards a lack of thoroughness in cyber security training regimes. Conversely, respondents may also feel that upper management is blasé in their attitude towards cyber security and lack clarity on strategy and responsibilities.
As highlighted, dated infrastructure and legacy systems came out on top. Many organisations are bogged down by legacy systems that continue to play a key role in operations across a wide array of industries and sectors. Given the nature of such systems, it can be incredibly difficult to incorporate automatic cyber security protections without damaging the system in some way.
The impact of new data regulations
Do you feel confident that you understand the changes in data regulations and how they will affect your organisation?
[Chart: responses to the question above. Response options: Very Confident; Confident; Neither Confident or Unconfident; Unconfident; Very Unconfident. Values printed (per cent): 23, 39, 23, 15, 0.]
The idea behind the GDPR is simple: data subjects are protected from companies selling their personal data; they have to be informed at all times about their rights and how to object to the processing of their personal data.
Having said that, many organisations are still uncertain over the changes in data regulation and how it can affect them day-to-day. We asked how confident our respondents felt about new data regulations. As the results show, respondents are mainly confident, but nearly a quarter (23 per cent) stated that they are neither confident nor unconfident. Meanwhile, 15 per cent replied that they are not confident at all.
When we asked our respondents how it will affect their own CX strategy, the most frequent response was that marketing outreach strategies were redesigned to comply with GDPR. A number of responses also stated that a 'privacy by design' philosophy was steadily being implemented, highlighting the customer experience benefit of broadcasting the incorporation of stringent data privacy in all products and services.
New cyber security procedures are constantly being created as a result of increased data regulation and governance. We asked our community members if data regulations will affect their customer experience strategy. A majority of 84 per cent stated that it would.
Organisations across all industries and sectors had to change the way they interact with customers and handled their data when GDPR was introduced in May 2018. Recital 47 of GDPR states that "the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest". Increasing the personalisation of the customer experience can be regarded as a legitimate interest, but CX teams will have to consider if the data is being used as intended.
While some organisations view GDPR as a hindrance to the customer experience, others will realise that it raises marketing standards – ensuring that consumers who share personal information will not be punished by "bad" personalisation, such as off-base emails.
Furthermore, customer data has become more difficult to obtain, so brands will have to think of new strategies that convey trust. This can come in the form of more transparent interaction regarding data security and an increasingly holistic approach to cyber security.
100 per cent of respondents state that wider information security practices will improve as a result of new regulation. This is indicative of the positive approach the CX teams are taking towards increased data regulation.
[Chart: Do you believe incoming data governance regulations (like GDPR) will affect your customer experience strategy? Yes: 85; Don't know: 15; No: 0 (per cent).]
5 GDPR myths busted
With GDPR in place, there is a lot of chatter in the industry about what the new rules actually mean for marketers and customer experience practitioners handling personal customer data.
But what is true and what is sensationalist fiction?
At GDPR Forum, Dan Hedley, Partner, IT & Commercial at Irwin Mitchell, dived into some of the biggest myths surrounding the new regulations and, in clear terms, outlined what the changes mean for organisations having to adapt now.

1. Massive fines will bankrupt SMEs
Sensationalist headlines claim that there will be fines for small and medium-sized enterprises (SMEs) that could bankrupt their company. In reality, the huge £20m fine mentioned in the news does not affect SMEs. This is purely to warn 'the very big corporations that are doing very bad things'.

2. You need consent for everything
Consent is one of the buzzwords thrown around alongside GDPR, and while you need consent from customers for some elements under the new law, there are a lot of 'common sense' things where explicit consent isn't needed. These cover contractual necessity, legal obligation, protection of vital interests, public interest necessity and legitimate interests.
For example, if you swap business cards at a conference, it's assumed you will contact each other, and likewise, if you're fulfilling a contract for a client and you need to send them additional information, it's only logical you're allowed to do so without having explicit consent. Consent is only needed when you cannot rely on any of the above exceptions, and is mostly related to direct marketing.

3. Data protection is an IT issue
There is no technology available that will make you GDPR compliant. Data protection is a boardroom issue, and while IT is involved, so are operations, HR, sales and marketing. It's about the people and processes first. Though tech can, of course, help with particular issues such as data discovery, record keeping and security.

4. You need a Data Protection Officer
This was mentioned in an early draft of the GDPR and no longer applies to the majority of businesses. You must appoint a Data Protection Officer (DPO) only if you're a public authority, your core activities require regular and systematic monitoring of data subjects, and your core activities consist of large scale processing of special categories of data.
Furthermore, a DPO does not have to be an employee; it can be an external consultant too. Though a lot of people are currently jumping on this bandwagon, so if you go down this route, you have to make sure your future DPO has been doing this for years and not just the last few months.

5. All data breaches have to be reported within 72 hours
While this is not a straight-up myth, this is only partly true. Data breaches must indeed be reported to the Information Commissioner's Office (ICO) by the controller, unless 'unlikely to result in a risk to the rights and freedoms of natural persons'. So if it's encrypted, retrieved unopened (in the case of snail mail) or it involves a bunch of corporate email addresses, then you're likely going to be okay.
The 72 hour time frame is also somewhat flexible, as the regulations state that obligation is 'without undue delay and, where feasible, not later than 72 hours after having become aware of it'.
What can CX teams do going forward?
Litha Ramirez, Director of Experience Strategy at business consultation company SPR:
"With so much in the news about credit card breaches from retail sites or personal data gleaning for unintended purposes – think Facebook and Cambridge Analytica [5] – now more than ever it is important to think about cybersecurity and user experience. The ramifications of a successful data breach include loss of customers, revenue, market share and reputation. All are hard to regain, especially in a hyper-competitive global market. With so many other companies vying for your customers, the lack of strategy around the user experience of cybersecurity may result in your customers flocking over to your competitors. Getting customers on your site and accomplishing goals requires not just ease-of-use but also trust, especially when it comes to sites where personal and/or financial data is being used and stored.
If the user does not feel secure about providing personal and financial information, yet that data is required, the user will simply do their business somewhere else.
The flip side of this is that making a site and the data secure cannot be so cumbersome that the user abandons the site. There needs to be a balance between the two.
Below are four tips that can help:
• Provide the user transparency about how their data will be stored, shared and used. Include a policy on how breaches will be treated.
• Use encryption cues like HTTPS and third party security verification to signal the site's security.
• Make sure information is written in an easy to understand language and takes no more than a couple of minutes to read. Do not obscure it in pages of legalese.
• Provide the user with opportunities to opt into the saving and sharing of data."
[5] https://www.reuters.com/article/us-facebook-privacy/facebook-says-data-leak-hits-87-million-users-widening-privacy-scandal-idUSKCN1HB2CM
Conclusion
Throughout this report, the underlying trend has been that CX practitioners are confident in the cyber security capabilities of their organisations, but there are a few significant areas of shortfall:
• CX teams need to take a more prominent role in cyber security decision making
• CX and IT teams need to closely integrate goals
• CX teams need a larger cyber security budget
• Cyber security education needs to improve for both customers and employees
• CX teams need to find new ways of improving frustrating digital security experiences, such as authentication
While there is still a long way to go, it is promising that the majority of CX teams are receiving regular cyber security training. The high focus on this may be a direct result of the high quantity of cyber breaches over the last few years, serving as a constant reminder of the dangers posed by weak cyber security procedures.
Additionally, in the next few years we will likely see objectives from CX teams and IT security become increasingly aligned, from CISOs taking on more customer-oriented duties to CX teams exploring innovative alternatives to traditional authentication.
With new data regulations to adhere to and unprecedented cyber threats on the horizon – such as artificial intelligence enabled cyber attacks – confidence can be drawn from the results throughout this survey that point towards a sector that is taking cyber defence very seriously.
The way CX teams think about cyber security has changed substantially over the last few years. Companies would avoid talking about cyber security, as they risked portraying online transactions as taking a risk. This is not the case anymore. Nowadays, we are starting to see organisations of all sizes – from financial institutions to retailers – taking an active role in teaching users about safe online behaviour.
Today, organisations and digital security teams know how most attacks function and how they are prevented. However, the key similarity between the most common – and successful – forms of attack is the human error element. While the technology is already in place to help prevent and mitigate cyber attacks, the greatest impact to protecting data is the education of employees and customers.
CXNetworkcom 1
Contents About the author
Contributors
2
15
7
18
4
17
13
19
Introduction
5 GDPR myths busted
Kevin Goldman Chief Design Officer Trusona
Max Aulakh CISO Ignyte Assurance Platform
Jonathan Gossels CEO SystemExperts Corporation
Dan Hedley Partner IT amp Commercial Irwin Mitchell
Ted Bardusch CISO Usermind
Serguei Beloussov CEO Acronis
Litha Ramirez Director of Experience Strategy amp Design SPR
The role of data security in customer experience
Customer experience going forward
Are CX teams cyber aware
Conclusion
The impact of new data regulations
Join CX Network
Adam Muspratt is a Content Editor for CX Network where he produces a range of content from in depth research reports to hard-hitting interviews with CX leaders For any questions about this report or the opportunity to collaborate on future CX Network content you can contact CX Networkrsquos Editor on chanicecxnetworkcom
CXNetworkcom 2
The data security threat is complex and constantly changing Going into 2019 and beyond data security will continue to be a major source of investment across all industries and sectors The many high profile data breaches throughout 2017-18 ndash and the customer backlash that followed ndash have served as a constant reminder that cyber security is something that customer experience (CX) teams must take into consideration
CX technology goes beyond customer relationship management software (CRM) Increased connectivity and the Internet of Things (IoT) have helped CX teams improve the customer journey with technologies such as automation data analytics chatbots omni-channel and artificial intelligence (AI)
However as organisations continue to gather more data on customers and unprotected IoT devices are increasingly incorporated into processes the risk of a cyber breach has become more severe The damage caused by a successful cyber attack can be so severe it becomes unquantifiable with everything at risk from customer data to intellectual property and from revenue to brand reputation
Successful cyber attacks have plunged organisations of all shapes and sizes into chaos from private companies to governments Common threats come in the form of mobile malware spear phishing denial of service attacks botnets ransomware and advanced persistent threats (APT) Meanwhile as technology evolves ndash and the sophistication of attacks along with it ndash we will likely see technologies such as AI and machine learning being applied by malicious actors for more persistent and intelligent attacks
Introduction
The damage caused by a successful cyber attack can be so severe
it becomes unquantifiable with everything at risk from customer
data to intellectual property and from revenue to brand reputation
ldquo ldquo
CXNetworkcom 3
In the event of a successful cyber breach CX leaders will have to manage customer expectations in an attempt to secure brand reputation and consumer trust As such it is not just about defending against cyber attacks CX teams should aim to be pro-active not reactive Yet some organisations and CX teams push back against data security protocols on the pretence of cyber processes adversely affecting ease of use and customer service Conversely CX teams aiming to increase cyber security seek to offer easy authentication and data protection while keeping the negative impact on CX minimal Airtight digital security needs to be considered an enabler of customer experience and not viewed as a hindrance to a companyrsquos bottom line and creativity Due to the increasing frequency of successful cyber attacks ndash coupled with an increase in the sophistication and scope of attacks ndash the need to adhere to cyber security protocol is more crucial than ever
About the research In our recent study we explored what precautions CX practitioners are taking in data security Here are some burning questions we wanted to find answers to
We surveyed our global membership of CX leaders to take an accurate snapshot of the current climate Within this report we highlight some of our key findings alongside analysis from experts within the field
Airtight digital security needs to be considered an enabler of customer
experience and not viewed as a hindrance to a companyrsquos bottom
line and creativity
ldquo ldquobull Is cyber security something that CX teams are
looking to as a prioritybull Do CX teams feel they are equipped to deal
with todayrsquos threats bull Are CX teams aligning their goals with digital
security teams
bull Are CX teams incorporating cyber security in CX strategy
bull How closely are CX and IT teams working together on cyber security
CXNetworkcom 4
The role of data security in customer experienceHow important is data security as part of your
wider customer experience agenda
54 39 8 0 0
Very Important UnimportantSomewhat Important
Somewhat Unimportant
Neither Important or Unimportant
The more data an organisation has about its customers the more opportunities it has to offer a personalised experience However at the same time the more data an organisation has the likelihood of it being used maliciously increases
Every employee working with customer data needs to consider their treatment of data very carefully The survey results show that the majority of respondents understand that secure data is a chief expectation among customers with over 54 per cent stating that it is ldquovery importantrdquo
Every employee working with customer data needs to consider their treatment of data very carefully
Does this mean that the traditionally frustrating aspects of digital security such as user authentication will undergo major upheaval And will new customer experience-centric security controls place a bigger strain on budgets
Kevin Goldman Chief Design Officer at identity theft protection company Trusona
Every brand in the world is losing revenue due to the universal pain point of passwords This can lead to consumer frustration cart abandonment password resets and ultimately customer churn Gartner has called customer experience rsquothe only durable competitive advantagersquo making security and authentication an increasingly urgent priority for CX teams In this way passwords should be a shared priority for security and CX teams alike
ldquo
ldquo
CXNetworkcom 5
Does your CX department have budget allocated for data security
Companies must continue to provide transparent information to data subjects Data breaches and fraud are top concerns amongst business leaders as a threat to customer loyalty and the company brand Forward-thinking organisations will view data security as a means towards improved customer experience
The results from our survey suggest that there is room for improvement in this area As you can see each answer received a similar response rate ldquoYesrdquo came out on top with 39 per cent meanwhile ldquoI donrsquot knowrdquo received a fractionally lower score of 31 per cent
As supply chains become more interconnected and transactions increasingly shift to the online world CX teams will likely spend more on cyber security going into the future Future strategies may involve more Chief Information Security Officers (CISOs) taking up CX oriented
responsibilities or more CX teams will start outsourcing cyber security
Future strategies may involve more Chief Information Security Officers (CISOs) taking up CX oriented responsibilities or more CX teams outsourcing cyber security
Because in a world where cyber security is constantly changing and becoming more complex it may be more resource effective for CX teams to outsource their cyber security functions to organisations that are experienced in threat detection to bridge the ever-widening skill gap
38
75
31
25
31Yes
IT Teams Data Management Teams
No
Donrsquot know
Who takes responsibility for data governance
CXNetworkcom 6
How can robust data security improve customer experience
Robust data security procedures are one of the foremost methods of mitigating cyber risk According to our respondents protecting customer data (62 per cent) and ensuring compliance (54 per cent) were the biggest advantages With the recent introduction of the General Data Protection Regulation (GDPR) ensuring compliance remains a top priority amongst CX teams
Kevin Goldman Chief Design Officer at identity theft protection company Trusona
CX has a long way to go in aligning the goals of CX and digital security teams a goal which is becoming more difficult to achieve as CX teams become more siloed
CX teams lack organisational overlap with the IT department Unless there is a design or CX leader on the executive team this tends to be the norm This makes it hard to track social engineering which is one of the biggest challenges in cyber security Social engineering is the process of manipulating individuals for fraud and in order to maintain a high level of security we must solve social engineering Technology can help solve this problem but the education of employees and consumers is required ndash both of which are notoriously hard to do with siloed teamsThe exception are companies such as Amazon eClinical Works and Slack Many of them are exploring password-less authentication because they know that 30 to 40 per cent of call centre volume is due to password resets And in the case of a stalled login people will abandon a shopping cart or end an engagement ndash leading to increased customer churn
ldquo
ldquoWhat are the most siginificant advantages a robust data security
strategy can have on customer experience (choose up to 3)
5446
31
62
39
Ensure compliance
Gain consumer
trust
Prevent fraud
Protect customer data
Win customer loyalty amp retention
CXNetworkcom 7
Are CX teams cyber awareWhat is the biggest threat a lack of cyber security could present to your organisation (choose up to 3)
Customer loyalty is built on trust The ramifications of losing customer data are immeasurable and CX teams that are lax with data security put their organisationrsquos reputation on the line as well as the trust of their customers
Cyber security is no longer something that just IT teams need to worry about It has broader business ramifications such as widespread customer dissatisfaction which leads to customer churn and ultimately revenue loss
In our survey we asked what the biggest threat is that a successful cyber attack could present to an organisation Some of the biggest concerns among CX professionals are the loss of customer trust (54 per cent) and a diminished brand reputation (46 per cent) The risk of a
data breach is also ranked as a major threat (54 per cent)
These results are unsurprising considering the high profile data breaches that have occurred in the previous years Whether it was the Equifax breach1 or the three billion Yahoo2 user accounts that were compromised the prevailing sense among organisations is that sophisticated cyber attacks are amongst the biggest technology concerns today
Jonathan Gossels CEO at IT security and compliance company SystemExperts Corporation
There are really two questions we have to consider going into the future where customers are increasingly willing to take extra measures to know that their transactions are secure
What are the major brands doing to ensure that they are operationally cyber secure
What level of transparencyimpact are they willing to impose on their customers1 2 ldquoldquo
5431
5446
39
Lack of consumer trustData breach Loss of brand
reputation
FraudRegulatory risk
1In 2017 a data breach in Equifax exposed the sensitive personal information of 145 million American consumers up to 44 million British residents as well as 8000 Canadian residents Information observed by hackers included credit card numbers addresses and drivers licenses Read more here2In 2017 Yahoo announced that a huge data breach in 2013 had affected every user on its service ndash around 3 billion The hack exposed user information such as email addresses phone numbers and passwords Read more here
CXNetworkcom 8
Are CX teams over confident in cyber security
Over half (52 per cent) of respondents are confident in their cyber defence capabilities with 17 per cent stating that they are very confident However is this over confidence Many organisations are still failing at the cyber security basics All it takes is a single negligent employee to open a spear phishing email or click on a malicious link and this can negate expensive cyber security procedures that have been put in place
A 2017 cyber security survey concluded that the biggest cyber security risk is worker complacency3 The weak cyber security culture amongst employees is often overlooked by executive decision makers ndash and this can present blindness in an organisationrsquos ability to protect critical data
18 53 6 12 12Very Confident Confident Very UnconfidentUnconfidentNeither Confident
or Unconfident
How confident are you in your organisationrsquos information security
3httpswwwftcomcontente75d9c96-eec9-11e6-ba01-119a44939bb6
CXNetworkcom 9
Do technical and non-technical employees take part in regular cyber security training
Cyber security experts often state that employees are both the strongest and weakest link in cyber defence So it is important that both technical and non-technical employees understand this risk and have the knowledge to mitigate cyber threats
The results from our survey show that the majority of CX practitioners believe that their organisation takes a responsible approach towards training ensuring that all employees receive regular information security training Further confidence can be drawn from the 23 per cent of respondents who state that both teams receive training but it isnrsquot regular enough so theyrsquore aware this should be a bigger focus area for the company in the future
A responsible organisation should be able to ensure that all departments have the foundational knowledge to mitigate common cyber security threats A high number of organisations adopt a pre-existing risk framework While useful this often does not take into account the specific risks faced by an individual organisation
Do both technical and non-technical employees take part in routine awarenesstraining sessions on information security related issues
Max Aulakh CISO at transformative risk management company Ignyte Assurance Platform
Every brand in the world is losing revenue due to the universal pain point The number one issue has always been the human element of cyber security Today we have enough knowledge to know what type of attacks are the most common and how they function but the common threat between common cyber attacks is human error CX team members should be aware of how common attacks ndash such as phishing social engineering tactics click baits DDoS and malware ndash work
We are missing the most basic awareness among our user community Most companies communicate that they would never ask consumers for their passwords and other log-in credentials and offer security guidelines but is there more that CX teams can do
A good CX team will manage brand perception during downtime on social media a better one would contribute to cyber defence by communicating the benefits of digital security to customers
ldquo
ldquo54
230 15 7
Yes wersquore very good at
that
Yes but itrsquos not routine or
regular
Only technical teams
No but we have a plan to improve
efforts
No very rarely if ever
CXNetworkcom 10
Does your organisation have the ability to mitigate threats in real-time
The ability to mitigate threats in real-time is one of the core pillars of digital defence Confidence can be drawn from the 46 per cent of respondents who state their organisation has the ability to mitigate threats in real-time In addition 20 per cent of respondents believe that their ability to mitigate threats in real-time is dependent on the threat While none of our respondents answered that their organisation doesnrsquot have the ability to respond to threats in real-time a high proportion said they didnrsquot know either way (18 per cent) Is this indicative of the siloed nature of CX teams
New threats are always emerging and keeping track isnrsquot easy Organisations need to be able to trust that the individuals using their service are the people they claim to be The ability to identify a legitimate or illegitimate customer ndash by assessing user locations known behaviours and device profiles ndash while not intruding on the customer experience is key to brand value
18
6
30
47
0
I donrsquot know
We have a tiered security format and the protocol would involve
multiple formats
No
YesIt depends
CXNetworkcom 11
Do you have documented IT security procedures in place that are routinely followed and tested
Over three quarters (76 per cent) of our respondents told us that they do have IT policy procedures that are routine This figure demonstrates a responsible attitude towards cultivating a strong cyber security culture given the fact that the overwhelming majority of respondents believe they have routinely tested cyber policies in place
Ted Bardusch CISO at customer engagement hub Usermind
Given the increasing likeliness of cyber breaches cyber defence is no longer the sole domain of CISOs in consideration of the ramifications that a breach can have on customer relationship and corporate reputation Transparent communication is vital before during and following a security incident Businesses process more customer data than ever before and often this data is siloed in different departments and systems What does this mean from a security standpoint Under GDPR companies must now identify a breach in real-time discover who has been impacted and notify vulnerable individuals in three short days according to the 72-hour customer breach notification rule However without a unified customer record this becomes near impossible CX leads must be involved in security planning and preparedness efforts According to KPMG4 one in five customers will sever a relationship with a retailer after a cyber attack while one in three customers would take a long-term break To guarantee customer retention CX teams need to consider a security breach as a likely stop along the customer journey An incorrect email address or a missing point of contact could be the difference between ruining a customer relationship forever and rebuilding customer trust and driving retention following a breach
ldquo
ldquoWhen it comes to information security in your organisation do you have documented security procedures that are routinely followed and tested
77
8 8 0 8
Yes
No We have policies but theyrsquore not always
strictly tested or followed
We have procedures that we follow
but they are not always lsquoformalisedrsquo
documents
Donrsquot knowcanrsquot answer
4httpshomekpmgcomusenhomemediapress-releases201608cyber-attacks-could-cost-retailers-one-fifth-of-their-shoppers-kpmg-studyhtml
CXNetworkcom 12
Serguei Beloussov CEO of global technology company Acronis
Products and services need to be digitally secure before organisations can consider offering excellent customer service This can be difficult with legacy systems While some customers are aware of security issues and expect multiple authentications and checks others are unaware of the dangers and may simply want easy access Innovative CX teams will want to cover both groups and make all users equally secure with different types of authentication ensuring that all users receive the customer experience they are expectingMost user authentication processes are robust enough but require users to remember multiple passwords Single sign-on and facial recognition are a good alternative but require additional infrastructures such as enterprise directories and biometric validation systems While security controls reduce risks they sometimes put an additional burden on customersThe key lies in profiling the users and while setting up the product incorporating personalisation into the authentication process
ldquo
ldquoWhat are the main challenges that hinder a bigger
focus on data security within your CX strategy
54 2323 23 15
46 4623
Regional differences
Dated infrastructurelegacy systems Lack of
skilled staffBudget
Lack of understanding
C-Levelsenior management buy-in
Multiple department
input
Complicated regulationscompliance
Our research reveals that there are a few different challenges ndash of equal size ndash that CX teams face in trying to incorporate data security within their CX strategy The three biggest challenges faced by CX leaders today when it comes to their information security strategy are dated infrastructure (53 per cent) budget (45 per cent) and lack of understanding (46 per cent)
It is quite surprising to see lack of understanding make the top three when compared against other results throughout this survey This may point towards a lack of thoroughness in cyber security training regimes Conversely respondents may also feel that upper management is blaseacute in their attitude towards cyber security and lack clarity on strategy and responsibilities
As highlighted dated infrastructure and legacy systems came out on top Many organisations are bogged down by legacy systems that continue to play a key role in operations across a wide array of industries and sectors Given the nature of such systems it can be incredibly difficult to incorporate automatic cyber security protections without damaging the system in some way
CXNetworkcom 13
The impact of new data regulations Do you feel confident that you understand the changes in
data regulations and how they will affect your organisation
23 39 23 15 0Very Confident Confident Very UnconfidentUnconfidentNeither Confident
or Unconfident
The idea behind the GDPR is simple data subjects are protected from companies selling their personal data they have to be informed at all times about their rights and how to object to the processing of their personal data
Having said that many organisations are still uncertain over the changes in data regulation and how it can affect them day-to-day We asked how confident our respondents felt about new data regulations As the results show respondents are mainly confident but nearly a quarter (23 per cent) stated that they are neither confident nor confident Meanwhile 15 per cent replied that they are not confident at all
CXNetworkcom 14
When we asked our respondents how it will affect their own CX strategy the most frequent response was that marketing outreach strategies were redesigned to comply with GDPR A number of responses also stated that a rsquoprivacy by designlsquo philosophy was steadily being implemented highlighting the customer experience benefit of broadcasting the incorporation of stringent data privacy in all products and services
New cyber security procedures are constantly being created as a result of increased data regulation and governance We asked our community members if data regulations will affect their customer experience strategy A majority of 84 per cent stated that it would
Organisations across all industries and sectors had to change the way they interact with customers and handled their data when GDPR was introduced in May 2018 Recital 47 of GDPR states that ldquothe processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interestrdquo Increasing the personalisation of the customer experience can be regarded as a legitimate interest but CX teams will have to consider if the data is being used as intended
While some organisations view GDPR as a hindrance to the customer experience others will realise that it raises marketing standards ndash ensuring that consumers who share personal information will not be punished by ldquobadrdquo personalisation such as off base emails
100 per cent of respondents state that wider information security practices will improve as a result of new regulation
Furthermore customer data has become more difficult to obtain so brands will have to think of new strategies that convey trust This can come in the form of more transparent interaction regarding data security and an increasingly holistic approach to cyber security
100 per cent of respondents state that wider information security practices will improve as a result of new regulation This is indicative of the positive approach the CX teams are taking towards increased data regulation
Do you believe incoming data governance regulations (like GDPR) will affect your
customer experience strategy
85Yes
15Donrsquot know
0No
CXNetworkcom 15
5 GDPR myths busted
With GDPR in place there is a lot of chatter in the industry about what the new rules actually mean for marketers and customer experience practitioners handling personal customer data
But what is true and what is sensationalist fiction
At GDPR Forum Dan Hedley Partner IT amp Commercial at Irwin Mitchell dived into some of the biggest myths surrounding the new regulations and in clear terms outlined what the changes mean for organisations having to adapt now
Sensationalist headlines claim that there will be fines for small and medium-sized enterprises (SMEs) that could bankrupt their company In reality the huge pound20m fine mentioned in the news does not affect SMEs This is purely to warn lsquothe very big corporations that are doing very bad thingsrsquo
Consent is mostly related to direct marketing
Consent is one of the buzzwords thrown around alongside GDPR and while you need consent from customers for some elements under the new law there are a lot of lsquocommon sensersquo things where explicit consent isnrsquot needed These cover contractual necessity legal obligation protection of vital interests public interest necessity and legitimate interests
For example if you swap business cards at a conference itrsquos assumed you will contact each other and likewise if yoursquore fulfilling a contract for a client and you need to send them additional information itrsquos only logical yoursquore allowed to do so without having explicit consent Consent is only needed when you cannot rely on any of the above exceptions and is mostly related to direct marketing
1
2
Massive fines will bankrupt SMEs
You need consent for everything
CXNetworkcom 16
There is no technology available that will make you GDPR compliant Data protection is a boardroom issue and while IT is involved so are operations HR sales and marketing Itrsquos about the people and processes first Though tech can of course help with particular issues such as data discovery record keeping and security
A DPO does not have to be an employee it can be an external consultant
This was mentioned in an early draft of the GDPR and no longer applies to the majority of businesses You must appoint a Data Protection Officer (DPO) only if yoursquore a public authority your core activities require regular and systematic monitoring of data subjects and your core activities consist of large scale processing of special categories of data
Furthermore a DPO does not have to be an employee it can be an external consultant too Though a lot of people are currently jumping on this bandwagon so if you go down this route you have to make sure your future DPO has been doing this for years and not just the last few months
While this is not a straight-up myth this is only partly true Data breaches must indeed be reported to the Information Commissionerrsquos Office (ICO) by the controller unless lsquounlikely to result in a risk to the rights and freedoms of natural personsrsquo So if itrsquos encrypted retrieved unopened (in the case of snail mail) or it involves a bunch of corporate email addresses then yoursquore likely going to be okay
The 72 hour time frame is also somewhat flexible as the regulations state that obligation is lsquowithout undue delay and where feasible not later than 72 hours after having become aware of itrsquo
3
4
5
Data protection is an IT issue
You need a Data Protection Officer
All data breaches have to be reported within 72 hours
CXNetworkcom 17
What can CX teams do going forward
Litha Ramirez Director of Experience Strategy at business consolation company SPR
With so much in the news about credit card breaches from retail sites or personal data gleaning for unintended purposes ndash think Facebook and Cambridge Analytics5 ndash now more than ever it is important to think about cybersecurity and user experience The ramifications of a successful data breach include loss of customers revenue market share and reputation All are hard to regain especially in a hyper-competitive global market With so many other companies vying for your customers the lack of strategy around the user experience of cybersecurity may result in your customers flocking over to your competitors Getting customers on your site and accomplishing goals requires not just ease-of-use but also trust especially when it comes to sites where personal and or financial data is being used and stored
If the user does not feel secure about providing personal and financial information yet that data is required the user will simply do their business somewhere else
The flip side of this is that making a site and the data secure cannot be so cumbersome that the user abandons the site There needs to be a balance between the two
Below are four tips that can help
Provide the user transparency about how their data will be stored shared and used Include a policy on how breaches will be treated
Use encryption cues like HTTPS and third party security verification to signal the sites security
Make sure information is written in an easy to understand language and takes no more than a couple of minutes to read Do not obscure it in pages of legalese
Provide the user with opportunities to opt into the saving and sharing of data
14
23
5httpswwwreuterscomarticleus-facebook-privacyfacebook-says-data-leak-hits-87-million-users-widening-privacy-scandal-idUSKCN1HB2CM
CXNetworkcom 18
Conclusion
Throughout this report the underlying trend has been that CX practitioners are confident in the cyber security capabilities of their organisations but there are a few significant areas of shortfall
bull CX teams need to take a more prominent role in cyber security decision making
bull CX and IT teams need to closely integrate goals
bull CX teams need a larger cyber security budget
bull Cyber security education needs to improve for both customers and employees
bull CX teams need to find new ways of improving frustrating digital security experiences such as authentication
While there is still a long way to go it is promising that the majority of CX teams are receiving regular cyber security training The high focus on this may be a direct result of the high quantity of cyber breaches over the last few years serving as a constant reminder of the dangers posed by weak cyber security procedures
Additionally in the next few years we will likely see objectives from CX teams and IT security become increasingly aligned from CISOs taking on more customer-oriented duties to CX teams exploring innovative alternative to traditional authentication
With new data regulations to adhere to and unprecedented cyber threats on the horizon ndash such as artificial intelligence enabled cyber attacks ndash confidence can be drawn from the results throughout this survey that point towards a sector that is taking cyber defence very seriously
The way CX teams think about cyber security has changed substantially over the last few years Companies would avoid talking about cyber security as they risked portraying online transactions as taking a risk This is not the case anymore Nowadays we are starting to see organisations of all sizes ndash from financial institutions to retailers ndash taking an active role in teaching users about safe online behaviour
Today organisations and digital security teams know how most attacks function and how they are prevented However the key similarity between the most common ndash and successful ndash forms of attack is the human error element While the technology is already in place to help prevent and mitigate cyber attacks the greatest impact to protecting data is the education of employees and customers
Introduction
Successful cyber attacks have plunged organisations of all shapes and sizes into chaos, from private companies to governments. Common threats come in the form of mobile malware, spear phishing, denial of service attacks, botnets, ransomware and advanced persistent threats (APT). Meanwhile, as technology evolves – and the sophistication of attacks along with it – we will likely see technologies such as AI and machine learning being applied by malicious actors for more persistent and intelligent attacks.
In the event of a successful cyber breach, CX leaders will have to manage customer expectations in an attempt to secure brand reputation and consumer trust. As such, it is not just about defending against cyber attacks. CX teams should aim to be pro-active, not reactive. Yet some organisations and CX teams push back against data security protocols on the pretence of cyber processes adversely affecting ease of use and customer service. Conversely, CX teams aiming to increase cyber security seek to offer easy authentication and data protection while keeping the negative impact on CX minimal. Airtight digital security needs to be considered an enabler of customer experience and not viewed as a hindrance to a company’s bottom line and creativity. Due to the increasing frequency of successful cyber attacks – coupled with an increase in the sophistication and scope of attacks – the need to adhere to cyber security protocol is more crucial than ever.
About the research
In our recent study, we explored what precautions CX practitioners are taking in data security. Here are some burning questions we wanted to find answers to:
• Is cyber security something that CX teams are looking to as a priority?
• Do CX teams feel they are equipped to deal with today’s threats?
• Are CX teams aligning their goals with digital security teams?
• Are CX teams incorporating cyber security in CX strategy?
• How closely are CX and IT teams working together on cyber security?
We surveyed our global membership of CX leaders to take an accurate snapshot of the current climate. Within this report, we highlight some of our key findings alongside analysis from experts within the field.
The role of data security in customer experience
[Chart: How important is data security as part of your wider customer experience agenda? Response options: Very Important; Somewhat Important; Neither Important or Unimportant; Somewhat Unimportant; Unimportant. Percentages shown: 54, 39, 8, 0, 0.]
The more data an organisation has about its customers, the more opportunities it has to offer a personalised experience. However, at the same time, the more data an organisation has, the greater the likelihood of it being used maliciously.
Every employee working with customer data needs to consider their treatment of data very carefully. The survey results show that the majority of respondents understand that secure data is a chief expectation among customers, with over 54 per cent stating that it is “very important”.
Does this mean that the traditionally frustrating aspects of digital security, such as user authentication, will undergo major upheaval? And will new customer experience-centric security controls place a bigger strain on budgets?
Kevin Goldman, Chief Design Officer at identity theft protection company Trusona:
“Every brand in the world is losing revenue due to the universal pain point of passwords. This can lead to consumer frustration, cart abandonment, password resets and ultimately customer churn. Gartner has called customer experience ‘the only durable competitive advantage’, making security and authentication an increasingly urgent priority for CX teams. In this way, passwords should be a shared priority for security and CX teams alike.”
Does your CX department have budget allocated for data security?
[Chart: Does your CX department have budget allocated for data security? Response options: Yes; No; Don’t know. Percentages shown: 38, 31, 31.]
Companies must continue to provide transparent information to data subjects. Data breaches and fraud are top concerns amongst business leaders as a threat to customer loyalty and the company brand. Forward-thinking organisations will view data security as a means towards improved customer experience.
The results from our survey suggest that there is room for improvement in this area. As you can see, each answer received a similar response rate: “Yes” came out on top with 39 per cent; meanwhile, “I don’t know” received a fractionally lower score of 31 per cent.
As supply chains become more interconnected and transactions increasingly shift to the online world, CX teams will likely spend more on cyber security going into the future. Future strategies may involve more Chief Information Security Officers (CISOs) taking up CX-oriented responsibilities, or more CX teams will start outsourcing cyber security.
In a world where cyber security is constantly changing and becoming more complex, it may be more resource effective for CX teams to outsource their cyber security functions to organisations that are experienced in threat detection, to bridge the ever-widening skill gap.
[Chart: Who takes responsibility for data governance? Response options: IT Teams; Data Management Teams. Percentages shown: 75, 25.]
How can robust data security improve customer experience?
Robust data security procedures are one of the foremost methods of mitigating cyber risk. According to our respondents, protecting customer data (62 per cent) and ensuring compliance (54 per cent) were the biggest advantages. With the recent introduction of the General Data Protection Regulation (GDPR), ensuring compliance remains a top priority amongst CX teams.
Kevin Goldman, Chief Design Officer at identity theft protection company Trusona:
“CX has a long way to go in aligning the goals of CX and digital security teams, a goal which is becoming more difficult to achieve as CX teams become more siloed.
CX teams lack organisational overlap with the IT department. Unless there is a design or CX leader on the executive team, this tends to be the norm. This makes it hard to track social engineering, which is one of the biggest challenges in cyber security. Social engineering is the process of manipulating individuals for fraud, and in order to maintain a high level of security we must solve social engineering. Technology can help solve this problem, but the education of employees and consumers is required – both of which are notoriously hard to do with siloed teams. The exceptions are companies such as Amazon, eClinical Works and Slack. Many of them are exploring password-less authentication because they know that 30 to 40 per cent of call centre volume is due to password resets. And in the case of a stalled login, people will abandon a shopping cart or end an engagement – leading to increased customer churn.”
[Chart: What are the most significant advantages a robust data security strategy can have on customer experience? (choose up to 3) Response options: Ensure compliance; Gain consumer trust; Prevent fraud; Protect customer data; Win customer loyalty & retention. Percentages shown: 54, 46, 31, 62, 39.]
Are CX teams cyber aware?
[Chart: What is the biggest threat a lack of cyber security could present to your organisation? (choose up to 3) Response options: Lack of consumer trust; Data breach; Loss of brand reputation; Fraud; Regulatory risk. Percentages shown, unpaired: 54, 31, 54, 46, 39.]
Customer loyalty is built on trust. The ramifications of losing customer data are immeasurable, and CX teams that are lax with data security put their organisation’s reputation on the line, as well as the trust of their customers.
Cyber security is no longer something that just IT teams need to worry about. It has broader business ramifications, such as widespread customer dissatisfaction, which leads to customer churn and ultimately revenue loss.
In our survey, we asked what the biggest threat is that a successful cyber attack could present to an organisation. Some of the biggest concerns among CX professionals are the loss of customer trust (54 per cent) and a diminished brand reputation (46 per cent). The risk of a data breach is also ranked as a major threat (54 per cent).
These results are unsurprising considering the high profile data breaches that have occurred in the previous years. Whether it was the Equifax breach¹ or the three billion Yahoo² user accounts that were compromised, the prevailing sense among organisations is that sophisticated cyber attacks are amongst the biggest technology concerns today.
Jonathan Gossels, CEO at IT security and compliance company SystemExperts Corporation:
“There are really two questions we have to consider going into the future, where customers are increasingly willing to take extra measures to know that their transactions are secure:
1. What are the major brands doing to ensure that they are operationally cyber secure?
2. What level of transparency/impact are they willing to impose on their customers?”
¹ In 2017, a data breach in Equifax exposed the sensitive personal information of 145 million American consumers, up to 44 million British residents, as well as 8000 Canadian residents. Information observed by hackers included credit card numbers, addresses and driver’s licenses.
² In 2017, Yahoo announced that a huge data breach in 2013 had affected every user on its service – around 3 billion. The hack exposed user information such as email addresses, phone numbers and passwords.
Are CX teams over confident in cyber security?
Over half (52 per cent) of respondents are confident in their cyber defence capabilities, with 17 per cent stating that they are very confident. However, is this over confidence? Many organisations are still failing at the cyber security basics. All it takes is a single negligent employee to open a spear phishing email or click on a malicious link, and this can negate expensive cyber security procedures that have been put in place.
A 2017 cyber security survey concluded that the biggest cyber security risk is worker complacency³. The weak cyber security culture amongst employees is often overlooked by executive decision makers – and this can present blindness in an organisation’s ability to protect critical data.
[Chart: How confident are you in your organisation’s information security? Response options: Very Confident; Confident; Neither Confident or Unconfident; Unconfident; Very Unconfident. Percentages shown: 18, 53, 6, 12, 12.]
³ https://www.ft.com/content/e75d9c96-eec9-11e6-ba01-119a44939bb6
Do technical and non-technical employees take part in regular cyber security training?
Cyber security experts often state that employees are both the strongest and weakest link in cyber defence. So it is important that both technical and non-technical employees understand this risk and have the knowledge to mitigate cyber threats.
The results from our survey show that the majority of CX practitioners believe that their organisation takes a responsible approach towards training, ensuring that all employees receive regular information security training. Further confidence can be drawn from the 23 per cent of respondents who state that both teams receive training but it isn’t regular enough, so they’re aware this should be a bigger focus area for the company in the future.
A responsible organisation should be able to ensure that all departments have the foundational knowledge to mitigate common cyber security threats. A high number of organisations adopt a pre-existing risk framework. While useful, this often does not take into account the specific risks faced by an individual organisation.
Max Aulakh, CISO at transformative risk management company Ignyte Assurance Platform:
“Every brand in the world is losing revenue due to the universal pain point. The number one issue has always been the human element of cyber security. Today we have enough knowledge to know what type of attacks are the most common and how they function, but the common threat between common cyber attacks is human error. CX team members should be aware of how common attacks – such as phishing, social engineering tactics, click baits, DDoS and malware – work.
We are missing the most basic awareness among our user community. Most companies communicate that they would never ask consumers for their passwords and other log-in credentials and offer security guidelines, but is there more that CX teams can do?
A good CX team will manage brand perception during downtime on social media; a better one would contribute to cyber defence by communicating the benefits of digital security to customers.”
[Chart: Do both technical and non-technical employees take part in routine awareness/training sessions on information security related issues? Response options: Yes, we’re very good at that; Yes, but it’s not routine or regular; Only technical teams; No, but we have a plan to improve efforts; No, very rarely if ever. Percentages shown: 54, 23, 0, 15, 7.]
Does your organisation have the ability to mitigate threats in real-time?
The ability to mitigate threats in real-time is one of the core pillars of digital defence. Confidence can be drawn from the 46 per cent of respondents who state their organisation has the ability to mitigate threats in real-time. In addition, 20 per cent of respondents believe that their ability to mitigate threats in real-time is dependent on the threat. While none of our respondents answered that their organisation doesn’t have the ability to respond to threats in real-time, a high proportion said they didn’t know either way (18 per cent). Is this indicative of the siloed nature of CX teams?
New threats are always emerging, and keeping track isn’t easy. Organisations need to be able to trust that the individuals using their service are the people they claim to be. The ability to identify a legitimate or illegitimate customer – by assessing user locations, known behaviours and device profiles – while not intruding on the customer experience is key to brand value.
[Chart: Does your organisation have the ability to mitigate threats in real-time? Response options: I don’t know; We have a tiered security format and the protocol would involve multiple formats; It depends; Yes; No. Percentages shown: 18, 6, 30, 47, 0.]
Do you have documented IT security procedures in place that are routinely followed and tested?
Over three quarters (76 per cent) of our respondents told us that they do have IT policy procedures that are routine. This figure demonstrates a responsible attitude towards cultivating a strong cyber security culture, given the fact that the overwhelming majority of respondents believe they have routinely tested cyber policies in place.
Ted Bardusch, CISO at customer engagement hub Usermind:
“Given the increasing likeliness of cyber breaches, cyber defence is no longer the sole domain of CISOs, in consideration of the ramifications that a breach can have on customer relationship and corporate reputation. Transparent communication is vital before, during and following a security incident. Businesses process more customer data than ever before, and often this data is siloed in different departments and systems. What does this mean from a security standpoint? Under GDPR, companies must now identify a breach in real-time, discover who has been impacted and notify vulnerable individuals in three short days, according to the 72-hour customer breach notification rule. However, without a unified customer record this becomes near impossible. CX leads must be involved in security planning and preparedness efforts. According to KPMG⁴, one in five customers will sever a relationship with a retailer after a cyber attack, while one in three customers would take a long-term break. To guarantee customer retention, CX teams need to consider a security breach as a likely stop along the customer journey. An incorrect email address or a missing point of contact could be the difference between ruining a customer relationship forever and rebuilding customer trust and driving retention following a breach.”
[Chart: When it comes to information security in your organisation, do you have documented security procedures that are routinely followed and tested? Response options: Yes; No; We have policies but they’re not always strictly tested or followed; We have procedures that we follow but they are not always ‘formalised’ documents; Don’t know/can’t answer. Percentages shown, unpaired apart from Yes (77): 77, 8, 8, 0, 8.]
⁴ https://home.kpmg.com/us/en/home/media/press-releases/2016/08/cyber-attacks-could-cost-retailers-one-fifth-of-their-shoppers-kpmg-study.html
Serguei Beloussov, CEO of global technology company Acronis:
“Products and services need to be digitally secure before organisations can consider offering excellent customer service. This can be difficult with legacy systems. While some customers are aware of security issues and expect multiple authentications and checks, others are unaware of the dangers and may simply want easy access. Innovative CX teams will want to cover both groups and make all users equally secure with different types of authentication, ensuring that all users receive the customer experience they are expecting. Most user authentication processes are robust enough but require users to remember multiple passwords. Single sign-on and facial recognition are a good alternative but require additional infrastructures such as enterprise directories and biometric validation systems. While security controls reduce risks, they sometimes put an additional burden on customers. The key lies in profiling the users and, while setting up the product, incorporating personalisation into the authentication process.”
[Chart: What are the main challenges that hinder a bigger focus on data security within your CX strategy? Response options: Regional differences; Dated infrastructure/legacy systems; Lack of skilled staff; Budget; Lack of understanding; C-Level/senior management buy-in; Multiple department input; Complicated regulations/compliance. Percentages shown, unpaired: 54, 23, 23, 23, 15, 46, 46, 23.]
Our research reveals that there are a few different challenges – of equal size – that CX teams face in trying to incorporate data security within their CX strategy. The three biggest challenges faced by CX leaders today when it comes to their information security strategy are dated infrastructure (53 per cent), budget (45 per cent) and lack of understanding (46 per cent).
It is quite surprising to see lack of understanding make the top three when compared against other results throughout this survey. This may point towards a lack of thoroughness in cyber security training regimes. Conversely, respondents may also feel that upper management is blasé in their attitude towards cyber security and lack clarity on strategy and responsibilities.
As highlighted, dated infrastructure and legacy systems came out on top. Many organisations are bogged down by legacy systems that continue to play a key role in operations across a wide array of industries and sectors. Given the nature of such systems, it can be incredibly difficult to incorporate automatic cyber security protections without damaging the system in some way.
The impact of new data regulations
[Chart: Do you feel confident that you understand the changes in data regulations and how they will affect your organisation? Response options: Very Confident; Confident; Neither Confident or Unconfident; Unconfident; Very Unconfident. Percentages shown: 23, 39, 23, 15, 0.]
The idea behind the GDPR is simple: data subjects are protected from companies selling their personal data, and they have to be informed at all times about their rights and how to object to the processing of their personal data.
Having said that, many organisations are still uncertain over the changes in data regulation and how it can affect them day-to-day. We asked how confident our respondents felt about new data regulations. As the results show, respondents are mainly confident, but nearly a quarter (23 per cent) stated that they are neither confident nor unconfident. Meanwhile, 15 per cent replied that they are not confident at all.
When we asked our respondents how it will affect their own CX strategy, the most frequent response was that marketing outreach strategies were redesigned to comply with GDPR. A number of responses also stated that a ‘privacy by design’ philosophy was steadily being implemented, highlighting the customer experience benefit of broadcasting the incorporation of stringent data privacy in all products and services.
New cyber security procedures are constantly being created as a result of increased data regulation and governance. We asked our community members if data regulations will affect their customer experience strategy. A majority of 84 per cent stated that it would.
Organisations across all industries and sectors had to change the way they interact with customers and handle their data when GDPR was introduced in May 2018. Recital 47 of GDPR states that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. Increasing the personalisation of the customer experience can be regarded as a legitimate interest, but CX teams will have to consider if the data is being used as intended.
While some organisations view GDPR as a hindrance to the customer experience, others will realise that it raises marketing standards – ensuring that consumers who share personal information will not be punished by “bad” personalisation such as off-base emails.
Furthermore, customer data has become more difficult to obtain, so brands will have to think of new strategies that convey trust. This can come in the form of more transparent interaction regarding data security and an increasingly holistic approach to cyber security.
100 per cent of respondents state that wider information security practices will improve as a result of new regulation. This is indicative of the positive approach the CX teams are taking towards increased data regulation.
[Chart: Do you believe incoming data governance regulations (like GDPR) will affect your customer experience strategy? Yes: 85; Don’t know: 15; No: 0.]
5 GDPR myths busted
With GDPR in place, there is a lot of chatter in the industry about what the new rules actually mean for marketers and customer experience practitioners handling personal customer data.
But what is true and what is sensationalist fiction?
At GDPR Forum, Dan Hedley, Partner, IT & Commercial at Irwin Mitchell, dived into some of the biggest myths surrounding the new regulations and, in clear terms, outlined what the changes mean for organisations having to adapt now.
1. Massive fines will bankrupt SMEs
Sensationalist headlines claim that there will be fines for small and medium-sized enterprises (SMEs) that could bankrupt their company. In reality, the huge £20m fine mentioned in the news does not affect SMEs. This is purely to warn ‘the very big corporations that are doing very bad things’.
2. You need consent for everything
Consent is one of the buzzwords thrown around alongside GDPR, and while you need consent from customers for some elements under the new law, there are a lot of ‘common sense’ things where explicit consent isn’t needed. These cover contractual necessity, legal obligation, protection of vital interests, public interest necessity and legitimate interests.
For example, if you swap business cards at a conference, it’s assumed you will contact each other, and likewise, if you’re fulfilling a contract for a client and you need to send them additional information, it’s only logical you’re allowed to do so without having explicit consent. Consent is only needed when you cannot rely on any of the above exceptions and is mostly related to direct marketing.
3. Data protection is an IT issue
There is no technology available that will make you GDPR compliant. Data protection is a boardroom issue, and while IT is involved, so are operations, HR, sales and marketing. It’s about the people and processes first, though tech can of course help with particular issues such as data discovery, record keeping and security.
4. You need a Data Protection Officer
This was mentioned in an early draft of the GDPR and no longer applies to the majority of businesses. You must appoint a Data Protection Officer (DPO) only if you’re a public authority, your core activities require regular and systematic monitoring of data subjects, and your core activities consist of large scale processing of special categories of data.
Furthermore, a DPO does not have to be an employee; it can be an external consultant too. A lot of people are currently jumping on this bandwagon, though, so if you go down this route you have to make sure your future DPO has been doing this for years and not just the last few months.
5. All data breaches have to be reported within 72 hours
While this is not a straight-up myth, this is only partly true. Data breaches must indeed be reported to the Information Commissioner’s Office (ICO) by the controller, unless ‘unlikely to result in a risk to the rights and freedoms of natural persons’. So if it’s encrypted, retrieved unopened (in the case of snail mail) or it involves a bunch of corporate email addresses, then you’re likely going to be okay.
The 72 hour time frame is also somewhat flexible, as the regulations state that the obligation is ‘without undue delay and, where feasible, not later than 72 hours after having become aware of it’.
What can CX teams do going forward?
Litha Ramirez, Director of Experience Strategy at business consultation company SPR:
With so much in the news about credit card breaches from retail sites or personal data gleaning for unintended purposes – think Facebook and Cambridge Analytica⁵ – now more than ever it is important to think about cybersecurity and user experience. The ramifications of a successful data breach include loss of customers, revenue, market share and reputation. All are hard to regain, especially in a hyper-competitive global market. With so many other companies vying for your customers, the lack of strategy around the user experience of cybersecurity may result in your customers flocking over to your competitors. Getting customers on your site and accomplishing goals requires not just ease-of-use but also trust, especially when it comes to sites where personal and/or financial data is being used and stored.
If the user does not feel secure about providing personal and financial information, yet that data is required, the user will simply do their business somewhere else.
The flip side of this is that making a site and the data secure cannot be so cumbersome that the user abandons the site. There needs to be a balance between the two.
Below are four tips that can help:
• Provide the user transparency about how their data will be stored, shared and used. Include a policy on how breaches will be treated.
• Use encryption cues like HTTPS and third party security verification to signal the site’s security.
• Make sure information is written in an easy to understand language and takes no more than a couple of minutes to read. Do not obscure it in pages of legalese.
• Provide the user with opportunities to opt into the saving and sharing of data.
⁵ https://www.reuters.com/article/us-facebook-privacy/facebook-says-data-leak-hits-87-million-users-widening-privacy-scandal-idUSKCN1HB2CM
Conclusion
Throughout this report, the underlying trend has been that CX practitioners are confident in the cyber security capabilities of their organisations, but there are a few significant areas of shortfall:
• CX teams need to take a more prominent role in cyber security decision making
• CX and IT teams need to closely integrate goals
• CX teams need a larger cyber security budget
• Cyber security education needs to improve for both customers and employees
• CX teams need to find new ways of improving frustrating digital security experiences, such as authentication
While there is still a long way to go, it is promising that the majority of CX teams are receiving regular cyber security training. The high focus on this may be a direct result of the high quantity of cyber breaches over the last few years, serving as a constant reminder of the dangers posed by weak cyber security procedures.
Additionally, in the next few years we will likely see objectives from CX teams and IT security become increasingly aligned, from CISOs taking on more customer-oriented duties to CX teams exploring innovative alternatives to traditional authentication.
With new data regulations to adhere to and unprecedented cyber threats on the horizon – such as artificial intelligence enabled cyber attacks – confidence can be drawn from the results throughout this survey, which point towards a sector that is taking cyber defence very seriously.
The way CX teams think about cyber security has changed substantially over the last few years. Companies would avoid talking about cyber security as they risked portraying online transactions as taking a risk. This is not the case anymore. Nowadays we are starting to see organisations of all sizes – from financial institutions to retailers – taking an active role in teaching users about safe online behaviour.
Today, organisations and digital security teams know how most attacks function and how they are prevented. However, the key similarity between the most common – and successful – forms of attack is the human error element. While the technology is already in place to help prevent and mitigate cyber attacks, the greatest impact on protecting data is the education of employees and customers.
CXNetworkcom 19
Join CX NetworkYour personal network of
27000PREMIUM MEMBERS
COMMUNITYREACH
174000SOCIAL MEDIA
REACH
13000BY RESPECTEDCX MEMBERS
Supported
In the event of a successful cyber breach, CX leaders will have to manage customer expectations in an attempt to secure brand reputation and consumer trust. As such, it is not just about defending against cyber attacks. CX teams should aim to be pro-active, not reactive. Yet some organisations and CX teams push back against data security protocols on the pretence of cyber processes adversely affecting ease of use and customer service. Conversely, CX teams aiming to increase cyber security seek to offer easy authentication and data protection while keeping the negative impact on CX minimal. Airtight digital security needs to be considered an enabler of customer experience and not viewed as a hindrance to a company's bottom line and creativity. Due to the increasing frequency of successful cyber attacks – coupled with an increase in the sophistication and scope of attacks – the need to adhere to cyber security protocol is more crucial than ever.
About the research
In our recent study we explored what precautions CX practitioners are taking in data security. Here are some burning questions we wanted to find answers to:
• Is cyber security something that CX teams are looking to as a priority?
• Do CX teams feel they are equipped to deal with today's threats?
• Are CX teams aligning their goals with digital security teams?
• Are CX teams incorporating cyber security in CX strategy?
• How closely are CX and IT teams working together on cyber security?
We surveyed our global membership of CX leaders to take an accurate snapshot of the current climate. Within this report we highlight some of our key findings alongside analysis from experts within the field.
The role of data security in customer experience
How important is data security as part of your wider customer experience agenda?
[Chart: response scale Very Important, Somewhat Important, Neither Important or Unimportant, Somewhat Unimportant, Unimportant. Values shown: 54, 39, 8, 0, 0]
The more data an organisation has about its customers, the more opportunities it has to offer a personalised experience. However, at the same time, the more data an organisation has, the greater the likelihood of it being used maliciously.
Every employee working with customer data needs to consider their treatment of data very carefully. The survey results show that the majority of respondents understand that secure data is a chief expectation among customers, with over 54 per cent stating that it is "very important".
Does this mean that the traditionally frustrating aspects of digital security, such as user authentication, will undergo major upheaval? And will new customer experience-centric security controls place a bigger strain on budgets?
Kevin Goldman, Chief Design Officer at identity theft protection company Trusona:
Every brand in the world is losing revenue due to the universal pain point of passwords. This can lead to consumer frustration, cart abandonment, password resets and ultimately customer churn. Gartner has called customer experience 'the only durable competitive advantage', making security and authentication an increasingly urgent priority for CX teams. In this way, passwords should be a shared priority for security and CX teams alike.
Does your CX department have budget allocated for data security?
Companies must continue to provide transparent information to data subjects. Data breaches and fraud are top concerns amongst business leaders as a threat to customer loyalty and the company brand. Forward-thinking organisations will view data security as a means towards improved customer experience.
The results from our survey suggest that there is room for improvement in this area. As you can see, each answer received a similar response rate. "Yes" came out on top with 39 per cent; meanwhile, "I don't know" received a fractionally lower score of 31 per cent.
As supply chains become more interconnected and transactions increasingly shift to the online world, CX teams will likely spend more on cyber security going into the future. Future strategies may involve more Chief Information Security Officers (CISOs) taking up CX-oriented responsibilities, or more CX teams starting to outsource cyber security. This is because, in a world where cyber security is constantly changing and becoming more complex, it may be more resource effective for CX teams to outsource their cyber security functions to organisations that are experienced in threat detection, to bridge the ever-widening skill gap.
[Chart: Does your CX department have budget allocated for data security? Options: Yes, No, Don't know. Values shown: 38, 31, 31]
[Chart: Who takes responsibility for data governance? Options: IT Teams, Data Management Teams. Values shown: 75, 25]
How can robust data security improve customer experience?
Robust data security procedures are one of the foremost methods of mitigating cyber risk. According to our respondents, protecting customer data (62 per cent) and ensuring compliance (54 per cent) were the biggest advantages. With the recent introduction of the General Data Protection Regulation (GDPR), ensuring compliance remains a top priority amongst CX teams.
Kevin Goldman, Chief Design Officer at identity theft protection company Trusona:
CX has a long way to go in aligning the goals of CX and digital security teams, a goal which is becoming more difficult to achieve as CX teams become more siloed.
CX teams lack organisational overlap with the IT department. Unless there is a design or CX leader on the executive team, this tends to be the norm. This makes it hard to track social engineering, which is one of the biggest challenges in cyber security. Social engineering is the process of manipulating individuals for fraud, and in order to maintain a high level of security we must solve social engineering. Technology can help solve this problem, but the education of employees and consumers is required – both of which are notoriously hard to do with siloed teams. The exceptions are companies such as Amazon, eClinical Works and Slack. Many of them are exploring password-less authentication because they know that 30 to 40 per cent of call centre volume is due to password resets. And in the case of a stalled login, people will abandon a shopping cart or end an engagement – leading to increased customer churn.
[Chart: What are the most significant advantages a robust data security strategy can have on customer experience? (choose up to 3) Options: Ensure compliance; Gain consumer trust; Prevent fraud; Protect customer data; Win customer loyalty & retention. Values shown: 54, 46, 31, 62, 39]
Are CX teams cyber aware?
What is the biggest threat a lack of cyber security could present to your organisation? (choose up to 3)
Customer loyalty is built on trust. The ramifications of losing customer data are immeasurable, and CX teams that are lax with data security put their organisation's reputation on the line, as well as the trust of their customers.
Cyber security is no longer something that just IT teams need to worry about. It has broader business ramifications, such as widespread customer dissatisfaction, which leads to customer churn and ultimately revenue loss.
In our survey we asked what the biggest threat is that a successful cyber attack could present to an organisation. Some of the biggest concerns among CX professionals are the loss of customer trust (54 per cent) and a diminished brand reputation (46 per cent). The risk of a data breach is also ranked as a major threat (54 per cent).
These results are unsurprising considering the high-profile data breaches that have occurred in the previous years. Whether it was the Equifax breach [1] or the three billion Yahoo [2] user accounts that were compromised, the prevailing sense among organisations is that sophisticated cyber attacks are amongst the biggest technology concerns today.
Jonathan Gossels, CEO at IT security and compliance company SystemExperts Corporation:
There are really two questions we have to consider going into the future, where customers are increasingly willing to take extra measures to know that their transactions are secure:
1. What are the major brands doing to ensure that they are operationally cyber secure?
2. What level of transparency/impact are they willing to impose on their customers?
[Chart: biggest threats a lack of cyber security could present. Options: Lack of consumer trust; Data breach; Loss of brand reputation; Fraud; Regulatory risk. Values shown: 54, 31, 54, 46, 39]
[1] In 2017 a data breach in Equifax exposed the sensitive personal information of 145 million American consumers, up to 44 million British residents, as well as 8000 Canadian residents. Information observed by hackers included credit card numbers, addresses and driver's licenses.
[2] In 2017 Yahoo announced that a huge data breach in 2013 had affected every user on its service – around 3 billion. The hack exposed user information such as email addresses, phone numbers and passwords.
Are CX teams over confident in cyber security?
Over half (52 per cent) of respondents are confident in their cyber defence capabilities, with 17 per cent stating that they are very confident. However, is this overconfidence? Many organisations are still failing at the cyber security basics. All it takes is a single negligent employee to open a spear phishing email or click on a malicious link, and this can negate expensive cyber security procedures that have been put in place.
A 2017 cyber security survey concluded that the biggest cyber security risk is worker complacency [3]. The weak cyber security culture amongst employees is often overlooked by executive decision makers – and this can create a blind spot in an organisation's ability to protect critical data.
[Chart: How confident are you in your organisation's information security? Response scale: Very Confident, Confident, Neither Confident or Unconfident, Unconfident, Very Unconfident. Values shown: 18, 53, 6, 12, 12]
[3] https://www.ft.com/content/e75d9c96-eec9-11e6-ba01-119a44939bb6
Do technical and non-technical employees take part in regular cyber security training?
Cyber security experts often state that employees are both the strongest and weakest link in cyber defence. So it is important that both technical and non-technical employees understand this risk and have the knowledge to mitigate cyber threats.
The results from our survey show that the majority of CX practitioners believe that their organisation takes a responsible approach towards training, ensuring that all employees receive regular information security training. Further confidence can be drawn from the 23 per cent of respondents who state that both teams receive training but it isn't regular enough, so they're aware this should be a bigger focus area for the company in the future.
A responsible organisation should be able to ensure that all departments have the foundational knowledge to mitigate common cyber security threats. A high number of organisations adopt a pre-existing risk framework. While useful, this often does not take into account the specific risks faced by an individual organisation.
Max Aulakh, CISO at transformative risk management company Ignyte Assurance Platform:
Every brand in the world is losing revenue due to the universal pain point. The number one issue has always been the human element of cyber security. Today we have enough knowledge to know what type of attacks are the most common and how they function, but the common threat between common cyber attacks is human error. CX team members should be aware of how common attacks – such as phishing, social engineering tactics, click baits, DDoS and malware – work.
We are missing the most basic awareness among our user community. Most companies communicate that they would never ask consumers for their passwords and other log-in credentials, and offer security guidelines, but is there more that CX teams can do?
A good CX team will manage brand perception during downtime on social media; a better one would contribute to cyber defence by communicating the benefits of digital security to customers.
[Chart: Do both technical and non-technical employees take part in routine awareness/training sessions on information security related issues? Options: Yes, we're very good at that; Yes, but it's not routine or regular; Only technical teams; No, but we have a plan to improve efforts; No, very rarely if ever. Values shown: 54, 23, 0, 15, 7]
Does your organisation have the ability to mitigate threats in real-time?
The ability to mitigate threats in real-time is one of the core pillars of digital defence. Confidence can be drawn from the 46 per cent of respondents who state their organisation has the ability to mitigate threats in real-time. In addition, 20 per cent of respondents believe that their ability to mitigate threats in real-time is dependent on the threat. While none of our respondents answered that their organisation doesn't have the ability to respond to threats in real-time, a high proportion said they didn't know either way (18 per cent). Is this indicative of the siloed nature of CX teams?
New threats are always emerging and keeping track isn't easy. Organisations need to be able to trust that the individuals using their service are the people they claim to be. The ability to identify a legitimate or illegitimate customer – by assessing user locations, known behaviours and device profiles – while not intruding on the customer experience is key to brand value.
[Chart: Does your organisation have the ability to mitigate threats in real-time? Options: I don't know; We have a tiered security format and the protocol would involve multiple formats; No; Yes; It depends. Values shown: 18, 6, 30, 47, 0]
Do you have documented IT security procedures in place that are routinely followed and tested?
Over three quarters (76 per cent) of our respondents told us that they do have IT policy procedures that are routine. This figure demonstrates a responsible attitude towards cultivating a strong cyber security culture, given the fact that the overwhelming majority of respondents believe they have routinely tested cyber policies in place.
Ted Bardusch, CISO at customer engagement hub Usermind:
Given the increasing likeliness of cyber breaches, cyber defence is no longer the sole domain of CISOs, in consideration of the ramifications that a breach can have on customer relationship and corporate reputation. Transparent communication is vital before, during and following a security incident. Businesses process more customer data than ever before, and often this data is siloed in different departments and systems. What does this mean from a security standpoint? Under GDPR, companies must now identify a breach in real-time, discover who has been impacted and notify vulnerable individuals in three short days, according to the 72-hour customer breach notification rule. However, without a unified customer record this becomes near impossible. CX leads must be involved in security planning and preparedness efforts. According to KPMG [4], one in five customers will sever a relationship with a retailer after a cyber attack, while one in three customers would take a long-term break. To guarantee customer retention, CX teams need to consider a security breach as a likely stop along the customer journey. An incorrect email address or a missing point of contact could be the difference between ruining a customer relationship forever and rebuilding customer trust and driving retention following a breach.
[Chart: When it comes to information security in your organisation, do you have documented security procedures that are routinely followed and tested? Options: Yes; No; We have policies but they're not always strictly tested or followed; We have procedures that we follow but they are not always 'formalised' documents; Don't know/can't answer. Values shown: 77, 8, 8, 0, 8]
[4] https://home.kpmg.com/us/en/home/media/press-releases/2016/08/cyber-attacks-could-cost-retailers-one-fifth-of-their-shoppers-kpmg-study.html
Serguei Beloussov, CEO of global technology company Acronis:
Products and services need to be digitally secure before organisations can consider offering excellent customer service. This can be difficult with legacy systems. While some customers are aware of security issues and expect multiple authentications and checks, others are unaware of the dangers and may simply want easy access. Innovative CX teams will want to cover both groups and make all users equally secure with different types of authentication, ensuring that all users receive the customer experience they are expecting. Most user authentication processes are robust enough but require users to remember multiple passwords. Single sign-on and facial recognition are a good alternative but require additional infrastructures such as enterprise directories and biometric validation systems. While security controls reduce risks, they sometimes put an additional burden on customers. The key lies in profiling the users and, while setting up the product, incorporating personalisation into the authentication process.
[Chart: What are the main challenges that hinder a bigger focus on data security within your CX strategy? Options: Regional differences; Dated infrastructure/legacy systems; Lack of skilled staff; Budget; Lack of understanding; C-Level/senior management buy-in; Multiple department input; Complicated regulations/compliance. Values shown: 54, 23, 23, 23, 15, 46, 46, 23]
Our research reveals that there are a few different challenges – of equal size – that CX teams face in trying to incorporate data security within their CX strategy. The three biggest challenges faced by CX leaders today when it comes to their information security strategy are dated infrastructure (53 per cent), budget (45 per cent) and lack of understanding (46 per cent).
It is quite surprising to see lack of understanding make the top three when compared against other results throughout this survey. This may point towards a lack of thoroughness in cyber security training regimes. Conversely, respondents may also feel that upper management is blasé in their attitude towards cyber security and lack clarity on strategy and responsibilities.
As highlighted, dated infrastructure and legacy systems came out on top. Many organisations are bogged down by legacy systems that continue to play a key role in operations across a wide array of industries and sectors. Given the nature of such systems, it can be incredibly difficult to incorporate automatic cyber security protections without damaging the system in some way.
The impact of new data regulations
Do you feel confident that you understand the changes in data regulations and how they will affect your organisation?
[Chart: response scale Very Confident, Confident, Neither Confident or Unconfident, Unconfident, Very Unconfident. Values shown: 23, 39, 23, 15, 0]
The idea behind the GDPR is simple: data subjects are protected from companies selling their personal data, and they have to be informed at all times about their rights and how to object to the processing of their personal data.
Having said that, many organisations are still uncertain over the changes in data regulation and how it can affect them day-to-day. We asked how confident our respondents felt about new data regulations. As the results show, respondents are mainly confident, but nearly a quarter (23 per cent) stated that they are neither confident nor unconfident. Meanwhile, 15 per cent replied that they are not confident at all.
When we asked our respondents how it will affect their own CX strategy, the most frequent response was that marketing outreach strategies were redesigned to comply with GDPR. A number of responses also stated that a 'privacy by design' philosophy was steadily being implemented, highlighting the customer experience benefit of broadcasting the incorporation of stringent data privacy in all products and services.
New cyber security procedures are constantly being created as a result of increased data regulation and governance. We asked our community members if data regulations will affect their customer experience strategy. A majority of 84 per cent stated that it would.
Organisations across all industries and sectors had to change the way they interact with customers and handled their data when GDPR was introduced in May 2018. Recital 47 of GDPR states that "the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest". Increasing the personalisation of the customer experience can be regarded as a legitimate interest, but CX teams will have to consider if the data is being used as intended.
While some organisations view GDPR as a hindrance to the customer experience, others will realise that it raises marketing standards – ensuring that consumers who share personal information will not be punished by "bad" personalisation such as off-base emails.
Furthermore, customer data has become more difficult to obtain, so brands will have to think of new strategies that convey trust. This can come in the form of more transparent interaction regarding data security and an increasingly holistic approach to cyber security.
100 per cent of respondents state that wider information security practices will improve as a result of new regulation. This is indicative of the positive approach the CX teams are taking towards increased data regulation.
[Chart: Do you believe incoming data governance regulations (like GDPR) will affect your customer experience strategy? Yes: 85; Don't know: 15; No: 0]
5 GDPR myths busted
With GDPR in place, there is a lot of chatter in the industry about what the new rules actually mean for marketers and customer experience practitioners handling personal customer data.
But what is true and what is sensationalist fiction?
At GDPR Forum, Dan Hedley, Partner, IT & Commercial at Irwin Mitchell, dived into some of the biggest myths surrounding the new regulations and, in clear terms, outlined what the changes mean for organisations having to adapt now.
1. Massive fines will bankrupt SMEs
Sensationalist headlines claim that there will be fines for small and medium-sized enterprises (SMEs) that could bankrupt their company. In reality, the huge £20m fine mentioned in the news does not affect SMEs. This is purely to warn 'the very big corporations that are doing very bad things'.
2. You need consent for everything
Consent is one of the buzzwords thrown around alongside GDPR, and while you need consent from customers for some elements under the new law, there are a lot of 'common sense' things where explicit consent isn't needed. These cover contractual necessity, legal obligation, protection of vital interests, public interest necessity and legitimate interests.
For example, if you swap business cards at a conference, it's assumed you will contact each other, and likewise, if you're fulfilling a contract for a client and you need to send them additional information, it's only logical you're allowed to do so without having explicit consent. Consent is only needed when you cannot rely on any of the above exceptions and is mostly related to direct marketing.
3. Data protection is an IT issue
There is no technology available that will make you GDPR compliant. Data protection is a boardroom issue, and while IT is involved, so are operations, HR, sales and marketing. It's about the people and processes first. Though tech can, of course, help with particular issues such as data discovery, record keeping and security.
4. You need a Data Protection Officer
This was mentioned in an early draft of the GDPR and no longer applies to the majority of businesses. You must appoint a Data Protection Officer (DPO) only if you're a public authority, your core activities require regular and systematic monitoring of data subjects, and your core activities consist of large scale processing of special categories of data.
Furthermore, a DPO does not have to be an employee; it can be an external consultant too. Though a lot of people are currently jumping on this bandwagon, so if you go down this route you have to make sure your future DPO has been doing this for years and not just the last few months.
5. All data breaches have to be reported within 72 hours
While this is not a straight-up myth, this is only partly true. Data breaches must indeed be reported to the Information Commissioner's Office (ICO) by the controller unless 'unlikely to result in a risk to the rights and freedoms of natural persons'. So if it's encrypted, retrieved unopened (in the case of snail mail) or it involves a bunch of corporate email addresses, then you're likely going to be okay.
The 72 hour time frame is also somewhat flexible, as the regulations state that obligation is 'without undue delay and, where feasible, not later than 72 hours after having become aware of it'.
What can CX teams do going forward?
Litha Ramirez, Director of Experience Strategy at business consultation company SPR:
With so much in the news about credit card breaches from retail sites or personal data gleaning for unintended purposes – think Facebook and Cambridge Analytica [5] – now more than ever it is important to think about cybersecurity and user experience. The ramifications of a successful data breach include loss of customers, revenue, market share and reputation. All are hard to regain, especially in a hyper-competitive global market. With so many other companies vying for your customers, the lack of strategy around the user experience of cybersecurity may result in your customers flocking over to your competitors. Getting customers on your site and accomplishing goals requires not just ease-of-use but also trust, especially when it comes to sites where personal and/or financial data is being used and stored.
If the user does not feel secure about providing personal and financial information, yet that data is required, the user will simply do their business somewhere else.
The flip side of this is that making a site and the data secure cannot be so cumbersome that the user abandons the site. There needs to be a balance between the two.
Below are four tips that can help:
• Provide the user transparency about how their data will be stored, shared and used. Include a policy on how breaches will be treated.
• Use encryption cues like HTTPS and third party security verification to signal the site's security.
• Make sure information is written in an easy to understand language and takes no more than a couple of minutes to read. Do not obscure it in pages of legalese.
• Provide the user with opportunities to opt into the saving and sharing of data.
[5] https://www.reuters.com/article/us-facebook-privacy/facebook-says-data-leak-hits-87-million-users-widening-privacy-scandal-idUSKCN1HB2CM
Conclusion
Throughout this report, the underlying trend has been that CX practitioners are confident in the cyber security capabilities of their organisations, but there are a few significant areas of shortfall:
• CX teams need to take a more prominent role in cyber security decision making
• CX and IT teams need to closely integrate goals
• CX teams need a larger cyber security budget
• Cyber security education needs to improve for both customers and employees
• CX teams need to find new ways of improving frustrating digital security experiences such as authentication
While there is still a long way to go, it is promising that the majority of CX teams are receiving regular cyber security training. The high focus on this may be a direct result of the high quantity of cyber breaches over the last few years serving as a constant reminder of the dangers posed by weak cyber security procedures.
Additionally, in the next few years we will likely see objectives from CX teams and IT security become increasingly aligned, from CISOs taking on more customer-oriented duties to CX teams exploring innovative alternatives to traditional authentication.
With new data regulations to adhere to and unprecedented cyber threats on the horizon – such as artificial intelligence enabled cyber attacks – confidence can be drawn from the results throughout this survey that point towards a sector that is taking cyber defence very seriously.
The way CX teams think about cyber security has changed substantially over the last few years. Companies would avoid talking about cyber security as they risked portraying online transactions as taking a risk. This is not the case anymore. Nowadays we are starting to see organisations of all sizes – from financial institutions to retailers – taking an active role in teaching users about safe online behaviour.
Today, organisations and digital security teams know how most attacks function and how they are prevented. However, the key similarity between the most common – and successful – forms of attack is the human error element. While the technology is already in place to help prevent and mitigate cyber attacks, the greatest impact to protecting data is the education of employees and customers.
CXNetworkcom 19
Join CX NetworkYour personal network of
27000PREMIUM MEMBERS
COMMUNITYREACH
174000SOCIAL MEDIA
REACH
13000BY RESPECTEDCX MEMBERS
Supported
CXNetworkcom 4
The role of data security in customer experienceHow important is data security as part of your
wider customer experience agenda
54 39 8 0 0
Very Important UnimportantSomewhat Important
Somewhat Unimportant
Neither Important or Unimportant
The more data an organisation has about its customers the more opportunities it has to offer a personalised experience However at the same time the more data an organisation has the likelihood of it being used maliciously increases
Every employee working with customer data needs to consider their treatment of data very carefully The survey results show that the majority of respondents understand that secure data is a chief expectation among customers with over 54 per cent stating that it is ldquovery importantrdquo
Every employee working with customer data needs to consider their treatment of data very carefully
Does this mean that the traditionally frustrating aspects of digital security such as user authentication will undergo major upheaval And will new customer experience-centric security controls place a bigger strain on budgets
Kevin Goldman Chief Design Officer at identity theft protection company Trusona
Every brand in the world is losing revenue due to the universal pain point of passwords This can lead to consumer frustration cart abandonment password resets and ultimately customer churn Gartner has called customer experience rsquothe only durable competitive advantagersquo making security and authentication an increasingly urgent priority for CX teams In this way passwords should be a shared priority for security and CX teams alike
ldquo
ldquo
CXNetworkcom 5
Does your CX department have budget allocated for data security
Companies must continue to provide transparent information to data subjects Data breaches and fraud are top concerns amongst business leaders as a threat to customer loyalty and the company brand Forward-thinking organisations will view data security as a means towards improved customer experience
The results from our survey suggest that there is room for improvement in this area As you can see each answer received a similar response rate ldquoYesrdquo came out on top with 39 per cent meanwhile ldquoI donrsquot knowrdquo received a fractionally lower score of 31 per cent
As supply chains become more interconnected and transactions increasingly shift to the online world CX teams will likely spend more on cyber security going into the future Future strategies may involve more Chief Information Security Officers (CISOs) taking up CX oriented
responsibilities or more CX teams will start outsourcing cyber security
Future strategies may involve more Chief Information Security Officers (CISOs) taking up CX oriented responsibilities or more CX teams outsourcing cyber security
Because in a world where cyber security is constantly changing and becoming more complex it may be more resource effective for CX teams to outsource their cyber security functions to organisations that are experienced in threat detection to bridge the ever-widening skill gap
38
75
31
25
31Yes
IT Teams Data Management Teams
No
Donrsquot know
Who takes responsibility for data governance
CXNetworkcom 6
How can robust data security improve customer experience
Robust data security procedures are one of the foremost methods of mitigating cyber risk According to our respondents protecting customer data (62 per cent) and ensuring compliance (54 per cent) were the biggest advantages With the recent introduction of the General Data Protection Regulation (GDPR) ensuring compliance remains a top priority amongst CX teams
Kevin Goldman, Chief Design Officer at identity theft protection company Trusona
CX has a long way to go in aligning the goals of CX and digital security teams, a goal which is becoming more difficult to achieve as CX teams become more siloed.
CX teams lack organisational overlap with the IT department. Unless there is a design or CX leader on the executive team, this tends to be the norm. This makes it hard to track social engineering, which is one of the biggest challenges in cyber security. Social engineering is the process of manipulating individuals for fraud, and in order to maintain a high level of security we must solve social engineering. Technology can help solve this problem, but the education of employees and consumers is required – both of which are notoriously hard to do with siloed teams. The exceptions are companies such as Amazon, eClinical Works and Slack. Many of them are exploring password-less authentication because they know that 30 to 40 per cent of call centre volume is due to password resets. And in the case of a stalled login, people will abandon a shopping cart or end an engagement – leading to increased customer churn.
[Chart: What are the most significant advantages a robust data security strategy can have on customer experience? (choose up to 3) Options: Ensure compliance, Gain consumer trust, Prevent fraud, Protect customer data, Win customer loyalty & retention]
Are CX teams cyber aware?
What is the biggest threat a lack of cyber security could present to your organisation? (choose up to 3)
Customer loyalty is built on trust. The ramifications of losing customer data are immeasurable, and CX teams that are lax with data security put their organisation’s reputation on the line, as well as the trust of their customers.
Cyber security is no longer something that just IT teams need to worry about. It has broader business ramifications, such as widespread customer dissatisfaction, which leads to customer churn and ultimately revenue loss.
In our survey we asked what the biggest threat is that a successful cyber attack could present to an organisation. Some of the biggest concerns among CX professionals are the loss of customer trust (54 per cent) and a diminished brand reputation (46 per cent). The risk of a data breach is also ranked as a major threat (54 per cent).
These results are unsurprising considering the high profile data breaches that have occurred in the previous years. Whether it was the Equifax breach [1] or the three billion Yahoo [2] user accounts that were compromised, the prevailing sense among organisations is that sophisticated cyber attacks are amongst the biggest technology concerns today.
Jonathan Gossels, CEO at IT security and compliance company SystemExperts Corporation
There are really two questions we have to consider going into the future, where customers are increasingly willing to take extra measures to know that their transactions are secure:
1. What are the major brands doing to ensure that they are operationally cyber secure?
2. What level of transparency/impact are they willing to impose on their customers?
[Chart: What is the biggest threat a lack of cyber security could present to your organisation? Options: Lack of consumer trust, Data breach, Loss of brand reputation, Fraud, Regulatory risk]
[1] In 2017, a data breach in Equifax exposed the sensitive personal information of 145 million American consumers, up to 44 million British residents, as well as 8000 Canadian residents. Information observed by hackers included credit card numbers, addresses and driver’s licenses.
[2] In 2017, Yahoo announced that a huge data breach in 2013 had affected every user on its service – around 3 billion. The hack exposed user information such as email addresses, phone numbers and passwords.
Are CX teams over confident in cyber security?
Over half (52 per cent) of respondents are confident in their cyber defence capabilities, with 17 per cent stating that they are very confident. However, is this over confidence? Many organisations are still failing at the cyber security basics. All it takes is a single negligent employee to open a spear phishing email or click on a malicious link, and this can negate expensive cyber security procedures that have been put in place.
A 2017 cyber security survey concluded that the biggest cyber security risk is worker complacency [3]. The weak cyber security culture amongst employees is often overlooked by executive decision makers – and this can present blindness in an organisation’s ability to protect critical data.
[Chart: How confident are you in your organisation’s information security? Options: Very Confident, Confident, Neither Confident or Unconfident, Unconfident, Very Unconfident]
[3] https://www.ft.com/content/e75d9c96-eec9-11e6-ba01-119a44939bb6
Do technical and non-technical employees take part in regular cyber security training?
Cyber security experts often state that employees are both the strongest and weakest link in cyber defence. So it is important that both technical and non-technical employees understand this risk and have the knowledge to mitigate cyber threats.
The results from our survey show that the majority of CX practitioners believe that their organisation takes a responsible approach towards training, ensuring that all employees receive regular information security training. Further confidence can be drawn from the 23 per cent of respondents who state that both teams receive training but it isn’t regular enough, so they’re aware this should be a bigger focus area for the company in the future.
A responsible organisation should be able to ensure that all departments have the foundational knowledge to mitigate common cyber security threats. A high number of organisations adopt a pre-existing risk framework. While useful, this often does not take into account the specific risks faced by an individual organisation.
[Chart: Do both technical and non-technical employees take part in routine awareness/training sessions on information security related issues? Options: Yes, we’re very good at that; Yes, but it’s not routine or regular; Only technical teams; No, but we have a plan to improve efforts; No, very rarely if ever]
Max Aulakh, CISO at transformative risk management company Ignyte Assurance Platform
Every brand in the world is losing revenue due to the universal pain point. The number one issue has always been the human element of cyber security. Today we have enough knowledge to know what type of attacks are the most common and how they function, but the common threat between common cyber attacks is human error. CX team members should be aware of how common attacks – such as phishing, social engineering tactics, click baits, DDoS and malware – work.
We are missing the most basic awareness among our user community. Most companies communicate that they would never ask consumers for their passwords and other log-in credentials, and offer security guidelines, but is there more that CX teams can do?
A good CX team will manage brand perception during downtime on social media; a better one would contribute to cyber defence by communicating the benefits of digital security to customers.
Does your organisation have the ability to mitigate threats in real-time?
The ability to mitigate threats in real-time is one of the core pillars of digital defence. Confidence can be drawn from the 46 per cent of respondents who state their organisation has the ability to mitigate threats in real-time. In addition, 20 per cent of respondents believe that their ability to mitigate threats in real-time is dependent on the threat. While none of our respondents answered that their organisation doesn’t have the ability to respond to threats in real-time, a high proportion said they didn’t know either way (18 per cent). Is this indicative of the siloed nature of CX teams?
New threats are always emerging and keeping track isn’t easy. Organisations need to be able to trust that the individuals using their service are the people they claim to be. The ability to identify a legitimate or illegitimate customer – by assessing user locations, known behaviours and device profiles – while not intruding on the customer experience is key to brand value.
[Chart: Does your organisation have the ability to mitigate threats in real-time? Options: I don’t know; We have a tiered security format and the protocol would involve multiple formats; No; Yes; It depends]
Do you have documented IT security procedures in place that are routinely followed and tested?
Over three quarters (76 per cent) of our respondents told us that they do have IT policy procedures that are routine. This figure demonstrates a responsible attitude towards cultivating a strong cyber security culture, given the fact that the overwhelming majority of respondents believe they have routinely tested cyber policies in place.
Ted Bardusch, CISO at customer engagement hub Usermind
Given the increasing likeliness of cyber breaches, cyber defence is no longer the sole domain of CISOs, in consideration of the ramifications that a breach can have on customer relationship and corporate reputation. Transparent communication is vital before, during and following a security incident. Businesses process more customer data than ever before, and often this data is siloed in different departments and systems. What does this mean from a security standpoint? Under GDPR, companies must now identify a breach in real-time, discover who has been impacted and notify vulnerable individuals in three short days, according to the 72-hour customer breach notification rule. However, without a unified customer record, this becomes near impossible. CX leads must be involved in security planning and preparedness efforts. According to KPMG [4], one in five customers will sever a relationship with a retailer after a cyber attack, while one in three customers would take a long-term break. To guarantee customer retention, CX teams need to consider a security breach as a likely stop along the customer journey. An incorrect email address or a missing point of contact could be the difference between ruining a customer relationship forever and rebuilding customer trust and driving retention following a breach.
[Chart: When it comes to information security in your organisation, do you have documented security procedures that are routinely followed and tested? Options: Yes; No; We have policies but they’re not always strictly tested or followed; We have procedures that we follow but they are not always ‘formalised’ documents; Don’t know/can’t answer]
[4] https://home.kpmg.com/us/en/home/media/press-releases/2016/08/cyber-attacks-could-cost-retailers-one-fifth-of-their-shoppers-kpmg-study.html
Serguei Beloussov, CEO of global technology company Acronis
Products and services need to be digitally secure before organisations can consider offering excellent customer service. This can be difficult with legacy systems. While some customers are aware of security issues and expect multiple authentications and checks, others are unaware of the dangers and may simply want easy access. Innovative CX teams will want to cover both groups and make all users equally secure with different types of authentication, ensuring that all users receive the customer experience they are expecting. Most user authentication processes are robust enough, but require users to remember multiple passwords. Single sign-on and facial recognition are a good alternative, but require additional infrastructures such as enterprise directories and biometric validation systems. While security controls reduce risks, they sometimes put an additional burden on customers. The key lies in profiling the users and, while setting up the product, incorporating personalisation into the authentication process.
[Chart: What are the main challenges that hinder a bigger focus on data security within your CX strategy? Options: Regional differences; Dated infrastructure/legacy systems; Lack of skilled staff; Budget; Lack of understanding; C-Level/senior management buy-in; Multiple department input; Complicated regulations/compliance]
Our research reveals that there are a few different challenges – of equal size – that CX teams face in trying to incorporate data security within their CX strategy. The three biggest challenges faced by CX leaders today when it comes to their information security strategy are dated infrastructure (53 per cent), budget (45 per cent) and lack of understanding (46 per cent).
It is quite surprising to see lack of understanding make the top three when compared against other results throughout this survey. This may point towards a lack of thoroughness in cyber security training regimes. Conversely, respondents may also feel that upper management is blasé in their attitude towards cyber security and lack clarity on strategy and responsibilities.
As highlighted, dated infrastructure and legacy systems came out on top. Many organisations are bogged down by legacy systems that continue to play a key role in operations across a wide array of industries and sectors. Given the nature of such systems, it can be incredibly difficult to incorporate automatic cyber security protections without damaging the system in some way.
The impact of new data regulations
[Chart: Do you feel confident that you understand the changes in data regulations and how they will affect your organisation? Options: Very Confident, Confident, Neither Confident or Unconfident, Unconfident, Very Unconfident]
The idea behind the GDPR is simple: data subjects are protected from companies selling their personal data; they have to be informed at all times about their rights and how to object to the processing of their personal data.
Having said that, many organisations are still uncertain over the changes in data regulation and how it can affect them day-to-day. We asked how confident our respondents felt about new data regulations. As the results show, respondents are mainly confident, but nearly a quarter (23 per cent) stated that they are neither confident nor unconfident. Meanwhile, 15 per cent replied that they are not confident at all.
When we asked our respondents how it will affect their own CX strategy, the most frequent response was that marketing outreach strategies were redesigned to comply with GDPR. A number of responses also stated that a ‘privacy by design’ philosophy was steadily being implemented, highlighting the customer experience benefit of broadcasting the incorporation of stringent data privacy in all products and services.
New cyber security procedures are constantly being created as a result of increased data regulation and governance. We asked our community members if data regulations will affect their customer experience strategy. A majority of 84 per cent stated that it would.
Organisations across all industries and sectors had to change the way they interact with customers and handled their data when GDPR was introduced in May 2018. Recital 47 of GDPR states that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. Increasing the personalisation of the customer experience can be regarded as a legitimate interest, but CX teams will have to consider if the data is being used as intended.
While some organisations view GDPR as a hindrance to the customer experience, others will realise that it raises marketing standards – ensuring that consumers who share personal information will not be punished by “bad” personalisation such as off-base emails.
Furthermore, customer data has become more difficult to obtain, so brands will have to think of new strategies that convey trust. This can come in the form of more transparent interaction regarding data security and an increasingly holistic approach to cyber security.
100 per cent of respondents state that wider information security practices will improve as a result of new regulation. This is indicative of the positive approach the CX teams are taking towards increased data regulation.
[Chart: Do you believe incoming data governance regulations (like GDPR) will affect your customer experience strategy? Options: Yes, Don’t know, No]
5 GDPR myths busted
With GDPR in place, there is a lot of chatter in the industry about what the new rules actually mean for marketers and customer experience practitioners handling personal customer data.
But what is true and what is sensationalist fiction?
At GDPR Forum, Dan Hedley, Partner, IT & Commercial at Irwin Mitchell, dived into some of the biggest myths surrounding the new regulations and, in clear terms, outlined what the changes mean for organisations having to adapt now.
1. Massive fines will bankrupt SMEs
Sensationalist headlines claim that there will be fines for small and medium-sized enterprises (SMEs) that could bankrupt their company. In reality, the huge £20m fine mentioned in the news does not affect SMEs. This is purely to warn ‘the very big corporations that are doing very bad things’.
2. You need consent for everything
Consent is one of the buzzwords thrown around alongside GDPR, and while you need consent from customers for some elements under the new law, there are a lot of ‘common sense’ things where explicit consent isn’t needed. These cover contractual necessity, legal obligation, protection of vital interests, public interest necessity and legitimate interests.
For example, if you swap business cards at a conference, it’s assumed you will contact each other, and likewise, if you’re fulfilling a contract for a client and you need to send them additional information, it’s only logical you’re allowed to do so without having explicit consent. Consent is only needed when you cannot rely on any of the above exceptions, and is mostly related to direct marketing.
3. Data protection is an IT issue
There is no technology available that will make you GDPR compliant. Data protection is a boardroom issue, and while IT is involved, so are operations, HR, sales and marketing. It’s about the people and processes first. Though tech can, of course, help with particular issues such as data discovery, record keeping and security.
4. You need a Data Protection Officer
This was mentioned in an early draft of the GDPR and no longer applies to the majority of businesses. You must appoint a Data Protection Officer (DPO) only if you’re a public authority, your core activities require regular and systematic monitoring of data subjects and your core activities consist of large scale processing of special categories of data.
Furthermore, a DPO does not have to be an employee; it can be an external consultant too. Though a lot of people are currently jumping on this bandwagon, so if you go down this route you have to make sure your future DPO has been doing this for years and not just the last few months.
5. All data breaches have to be reported within 72 hours
While this is not a straight-up myth, this is only partly true. Data breaches must indeed be reported to the Information Commissioner’s Office (ICO) by the controller unless ‘unlikely to result in a risk to the rights and freedoms of natural persons’. So if it’s encrypted, retrieved unopened (in the case of snail mail) or it involves a bunch of corporate email addresses, then you’re likely going to be okay.
The 72 hour time frame is also somewhat flexible, as the regulations state that obligation is ‘without undue delay and, where feasible, not later than 72 hours after having become aware of it’.
What can CX teams do going forward?
Litha Ramirez, Director of Experience Strategy at business consultation company SPR
With so much in the news about credit card breaches from retail sites or personal data gleaning for unintended purposes – think Facebook and Cambridge Analytica [5] – now more than ever it is important to think about cybersecurity and user experience. The ramifications of a successful data breach include loss of customers, revenue, market share and reputation. All are hard to regain, especially in a hyper-competitive global market. With so many other companies vying for your customers, the lack of strategy around the user experience of cybersecurity may result in your customers flocking over to your competitors. Getting customers on your site and accomplishing goals requires not just ease-of-use but also trust, especially when it comes to sites where personal and/or financial data is being used and stored.
If the user does not feel secure about providing personal and financial information, yet that data is required, the user will simply do their business somewhere else.
The flip side of this is that making a site and the data secure cannot be so cumbersome that the user abandons the site. There needs to be a balance between the two.
Below are four tips that can help:
• Provide the user transparency about how their data will be stored, shared and used. Include a policy on how breaches will be treated.
• Use encryption cues like HTTPS and third party security verification to signal the site’s security.
• Make sure information is written in an easy to understand language and takes no more than a couple of minutes to read. Do not obscure it in pages of legalese.
• Provide the user with opportunities to opt into the saving and sharing of data.
[5] https://www.reuters.com/article/us-facebook-privacy/facebook-says-data-leak-hits-87-million-users-widening-privacy-scandal-idUSKCN1HB2CM
Conclusion
Throughout this report, the underlying trend has been that CX practitioners are confident in the cyber security capabilities of their organisations, but there are a few significant areas of shortfall:
• CX teams need to take a more prominent role in cyber security decision making
• CX and IT teams need to closely integrate goals
• CX teams need a larger cyber security budget
• Cyber security education needs to improve for both customers and employees
• CX teams need to find new ways of improving frustrating digital security experiences such as authentication
While there is still a long way to go, it is promising that the majority of CX teams are receiving regular cyber security training. The high focus on this may be a direct result of the high quantity of cyber breaches over the last few years, serving as a constant reminder of the dangers posed by weak cyber security procedures.
Additionally, in the next few years we will likely see objectives from CX teams and IT security become increasingly aligned, from CISOs taking on more customer-oriented duties to CX teams exploring innovative alternatives to traditional authentication.
With new data regulations to adhere to and unprecedented cyber threats on the horizon – such as artificial intelligence enabled cyber attacks – confidence can be drawn from the results throughout this survey that point towards a sector that is taking cyber defence very seriously.
The way CX teams think about cyber security has changed substantially over the last few years. Companies would avoid talking about cyber security as they risked portraying online transactions as taking a risk. This is not the case anymore. Nowadays we are starting to see organisations of all sizes – from financial institutions to retailers – taking an active role in teaching users about safe online behaviour.
Today, organisations and digital security teams know how most attacks function and how they are prevented. However, the key similarity between the most common – and successful – forms of attack is the human error element. While the technology is already in place to help prevent and mitigate cyber attacks, the greatest impact to protecting data is the education of employees and customers.
CXNetworkcom 5
Does your CX department have budget allocated for data security
Companies must continue to provide transparent information to data subjects Data breaches and fraud are top concerns amongst business leaders as a threat to customer loyalty and the company brand Forward-thinking organisations will view data security as a means towards improved customer experience
The results from our survey suggest that there is room for improvement in this area As you can see each answer received a similar response rate ldquoYesrdquo came out on top with 39 per cent meanwhile ldquoI donrsquot knowrdquo received a fractionally lower score of 31 per cent
As supply chains become more interconnected and transactions increasingly shift to the online world CX teams will likely spend more on cyber security going into the future Future strategies may involve more Chief Information Security Officers (CISOs) taking up CX oriented
responsibilities or more CX teams will start outsourcing cyber security
Future strategies may involve more Chief Information Security Officers (CISOs) taking up CX oriented responsibilities or more CX teams outsourcing cyber security
Because in a world where cyber security is constantly changing and becoming more complex it may be more resource effective for CX teams to outsource their cyber security functions to organisations that are experienced in threat detection to bridge the ever-widening skill gap
38
75
31
25
31Yes
IT Teams Data Management Teams
No
Donrsquot know
Who takes responsibility for data governance
CXNetworkcom 6
How can robust data security improve customer experience
Robust data security procedures are one of the foremost methods of mitigating cyber risk According to our respondents protecting customer data (62 per cent) and ensuring compliance (54 per cent) were the biggest advantages With the recent introduction of the General Data Protection Regulation (GDPR) ensuring compliance remains a top priority amongst CX teams
Kevin Goldman Chief Design Officer at identity theft protection company Trusona
CX has a long way to go in aligning the goals of CX and digital security teams a goal which is becoming more difficult to achieve as CX teams become more siloed
CX teams lack organisational overlap with the IT department Unless there is a design or CX leader on the executive team this tends to be the norm This makes it hard to track social engineering which is one of the biggest challenges in cyber security Social engineering is the process of manipulating individuals for fraud and in order to maintain a high level of security we must solve social engineering Technology can help solve this problem but the education of employees and consumers is required ndash both of which are notoriously hard to do with siloed teamsThe exception are companies such as Amazon eClinical Works and Slack Many of them are exploring password-less authentication because they know that 30 to 40 per cent of call centre volume is due to password resets And in the case of a stalled login people will abandon a shopping cart or end an engagement ndash leading to increased customer churn
ldquo
ldquoWhat are the most siginificant advantages a robust data security
strategy can have on customer experience (choose up to 3)
5446
31
62
39
Ensure compliance
Gain consumer
trust
Prevent fraud
Protect customer data
Win customer loyalty amp retention
CXNetworkcom 7
Are CX teams cyber awareWhat is the biggest threat a lack of cyber security could present to your organisation (choose up to 3)
Customer loyalty is built on trust The ramifications of losing customer data are immeasurable and CX teams that are lax with data security put their organisationrsquos reputation on the line as well as the trust of their customers
Cyber security is no longer something that just IT teams need to worry about It has broader business ramifications such as widespread customer dissatisfaction which leads to customer churn and ultimately revenue loss
In our survey we asked what the biggest threat is that a successful cyber attack could present to an organisation Some of the biggest concerns among CX professionals are the loss of customer trust (54 per cent) and a diminished brand reputation (46 per cent) The risk of a
data breach is also ranked as a major threat (54 per cent)
These results are unsurprising considering the high profile data breaches that have occurred in the previous years Whether it was the Equifax breach1 or the three billion Yahoo2 user accounts that were compromised the prevailing sense among organisations is that sophisticated cyber attacks are amongst the biggest technology concerns today
Jonathan Gossels CEO at IT security and compliance company SystemExperts Corporation
There are really two questions we have to consider going into the future where customers are increasingly willing to take extra measures to know that their transactions are secure
What are the major brands doing to ensure that they are operationally cyber secure
What level of transparencyimpact are they willing to impose on their customers1 2 ldquoldquo
5431
5446
39
Lack of consumer trustData breach Loss of brand
reputation
FraudRegulatory risk
1In 2017 a data breach in Equifax exposed the sensitive personal information of 145 million American consumers up to 44 million British residents as well as 8000 Canadian residents Information observed by hackers included credit card numbers addresses and drivers licenses Read more here2In 2017 Yahoo announced that a huge data breach in 2013 had affected every user on its service ndash around 3 billion The hack exposed user information such as email addresses phone numbers and passwords Read more here
CXNetworkcom 8
Are CX teams over confident in cyber security
Over half (52 per cent) of respondents are confident in their cyber defence capabilities with 17 per cent stating that they are very confident However is this over confidence Many organisations are still failing at the cyber security basics All it takes is a single negligent employee to open a spear phishing email or click on a malicious link and this can negate expensive cyber security procedures that have been put in place
A 2017 cyber security survey concluded that the biggest cyber security risk is worker complacency3 The weak cyber security culture amongst employees is often overlooked by executive decision makers ndash and this can present blindness in an organisationrsquos ability to protect critical data
18 53 6 12 12Very Confident Confident Very UnconfidentUnconfidentNeither Confident
or Unconfident
How confident are you in your organisationrsquos information security
3httpswwwftcomcontente75d9c96-eec9-11e6-ba01-119a44939bb6
CXNetworkcom 9
Do technical and non-technical employees take part in regular cyber security training?
Cyber security experts often state that employees are both the strongest and weakest link in cyber defence. So it is important that both technical and non-technical employees understand this risk and have the knowledge to mitigate cyber threats.
The results from our survey show that the majority of CX practitioners believe that their organisation takes a responsible approach towards training, ensuring that all employees receive regular information security training. Further confidence can be drawn from the 23 per cent of respondents who state that both teams receive training but it isn’t regular enough, so they’re aware this should be a bigger focus area for the company in the future.
A responsible organisation should be able to ensure that all departments have the foundational knowledge to mitigate common cyber security threats. A high number of organisations adopt a pre-existing risk framework. While useful, this often does not take into account the specific risks faced by an individual organisation.
Chart: Do both technical and non-technical employees take part in routine awareness/training sessions on information security related issues? Response options: Yes, we’re very good at that; Yes, but it’s not routine or regular; Only technical teams; No, but we have a plan to improve efforts; No, very rarely if ever. Values shown: 54, 23, 0, 15, 7.
Max Aulakh, CISO at transformative risk management company Ignyte Assurance Platform:
“Every brand in the world is losing revenue due to the universal pain point. The number one issue has always been the human element of cyber security. Today we have enough knowledge to know what type of attacks are the most common and how they function, but the common threat between common cyber attacks is human error. CX team members should be aware of how common attacks – such as phishing, social engineering tactics, click baits, DDoS and malware – work.
“We are missing the most basic awareness among our user community. Most companies communicate that they would never ask consumers for their passwords and other log-in credentials and offer security guidelines, but is there more that CX teams can do?
“A good CX team will manage brand perception during downtime on social media; a better one would contribute to cyber defence by communicating the benefits of digital security to customers.”
Does your organisation have the ability to mitigate threats in real-time?
The ability to mitigate threats in real-time is one of the core pillars of digital defence. Confidence can be drawn from the 46 per cent of respondents who state their organisation has the ability to mitigate threats in real-time. In addition, 20 per cent of respondents believe that their ability to mitigate threats in real-time is dependent on the threat. While none of our respondents answered that their organisation doesn’t have the ability to respond to threats in real-time, a high proportion said they didn’t know either way (18 per cent). Is this indicative of the siloed nature of CX teams?
New threats are always emerging and keeping track isn’t easy. Organisations need to be able to trust that the individuals using their service are the people they claim to be. The ability to identify a legitimate or illegitimate customer – by assessing user locations, known behaviours and device profiles – while not intruding on the customer experience is key to brand value.
Chart: Does your organisation have the ability to mitigate threats in real-time? Response options: I don’t know; We have a tiered security format and the protocol would involve multiple formats; No; Yes; It depends. Values shown: 18, 6, 30, 47, 0.
Do you have documented IT security procedures in place that are routinely followed and tested?
Over three quarters (76 per cent) of our respondents told us that they do have IT policy procedures that are routine. This figure demonstrates a responsible attitude towards cultivating a strong cyber security culture, given the fact that the overwhelming majority of respondents believe they have routinely tested cyber policies in place.
Ted Bardusch, CISO at customer engagement hub Usermind:
“Given the increasing likeliness of cyber breaches, cyber defence is no longer the sole domain of CISOs, in consideration of the ramifications that a breach can have on customer relationship and corporate reputation. Transparent communication is vital before, during and following a security incident. Businesses process more customer data than ever before, and often this data is siloed in different departments and systems. What does this mean from a security standpoint? Under GDPR, companies must now identify a breach in real-time, discover who has been impacted and notify vulnerable individuals in three short days, according to the 72-hour customer breach notification rule. However, without a unified customer record, this becomes near impossible. CX leads must be involved in security planning and preparedness efforts. According to KPMG [4], one in five customers will sever a relationship with a retailer after a cyber attack, while one in three customers would take a long-term break. To guarantee customer retention, CX teams need to consider a security breach as a likely stop along the customer journey. An incorrect email address or a missing point of contact could be the difference between ruining a customer relationship forever and rebuilding customer trust and driving retention following a breach.”
Chart: When it comes to information security in your organisation, do you have documented security procedures that are routinely followed and tested? Response options: Yes; No; We have policies but they’re not always strictly tested or followed; We have procedures that we follow but they are not always ‘formalised’ documents; Don’t know/can’t answer. Values shown: 77, 8, 8, 0, 8.
[4] https://home.kpmg.com/us/en/home/media/press-releases/2016/08/cyber-attacks-could-cost-retailers-one-fifth-of-their-shoppers-kpmg-study.html
Serguei Beloussov, CEO of global technology company Acronis:
“Products and services need to be digitally secure before organisations can consider offering excellent customer service. This can be difficult with legacy systems. While some customers are aware of security issues and expect multiple authentications and checks, others are unaware of the dangers and may simply want easy access. Innovative CX teams will want to cover both groups and make all users equally secure with different types of authentication, ensuring that all users receive the customer experience they are expecting. Most user authentication processes are robust enough but require users to remember multiple passwords. Single sign-on and facial recognition are a good alternative but require additional infrastructures such as enterprise directories and biometric validation systems. While security controls reduce risks, they sometimes put an additional burden on customers. The key lies in profiling the users and, while setting up the product, incorporating personalisation into the authentication process.”
Chart: What are the main challenges that hinder a bigger focus on data security within your CX strategy? Response options: Regional differences; Dated infrastructure/legacy systems; Lack of skilled staff; Budget; Lack of understanding; C-Level/senior management buy-in; Multiple department input; Complicated regulations/compliance. Values shown: 54, 23, 23, 23, 15, 46, 46, 23.
Our research reveals that there are a few different challenges – of equal size – that CX teams face in trying to incorporate data security within their CX strategy. The three biggest challenges faced by CX leaders today when it comes to their information security strategy are dated infrastructure (53 per cent), budget (45 per cent) and lack of understanding (46 per cent).
It is quite surprising to see lack of understanding make the top three when compared against other results throughout this survey. This may point towards a lack of thoroughness in cyber security training regimes. Conversely, respondents may also feel that upper management is blasé in their attitude towards cyber security and lack clarity on strategy and responsibilities.
As highlighted, dated infrastructure and legacy systems came out on top. Many organisations are bogged down by legacy systems that continue to play a key role in operations across a wide array of industries and sectors. Given the nature of such systems, it can be incredibly difficult to incorporate automatic cyber security protections without damaging the system in some way.
The impact of new data regulations
Chart: Do you feel confident that you understand the changes in data regulations and how they will affect your organisation? Response options: Very Confident; Confident; Very Unconfident; Unconfident; Neither Confident or Unconfident. Values shown: 23, 39, 23, 15, 0.
The idea behind the GDPR is simple: data subjects are protected from companies selling their personal data, and they have to be informed at all times about their rights and how to object to the processing of their personal data.
Having said that, many organisations are still uncertain over the changes in data regulation and how it can affect them day-to-day. We asked how confident our respondents felt about new data regulations. As the results show, respondents are mainly confident, but nearly a quarter (23 per cent) stated that they are neither confident nor unconfident. Meanwhile, 15 per cent replied that they are not confident at all.
When we asked our respondents how it will affect their own CX strategy, the most frequent response was that marketing outreach strategies were redesigned to comply with GDPR. A number of responses also stated that a ‘privacy by design’ philosophy was steadily being implemented, highlighting the customer experience benefit of broadcasting the incorporation of stringent data privacy in all products and services.
New cyber security procedures are constantly being created as a result of increased data regulation and governance. We asked our community members if data regulations will affect their customer experience strategy. A majority of 84 per cent stated that it would.
Organisations across all industries and sectors had to change the way they interact with customers and handled their data when GDPR was introduced in May 2018. Recital 47 of GDPR states that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. Increasing the personalisation of the customer experience can be regarded as a legitimate interest, but CX teams will have to consider if the data is being used as intended.
While some organisations view GDPR as a hindrance to the customer experience, others will realise that it raises marketing standards – ensuring that consumers who share personal information will not be punished by “bad” personalisation such as off-base emails.
Furthermore, customer data has become more difficult to obtain, so brands will have to think of new strategies that convey trust. This can come in the form of more transparent interaction regarding data security and an increasingly holistic approach to cyber security.
100 per cent of respondents state that wider information security practices will improve as a result of new regulation. This is indicative of the positive approach the CX teams are taking towards increased data regulation.
Chart: Do you believe incoming data governance regulations (like GDPR) will affect your customer experience strategy? Yes: 85; Don’t know: 15; No: 0.
5 GDPR myths busted
With GDPR in place, there is a lot of chatter in the industry about what the new rules actually mean for marketers and customer experience practitioners handling personal customer data.
But what is true and what is sensationalist fiction?
At GDPR Forum, Dan Hedley, Partner, IT & Commercial at Irwin Mitchell, dived into some of the biggest myths surrounding the new regulations and, in clear terms, outlined what the changes mean for organisations having to adapt now.
1. Massive fines will bankrupt SMEs
Sensationalist headlines claim that there will be fines for small and medium-sized enterprises (SMEs) that could bankrupt their company. In reality, the huge £20m fine mentioned in the news does not affect SMEs. This is purely to warn ‘the very big corporations that are doing very bad things’.
2. You need consent for everything
Consent is one of the buzzwords thrown around alongside GDPR, and while you need consent from customers for some elements under the new law, there are a lot of ‘common sense’ things where explicit consent isn’t needed. These cover contractual necessity, legal obligation, protection of vital interests, public interest necessity and legitimate interests.
For example, if you swap business cards at a conference, it’s assumed you will contact each other, and likewise, if you’re fulfilling a contract for a client and you need to send them additional information, it’s only logical you’re allowed to do so without having explicit consent. Consent is only needed when you cannot rely on any of the above exceptions and is mostly related to direct marketing.
3. Data protection is an IT issue
There is no technology available that will make you GDPR compliant. Data protection is a boardroom issue, and while IT is involved, so are operations, HR, sales and marketing. It’s about the people and processes first. Though tech can, of course, help with particular issues such as data discovery, record keeping and security.
4. You need a Data Protection Officer
This was mentioned in an early draft of the GDPR and no longer applies to the majority of businesses. You must appoint a Data Protection Officer (DPO) only if you’re a public authority, your core activities require regular and systematic monitoring of data subjects, and your core activities consist of large scale processing of special categories of data.
Furthermore, a DPO does not have to be an employee; it can be an external consultant too. Though a lot of people are currently jumping on this bandwagon, so if you go down this route you have to make sure your future DPO has been doing this for years and not just the last few months.
5. All data breaches have to be reported within 72 hours
While this is not a straight-up myth, this is only partly true. Data breaches must indeed be reported to the Information Commissioner’s Office (ICO) by the controller, unless ‘unlikely to result in a risk to the rights and freedoms of natural persons’. So if it’s encrypted, retrieved unopened (in the case of snail mail) or it involves a bunch of corporate email addresses, then you’re likely going to be okay.
The 72 hour time frame is also somewhat flexible, as the regulations state that obligation is ‘without undue delay and, where feasible, not later than 72 hours after having become aware of it’.
What can CX teams do going forward?
Litha Ramirez, Director of Experience Strategy at business consultation company SPR:
“With so much in the news about credit card breaches from retail sites or personal data gleaning for unintended purposes – think Facebook and Cambridge Analytica [5] – now more than ever it is important to think about cybersecurity and user experience. The ramifications of a successful data breach include loss of customers, revenue, market share and reputation. All are hard to regain, especially in a hyper-competitive global market. With so many other companies vying for your customers, the lack of strategy around the user experience of cybersecurity may result in your customers flocking over to your competitors. Getting customers on your site and accomplishing goals requires not just ease-of-use but also trust, especially when it comes to sites where personal and/or financial data is being used and stored.
“If the user does not feel secure about providing personal and financial information, yet that data is required, the user will simply do their business somewhere else.
“The flip side of this is that making a site and the data secure cannot be so cumbersome that the user abandons the site. There needs to be a balance between the two.
“Below are four tips that can help:
• Provide the user transparency about how their data will be stored, shared and used. Include a policy on how breaches will be treated.
• Use encryption cues like HTTPS and third party security verification to signal the site’s security.
• Make sure information is written in an easy to understand language and takes no more than a couple of minutes to read. Do not obscure it in pages of legalese.
• Provide the user with opportunities to opt into the saving and sharing of data.”
[5] https://www.reuters.com/article/us-facebook-privacy/facebook-says-data-leak-hits-87-million-users-widening-privacy-scandal-idUSKCN1HB2CM
Conclusion
Throughout this report, the underlying trend has been that CX practitioners are confident in the cyber security capabilities of their organisations, but there are a few significant areas of shortfall:
• CX teams need to take a more prominent role in cyber security decision making
• CX and IT teams need to closely integrate goals
• CX teams need a larger cyber security budget
• Cyber security education needs to improve for both customers and employees
• CX teams need to find new ways of improving frustrating digital security experiences such as authentication
While there is still a long way to go, it is promising that the majority of CX teams are receiving regular cyber security training. The high focus on this may be a direct result of the high quantity of cyber breaches over the last few years, serving as a constant reminder of the dangers posed by weak cyber security procedures.
Additionally, in the next few years we will likely see objectives from CX teams and IT security become increasingly aligned, from CISOs taking on more customer-oriented duties to CX teams exploring innovative alternatives to traditional authentication.
With new data regulations to adhere to and unprecedented cyber threats on the horizon – such as artificial intelligence enabled cyber attacks – confidence can be drawn from the results throughout this survey that point towards a sector that is taking cyber defence very seriously.
The way CX teams think about cyber security has changed substantially over the last few years. Companies would avoid talking about cyber security as they risked portraying online transactions as taking a risk. This is not the case anymore. Nowadays, we are starting to see organisations of all sizes – from financial institutions to retailers – taking an active role in teaching users about safe online behaviour.
Today, organisations and digital security teams know how most attacks function and how they are prevented. However, the key similarity between the most common – and successful – forms of attack is the human error element. While the technology is already in place to help prevent and mitigate cyber attacks, the greatest impact to protecting data is the education of employees and customers.
How can robust data security improve customer experience?
Robust data security procedures are one of the foremost methods of mitigating cyber risk. According to our respondents, protecting customer data (62 per cent) and ensuring compliance (54 per cent) were the biggest advantages. With the recent introduction of the General Data Protection Regulation (GDPR), ensuring compliance remains a top priority amongst CX teams.
Kevin Goldman, Chief Design Officer at identity theft protection company Trusona:
“CX has a long way to go in aligning the goals of CX and digital security teams, a goal which is becoming more difficult to achieve as CX teams become more siloed.
“CX teams lack organisational overlap with the IT department. Unless there is a design or CX leader on the executive team, this tends to be the norm. This makes it hard to track social engineering, which is one of the biggest challenges in cyber security. Social engineering is the process of manipulating individuals for fraud, and in order to maintain a high level of security we must solve social engineering. Technology can help solve this problem, but the education of employees and consumers is required – both of which are notoriously hard to do with siloed teams. The exceptions are companies such as Amazon, eClinical Works and Slack. Many of them are exploring password-less authentication because they know that 30 to 40 per cent of call centre volume is due to password resets. And in the case of a stalled login, people will abandon a shopping cart or end an engagement – leading to increased customer churn.”
Chart: What are the most significant advantages a robust data security strategy can have on customer experience? (choose up to 3) Response options: Ensure compliance; Gain consumer trust; Prevent fraud; Protect customer data; Win customer loyalty & retention. Values shown: 54, 46, 31, 62, 39.
Are CX teams cyber aware?
Chart: What is the biggest threat a lack of cyber security could present to your organisation? (choose up to 3) Response options: Lack of consumer trust; Data breach; Loss of brand reputation; Fraud; Regulatory risk. Values shown: 54, 31, 54, 46, 39.
Customer loyalty is built on trust. The ramifications of losing customer data are immeasurable, and CX teams that are lax with data security put their organisation’s reputation on the line, as well as the trust of their customers.
Cyber security is no longer something that just IT teams need to worry about. It has broader business ramifications such as widespread customer dissatisfaction, which leads to customer churn and ultimately revenue loss.
In our survey, we asked what the biggest threat is that a successful cyber attack could present to an organisation. Some of the biggest concerns among CX professionals are the loss of customer trust (54 per cent) and a diminished brand reputation (46 per cent). The risk of a data breach is also ranked as a major threat (54 per cent).
These results are unsurprising considering the high profile data breaches that have occurred in the previous years. Whether it was the Equifax breach [1] or the three billion Yahoo [2] user accounts that were compromised, the prevailing sense among organisations is that sophisticated cyber attacks are amongst the biggest technology concerns today.
Jonathan Gossels, CEO at IT security and compliance company SystemExperts Corporation:
“There are really two questions we have to consider going into the future, where customers are increasingly willing to take extra measures to know that their transactions are secure:
1. What are the major brands doing to ensure that they are operationally cyber secure?
2. What level of transparency/impact are they willing to impose on their customers?”
[1] In 2017, a data breach in Equifax exposed the sensitive personal information of 145 million American consumers, up to 44 million British residents, as well as 8000 Canadian residents. Information observed by hackers included credit card numbers, addresses and driver’s licenses.
[2] In 2017, Yahoo announced that a huge data breach in 2013 had affected every user on its service – around 3 billion. The hack exposed user information such as email addresses, phone numbers and passwords.
CXNetworkcom 8
Are CX teams over confident in cyber security
Over half (52 per cent) of respondents are confident in their cyber defence capabilities with 17 per cent stating that they are very confident However is this over confidence Many organisations are still failing at the cyber security basics All it takes is a single negligent employee to open a spear phishing email or click on a malicious link and this can negate expensive cyber security procedures that have been put in place
A 2017 cyber security survey concluded that the biggest cyber security risk is worker complacency3 The weak cyber security culture amongst employees is often overlooked by executive decision makers ndash and this can present blindness in an organisationrsquos ability to protect critical data
18 53 6 12 12Very Confident Confident Very UnconfidentUnconfidentNeither Confident
or Unconfident
How confident are you in your organisationrsquos information security
3httpswwwftcomcontente75d9c96-eec9-11e6-ba01-119a44939bb6
CXNetworkcom 9
Do technical and non-technical employees take part in regular cyber security training
Cyber security experts often state that employees are both the strongest and weakest link in cyber defence So it is important that both technical and non-technical employees understand this risk and have the knowledge to mitigate cyber threats
The results from our survey show that the majority of CX practitioners believe that their organisation takes a responsible approach towards training ensuring that all employees receive regular information security training Further confidence can be drawn from the 23 per cent of respondents who state that both teams receive training but it isnrsquot regular enough so theyrsquore aware this should be a bigger focus area for the company in the future
A responsible organisation should be able to ensure that all departments have the foundational knowledge to mitigate common cyber security threats A high number of organisations adopt a pre-existing risk framework While useful this often does not take into account the specific risks faced by an individual organisation
Do both technical and non-technical employees take part in routine awarenesstraining sessions on information security related issues
Max Aulakh CISO at transformative risk management company Ignyte Assurance Platform
Every brand in the world is losing revenue due to the universal pain point The number one issue has always been the human element of cyber security Today we have enough knowledge to know what type of attacks are the most common and how they function but the common threat between common cyber attacks is human error CX team members should be aware of how common attacks ndash such as phishing social engineering tactics click baits DDoS and malware ndash work
We are missing the most basic awareness among our user community Most companies communicate that they would never ask consumers for their passwords and other log-in credentials and offer security guidelines but is there more that CX teams can do
A good CX team will manage brand perception during downtime on social media a better one would contribute to cyber defence by communicating the benefits of digital security to customers
ldquo
ldquo54
230 15 7
Yes wersquore very good at
that
Yes but itrsquos not routine or
regular
Only technical teams
No but we have a plan to improve
efforts
No very rarely if ever
CXNetworkcom 10
Does your organisation have the ability to mitigate threats in real-time
The ability to mitigate threats in real-time is one of the core pillars of digital defence Confidence can be drawn from the 46 per cent of respondents who state their organisation has the ability to mitigate threats in real-time In addition 20 per cent of respondents believe that their ability to mitigate threats in real-time is dependent on the threat While none of our respondents answered that their organisation doesnrsquot have the ability to respond to threats in real-time a high proportion said they didnrsquot know either way (18 per cent) Is this indicative of the siloed nature of CX teams
New threats are always emerging and keeping track isnrsquot easy Organisations need to be able to trust that the individuals using their service are the people they claim to be The ability to identify a legitimate or illegitimate customer ndash by assessing user locations known behaviours and device profiles ndash while not intruding on the customer experience is key to brand value
18
6
30
47
0
I donrsquot know
We have a tiered security format and the protocol would involve
multiple formats
No
YesIt depends
CXNetworkcom 11
Do you have documented IT security procedures in place that are routinely followed and tested
Over three quarters (76 per cent) of our respondents told us that they do have IT policy procedures that are routine This figure demonstrates a responsible attitude towards cultivating a strong cyber security culture given the fact that the overwhelming majority of respondents believe they have routinely tested cyber policies in place
Ted Bardusch CISO at customer engagement hub Usermind
Given the increasing likeliness of cyber breaches cyber defence is no longer the sole domain of CISOs in consideration of the ramifications that a breach can have on customer relationship and corporate reputation Transparent communication is vital before during and following a security incident Businesses process more customer data than ever before and often this data is siloed in different departments and systems What does this mean from a security standpoint Under GDPR companies must now identify a breach in real-time discover who has been impacted and notify vulnerable individuals in three short days according to the 72-hour customer breach notification rule However without a unified customer record this becomes near impossible CX leads must be involved in security planning and preparedness efforts According to KPMG4 one in five customers will sever a relationship with a retailer after a cyber attack while one in three customers would take a long-term break To guarantee customer retention CX teams need to consider a security breach as a likely stop along the customer journey An incorrect email address or a missing point of contact could be the difference between ruining a customer relationship forever and rebuilding customer trust and driving retention following a breach
ldquo
ldquoWhen it comes to information security in your organisation do you have documented security procedures that are routinely followed and tested
77
8 8 0 8
Yes
No We have policies but theyrsquore not always
strictly tested or followed
We have procedures that we follow
but they are not always lsquoformalisedrsquo
documents
Donrsquot knowcanrsquot answer
4httpshomekpmgcomusenhomemediapress-releases201608cyber-attacks-could-cost-retailers-one-fifth-of-their-shoppers-kpmg-studyhtml
CXNetworkcom 12
Serguei Beloussov CEO of global technology company Acronis
Products and services need to be digitally secure before organisations can consider offering excellent customer service This can be difficult with legacy systems While some customers are aware of security issues and expect multiple authentications and checks others are unaware of the dangers and may simply want easy access Innovative CX teams will want to cover both groups and make all users equally secure with different types of authentication ensuring that all users receive the customer experience they are expectingMost user authentication processes are robust enough but require users to remember multiple passwords Single sign-on and facial recognition are a good alternative but require additional infrastructures such as enterprise directories and biometric validation systems While security controls reduce risks they sometimes put an additional burden on customersThe key lies in profiling the users and while setting up the product incorporating personalisation into the authentication process
ldquo
ldquoWhat are the main challenges that hinder a bigger
focus on data security within your CX strategy
54 2323 23 15
46 4623
Regional differences
Dated infrastructurelegacy systems Lack of
skilled staffBudget
Lack of understanding
C-Levelsenior management buy-in
Multiple department
input
Complicated regulationscompliance
Our research reveals that there are a few different challenges ndash of equal size ndash that CX teams face in trying to incorporate data security within their CX strategy The three biggest challenges faced by CX leaders today when it comes to their information security strategy are dated infrastructure (53 per cent) budget (45 per cent) and lack of understanding (46 per cent)
It is quite surprising to see lack of understanding make the top three when compared against other results throughout this survey This may point towards a lack of thoroughness in cyber security training regimes Conversely respondents may also feel that upper management is blaseacute in their attitude towards cyber security and lack clarity on strategy and responsibilities
As highlighted dated infrastructure and legacy systems came out on top Many organisations are bogged down by legacy systems that continue to play a key role in operations across a wide array of industries and sectors Given the nature of such systems it can be incredibly difficult to incorporate automatic cyber security protections without damaging the system in some way
CXNetworkcom 13
The impact of new data regulations Do you feel confident that you understand the changes in
data regulations and how they will affect your organisation
23 39 23 15 0Very Confident Confident Very UnconfidentUnconfidentNeither Confident
or Unconfident
The idea behind the GDPR is simple: data subjects are protected from companies selling their personal data; they have to be informed at all times about their rights and how to object to the processing of their personal data.
Having said that, many organisations are still uncertain over the changes in data regulation and how it can affect them day-to-day. We asked how confident our respondents felt about new data regulations. As the results show, respondents are mainly confident, but nearly a quarter (23 per cent) stated that they are neither confident nor unconfident. Meanwhile, 15 per cent replied that they are not confident at all.
When we asked our respondents how it will affect their own CX strategy, the most frequent response was that marketing outreach strategies were redesigned to comply with GDPR. A number of responses also stated that a ‘privacy by design’ philosophy was steadily being implemented, highlighting the customer experience benefit of broadcasting the incorporation of stringent data privacy in all products and services.
New cyber security procedures are constantly being created as a result of increased data regulation and governance. We asked our community members if data regulations will affect their customer experience strategy. A majority of 84 per cent stated that it would.
Organisations across all industries and sectors had to change the way they interacted with customers and handled their data when GDPR was introduced in May 2018. Recital 47 of GDPR states that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. Increasing the personalisation of the customer experience can be regarded as a legitimate interest, but CX teams will have to consider if the data is being used as intended.
While some organisations view GDPR as a hindrance to the customer experience, others will realise that it raises marketing standards – ensuring that consumers who share personal information will not be punished by “bad” personalisation such as off-base emails.
Furthermore, customer data has become more difficult to obtain, so brands will have to think of new strategies that convey trust. This can come in the form of more transparent interaction regarding data security and an increasingly holistic approach to cyber security.
100 per cent of respondents state that wider information security practices will improve as a result of new regulation. This is indicative of the positive approach the CX teams are taking towards increased data regulation.
[Chart: Do you believe incoming data governance regulations (like GDPR) will affect your customer experience strategy? Yes: 85; Don’t know: 15; No: 0.]
5 GDPR myths busted
With GDPR in place, there is a lot of chatter in the industry about what the new rules actually mean for marketers and customer experience practitioners handling personal customer data.
But what is true and what is sensationalist fiction?
At GDPR Forum, Dan Hedley, Partner, IT & Commercial at Irwin Mitchell, dived into some of the biggest myths surrounding the new regulations and, in clear terms, outlined what the changes mean for organisations having to adapt now.
1. Massive fines will bankrupt SMEs
Sensationalist headlines claim that there will be fines for small and medium-sized enterprises (SMEs) that could bankrupt their company. In reality, the huge £20m fine mentioned in the news does not affect SMEs. This is purely to warn ‘the very big corporations that are doing very bad things’.
2. You need consent for everything
Consent is one of the buzzwords thrown around alongside GDPR, and while you need consent from customers for some elements under the new law, there are a lot of ‘common sense’ things where explicit consent isn’t needed. These cover contractual necessity, legal obligation, protection of vital interests, public interest necessity and legitimate interests.
For example, if you swap business cards at a conference, it’s assumed you will contact each other, and likewise, if you’re fulfilling a contract for a client and you need to send them additional information, it’s only logical you’re allowed to do so without having explicit consent. Consent is only needed when you cannot rely on any of the above exceptions and is mostly related to direct marketing.
3. Data protection is an IT issue
There is no technology available that will make you GDPR compliant. Data protection is a boardroom issue, and while IT is involved, so are operations, HR, sales and marketing. It’s about the people and processes first. Though tech can, of course, help with particular issues such as data discovery, record keeping and security.
4. You need a Data Protection Officer
This was mentioned in an early draft of the GDPR and no longer applies to the majority of businesses. You must appoint a Data Protection Officer (DPO) only if you’re a public authority, your core activities require regular and systematic monitoring of data subjects and your core activities consist of large scale processing of special categories of data.
Furthermore, a DPO does not have to be an employee; it can be an external consultant too. Though a lot of people are currently jumping on this bandwagon, so if you go down this route you have to make sure your future DPO has been doing this for years and not just the last few months.
5. All data breaches have to be reported within 72 hours
While this is not a straight-up myth, this is only partly true. Data breaches must indeed be reported to the Information Commissioner’s Office (ICO) by the controller, unless ‘unlikely to result in a risk to the rights and freedoms of natural persons’. So if it’s encrypted, retrieved unopened (in the case of snail mail) or it involves a bunch of corporate email addresses, then you’re likely going to be okay.
The 72 hour time frame is also somewhat flexible, as the regulations state that obligation is ‘without undue delay and, where feasible, not later than 72 hours after having become aware of it’.
What can CX teams do going forward?
Litha Ramirez, Director of Experience Strategy at business consultation company SPR
With so much in the news about credit card breaches from retail sites or personal data gleaning for unintended purposes – think Facebook and Cambridge Analytica [5] – now more than ever it is important to think about cybersecurity and user experience. The ramifications of a successful data breach include loss of customers, revenue, market share and reputation. All are hard to regain, especially in a hyper-competitive global market. With so many other companies vying for your customers, the lack of strategy around the user experience of cybersecurity may result in your customers flocking over to your competitors. Getting customers on your site and accomplishing goals requires not just ease-of-use but also trust, especially when it comes to sites where personal and/or financial data is being used and stored.
If the user does not feel secure about providing personal and financial information, yet that data is required, the user will simply do their business somewhere else.
The flip side of this is that making a site and the data secure cannot be so cumbersome that the user abandons the site. There needs to be a balance between the two.
Below are four tips that can help:
• Provide the user transparency about how their data will be stored, shared and used. Include a policy on how breaches will be treated.
• Use encryption cues like HTTPS and third party security verification to signal the site’s security.
• Make sure information is written in an easy to understand language and takes no more than a couple of minutes to read. Do not obscure it in pages of legalese.
• Provide the user with opportunities to opt into the saving and sharing of data.
[5] https://www.reuters.com/article/us-facebook-privacy/facebook-says-data-leak-hits-87-million-users-widening-privacy-scandal-idUSKCN1HB2CM
Conclusion
Throughout this report, the underlying trend has been that CX practitioners are confident in the cyber security capabilities of their organisations, but there are a few significant areas of shortfall:
• CX teams need to take a more prominent role in cyber security decision making
• CX and IT teams need to closely integrate goals
• CX teams need a larger cyber security budget
• Cyber security education needs to improve for both customers and employees
• CX teams need to find new ways of improving frustrating digital security experiences such as authentication
While there is still a long way to go, it is promising that the majority of CX teams are receiving regular cyber security training. The high focus on this may be a direct result of the high quantity of cyber breaches over the last few years serving as a constant reminder of the dangers posed by weak cyber security procedures.
Additionally, in the next few years we will likely see objectives from CX teams and IT security become increasingly aligned, from CISOs taking on more customer-oriented duties to CX teams exploring innovative alternatives to traditional authentication.
With new data regulations to adhere to and unprecedented cyber threats on the horizon – such as artificial intelligence enabled cyber attacks – confidence can be drawn from the results throughout this survey that point towards a sector that is taking cyber defence very seriously.
The way CX teams think about cyber security has changed substantially over the last few years. Companies would avoid talking about cyber security as they risked portraying online transactions as taking a risk. This is not the case anymore. Nowadays, we are starting to see organisations of all sizes – from financial institutions to retailers – taking an active role in teaching users about safe online behaviour.
Today, organisations and digital security teams know how most attacks function and how they are prevented. However, the key similarity between the most common – and successful – forms of attack is the human error element. While the technology is already in place to help prevent and mitigate cyber attacks, the greatest impact on protecting data is the education of employees and customers.
Are CX teams cyber aware?
[Chart: What is the biggest threat a lack of cyber security could present to your organisation? (choose up to 3) Categories: Lack of consumer trust; Data breach; Loss of brand reputation; Fraud; Regulatory risk.]
Customer loyalty is built on trust. The ramifications of losing customer data are immeasurable, and CX teams that are lax with data security put their organisation’s reputation on the line, as well as the trust of their customers.
Cyber security is no longer something that just IT teams need to worry about. It has broader business ramifications, such as widespread customer dissatisfaction, which leads to customer churn and ultimately revenue loss.
In our survey, we asked what the biggest threat is that a successful cyber attack could present to an organisation. Some of the biggest concerns among CX professionals are the loss of customer trust (54 per cent) and a diminished brand reputation (46 per cent). The risk of a data breach is also ranked as a major threat (54 per cent).
These results are unsurprising considering the high profile data breaches that have occurred in the previous years. Whether it was the Equifax breach [1] or the three billion Yahoo [2] user accounts that were compromised, the prevailing sense among organisations is that sophisticated cyber attacks are amongst the biggest technology concerns today.
Jonathan Gossels, CEO at IT security and compliance company SystemExperts Corporation
“There are really two questions we have to consider going into the future, where customers are increasingly willing to take extra measures to know that their transactions are secure:
1. What are the major brands doing to ensure that they are operationally cyber secure?
2. What level of transparency/impact are they willing to impose on their customers?”
[1] In 2017, a data breach in Equifax exposed the sensitive personal information of 145 million American consumers, up to 44 million British residents, as well as 8,000 Canadian residents. Information observed by hackers included credit card numbers, addresses and driver’s licenses.
[2] In 2017, Yahoo announced that a huge data breach in 2013 had affected every user on its service – around 3 billion. The hack exposed user information such as email addresses, phone numbers and passwords.
Are CX teams over confident in cyber security?
Over half (52 per cent) of respondents are confident in their cyber defence capabilities, with 17 per cent stating that they are very confident. However, is this over confidence? Many organisations are still failing at the cyber security basics. All it takes is a single negligent employee to open a spear phishing email or click on a malicious link, and this can negate expensive cyber security procedures that have been put in place.
A 2017 cyber security survey concluded that the biggest cyber security risk is worker complacency [3]. The weak cyber security culture amongst employees is often overlooked by executive decision makers – and this can present blindness in an organisation’s ability to protect critical data.
[Chart: How confident are you in your organisation’s information security? Response options: Very confident; Confident; Neither confident nor unconfident; Unconfident; Very unconfident.]
[3] https://www.ft.com/content/e75d9c96-eec9-11e6-ba01-119a44939bb6
Do technical and non-technical employees take part in regular cyber security training?
Cyber security experts often state that employees are both the strongest and weakest link in cyber defence. So it is important that both technical and non-technical employees understand this risk and have the knowledge to mitigate cyber threats.
The results from our survey show that the majority of CX practitioners believe that their organisation takes a responsible approach towards training, ensuring that all employees receive regular information security training. Further confidence can be drawn from the 23 per cent of respondents who state that both teams receive training but it isn’t regular enough, so they’re aware this should be a bigger focus area for the company in the future.
A responsible organisation should be able to ensure that all departments have the foundational knowledge to mitigate common cyber security threats. A high number of organisations adopt a pre-existing risk framework. While useful, this often does not take into account the specific risks faced by an individual organisation.
[Chart: Do both technical and non-technical employees take part in routine awareness/training sessions on information security related issues? Response options: Yes, we’re very good at that; Yes, but it’s not routine or regular; Only technical teams; No, but we have a plan to improve efforts; No, very rarely if ever.]
Max Aulakh, CISO at transformative risk management company Ignyte Assurance Platform
“Every brand in the world is losing revenue due to the universal pain point. The number one issue has always been the human element of cyber security. Today we have enough knowledge to know what type of attacks are the most common and how they function, but the common threat between common cyber attacks is human error. CX team members should be aware of how common attacks – such as phishing, social engineering tactics, click baits, DDoS and malware – work.
We are missing the most basic awareness among our user community. Most companies communicate that they would never ask consumers for their passwords and other log-in credentials and offer security guidelines, but is there more that CX teams can do?
A good CX team will manage brand perception during downtime on social media; a better one would contribute to cyber defence by communicating the benefits of digital security to customers.”
Does your organisation have the ability to mitigate threats in real-time?
The ability to mitigate threats in real-time is one of the core pillars of digital defence. Confidence can be drawn from the 46 per cent of respondents who state their organisation has the ability to mitigate threats in real-time. In addition, 20 per cent of respondents believe that their ability to mitigate threats in real-time is dependent on the threat. While none of our respondents answered that their organisation doesn’t have the ability to respond to threats in real-time, a high proportion said they didn’t know either way (18 per cent). Is this indicative of the siloed nature of CX teams?
New threats are always emerging and keeping track isn’t easy. Organisations need to be able to trust that the individuals using their service are the people they claim to be. The ability to identify a legitimate or illegitimate customer – by assessing user locations, known behaviours and device profiles – while not intruding on the customer experience is key to brand value.
[Chart: responses to the question above. Response options: Yes; No; It depends; I don’t know; We have a tiered security format and the protocol would involve multiple formats.]
Do you have documented IT security procedures in place that are routinely followed and tested?
Over three quarters (76 per cent) of our respondents told us that they do have IT policy procedures that are routine. This figure demonstrates a responsible attitude towards cultivating a strong cyber security culture, given the fact that the overwhelming majority of respondents believe they have routinely tested cyber policies in place.
Ted Bardusch, CISO at customer engagement hub Usermind
“Given the increasing likeliness of cyber breaches, cyber defence is no longer the sole domain of CISOs, in consideration of the ramifications that a breach can have on customer relationship and corporate reputation. Transparent communication is vital before, during and following a security incident. Businesses process more customer data than ever before, and often this data is siloed in different departments and systems. What does this mean from a security standpoint? Under GDPR, companies must now identify a breach in real-time, discover who has been impacted and notify vulnerable individuals in three short days, according to the 72-hour customer breach notification rule. However, without a unified customer record, this becomes near impossible. CX leads must be involved in security planning and preparedness efforts. According to KPMG [4], one in five customers will sever a relationship with a retailer after a cyber attack, while one in three customers would take a long-term break. To guarantee customer retention, CX teams need to consider a security breach as a likely stop along the customer journey. An incorrect email address or a missing point of contact could be the difference between ruining a customer relationship forever and rebuilding customer trust and driving retention following a breach.”
[Chart: When it comes to information security in your organisation, do you have documented security procedures that are routinely followed and tested? Response options: Yes; No; We have policies but they’re not always strictly tested or followed; We have procedures that we follow but they are not always ‘formalised’ documents; Don’t know/can’t answer.]
[4] https://home.kpmg.com/us/en/home/media/press-releases/2016/08/cyber-attacks-could-cost-retailers-one-fifth-of-their-shoppers-kpmg-study.html
Serguei Beloussov CEO of global technology company Acronis
Products and services need to be digitally secure before organisations can consider offering excellent customer service This can be difficult with legacy systems While some customers are aware of security issues and expect multiple authentications and checks others are unaware of the dangers and may simply want easy access Innovative CX teams will want to cover both groups and make all users equally secure with different types of authentication ensuring that all users receive the customer experience they are expectingMost user authentication processes are robust enough but require users to remember multiple passwords Single sign-on and facial recognition are a good alternative but require additional infrastructures such as enterprise directories and biometric validation systems While security controls reduce risks they sometimes put an additional burden on customersThe key lies in profiling the users and while setting up the product incorporating personalisation into the authentication process
ldquo
ldquoWhat are the main challenges that hinder a bigger
focus on data security within your CX strategy
54 2323 23 15
46 4623
Regional differences
Dated infrastructurelegacy systems Lack of
skilled staffBudget
Lack of understanding
C-Levelsenior management buy-in
Multiple department
input
Complicated regulationscompliance
Our research reveals that there are a few different challenges ndash of equal size ndash that CX teams face in trying to incorporate data security within their CX strategy The three biggest challenges faced by CX leaders today when it comes to their information security strategy are dated infrastructure (53 per cent) budget (45 per cent) and lack of understanding (46 per cent)
It is quite surprising to see lack of understanding make the top three when compared against other results throughout this survey This may point towards a lack of thoroughness in cyber security training regimes Conversely respondents may also feel that upper management is blaseacute in their attitude towards cyber security and lack clarity on strategy and responsibilities
As highlighted dated infrastructure and legacy systems came out on top Many organisations are bogged down by legacy systems that continue to play a key role in operations across a wide array of industries and sectors Given the nature of such systems it can be incredibly difficult to incorporate automatic cyber security protections without damaging the system in some way
CXNetworkcom 13
The impact of new data regulations Do you feel confident that you understand the changes in
data regulations and how they will affect your organisation
23 39 23 15 0Very Confident Confident Very UnconfidentUnconfidentNeither Confident
or Unconfident
The idea behind the GDPR is simple data subjects are protected from companies selling their personal data they have to be informed at all times about their rights and how to object to the processing of their personal data
Having said that many organisations are still uncertain over the changes in data regulation and how it can affect them day-to-day We asked how confident our respondents felt about new data regulations As the results show respondents are mainly confident but nearly a quarter (23 per cent) stated that they are neither confident nor confident Meanwhile 15 per cent replied that they are not confident at all
CXNetworkcom 14
When we asked our respondents how it will affect their own CX strategy the most frequent response was that marketing outreach strategies were redesigned to comply with GDPR A number of responses also stated that a rsquoprivacy by designlsquo philosophy was steadily being implemented highlighting the customer experience benefit of broadcasting the incorporation of stringent data privacy in all products and services
New cyber security procedures are constantly being created as a result of increased data regulation and governance We asked our community members if data regulations will affect their customer experience strategy A majority of 84 per cent stated that it would
Organisations across all industries and sectors had to change the way they interact with customers and handled their data when GDPR was introduced in May 2018 Recital 47 of GDPR states that ldquothe processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interestrdquo Increasing the personalisation of the customer experience can be regarded as a legitimate interest but CX teams will have to consider if the data is being used as intended
While some organisations view GDPR as a hindrance to the customer experience others will realise that it raises marketing standards ndash ensuring that consumers who share personal information will not be punished by ldquobadrdquo personalisation such as off base emails
100 per cent of respondents state that wider information security practices will improve as a result of new regulation
Furthermore customer data has become more difficult to obtain so brands will have to think of new strategies that convey trust This can come in the form of more transparent interaction regarding data security and an increasingly holistic approach to cyber security
100 per cent of respondents state that wider information security practices will improve as a result of new regulation This is indicative of the positive approach the CX teams are taking towards increased data regulation
Do you believe incoming data governance regulations (like GDPR) will affect your
customer experience strategy
85Yes
15Donrsquot know
0No
CXNetworkcom 15
5 GDPR myths busted
With GDPR in place there is a lot of chatter in the industry about what the new rules actually mean for marketers and customer experience practitioners handling personal customer data
But what is true and what is sensationalist fiction
At GDPR Forum Dan Hedley Partner IT amp Commercial at Irwin Mitchell dived into some of the biggest myths surrounding the new regulations and in clear terms outlined what the changes mean for organisations having to adapt now
Sensationalist headlines claim that there will be fines for small and medium-sized enterprises (SMEs) that could bankrupt their company In reality the huge pound20m fine mentioned in the news does not affect SMEs This is purely to warn lsquothe very big corporations that are doing very bad thingsrsquo
Consent is mostly related to direct marketing
Consent is one of the buzzwords thrown around alongside GDPR and while you need consent from customers for some elements under the new law there are a lot of lsquocommon sensersquo things where explicit consent isnrsquot needed These cover contractual necessity legal obligation protection of vital interests public interest necessity and legitimate interests
For example if you swap business cards at a conference itrsquos assumed you will contact each other and likewise if yoursquore fulfilling a contract for a client and you need to send them additional information itrsquos only logical yoursquore allowed to do so without having explicit consent Consent is only needed when you cannot rely on any of the above exceptions and is mostly related to direct marketing
1
2
Massive fines will bankrupt SMEs
You need consent for everything
CXNetworkcom 16
There is no technology available that will make you GDPR compliant Data protection is a boardroom issue and while IT is involved so are operations HR sales and marketing Itrsquos about the people and processes first Though tech can of course help with particular issues such as data discovery record keeping and security
A DPO does not have to be an employee it can be an external consultant
This was mentioned in an early draft of the GDPR and no longer applies to the majority of businesses You must appoint a Data Protection Officer (DPO) only if yoursquore a public authority your core activities require regular and systematic monitoring of data subjects and your core activities consist of large scale processing of special categories of data
Furthermore a DPO does not have to be an employee it can be an external consultant too Though a lot of people are currently jumping on this bandwagon so if you go down this route you have to make sure your future DPO has been doing this for years and not just the last few months
While this is not a straight-up myth this is only partly true Data breaches must indeed be reported to the Information Commissionerrsquos Office (ICO) by the controller unless lsquounlikely to result in a risk to the rights and freedoms of natural personsrsquo So if itrsquos encrypted retrieved unopened (in the case of snail mail) or it involves a bunch of corporate email addresses then yoursquore likely going to be okay
The 72 hour time frame is also somewhat flexible as the regulations state that obligation is lsquowithout undue delay and where feasible not later than 72 hours after having become aware of itrsquo
3
4
5
Data protection is an IT issue
You need a Data Protection Officer
All data breaches have to be reported within 72 hours
CXNetworkcom 17
What can CX teams do going forward
Litha Ramirez Director of Experience Strategy at business consolation company SPR
With so much in the news about credit card breaches from retail sites or personal data gleaning for unintended purposes ndash think Facebook and Cambridge Analytics5 ndash now more than ever it is important to think about cybersecurity and user experience The ramifications of a successful data breach include loss of customers revenue market share and reputation All are hard to regain especially in a hyper-competitive global market With so many other companies vying for your customers the lack of strategy around the user experience of cybersecurity may result in your customers flocking over to your competitors Getting customers on your site and accomplishing goals requires not just ease-of-use but also trust especially when it comes to sites where personal and or financial data is being used and stored
If the user does not feel secure about providing personal and financial information yet that data is required the user will simply do their business somewhere else
The flip side of this is that making a site and the data secure cannot be so cumbersome that the user abandons the site There needs to be a balance between the two
Below are four tips that can help
Are CX teams overconfident in cyber security?
Over half (52 per cent) of respondents are confident in their cyber defence capabilities, with 17 per cent stating that they are very confident. However, is this overconfidence? Many organisations are still failing at the cyber security basics. All it takes is a single negligent employee to open a spear phishing email or click on a malicious link, and this can negate expensive cyber security procedures that have been put in place.
A 2017 cyber security survey concluded that the biggest cyber security risk is worker complacency [3]. The weak cyber security culture amongst employees is often overlooked by executive decision makers – and this can present blindness in an organisation’s ability to protect critical data.
[Chart: How confident are you in your organisation’s information security? Response options: Very confident; Confident; Neither confident or unconfident; Unconfident; Very unconfident.]
[3] https://www.ft.com/content/e75d9c96-eec9-11e6-ba01-119a44939bb6
Do technical and non-technical employees take part in regular cyber security training?
Cyber security experts often state that employees are both the strongest and weakest link in cyber defence. So it is important that both technical and non-technical employees understand this risk and have the knowledge to mitigate cyber threats.
The results from our survey show that the majority of CX practitioners believe that their organisation takes a responsible approach towards training, ensuring that all employees receive regular information security training. Further confidence can be drawn from the 23 per cent of respondents who state that both teams receive training but it isn’t regular enough, so they’re aware this should be a bigger focus area for the company in the future.
A responsible organisation should be able to ensure that all departments have the foundational knowledge to mitigate common cyber security threats. A high number of organisations adopt a pre-existing risk framework. While useful, this often does not take into account the specific risks faced by an individual organisation.
[Chart: Do both technical and non-technical employees take part in routine awareness/training sessions on information security related issues? Response options: Yes, we’re very good at that; Yes, but it’s not routine or regular; Only technical teams; No, but we have a plan to improve efforts; No, very rarely if ever.]
Max Aulakh, CISO at transformative risk management company Ignyte Assurance Platform:
“Every brand in the world is losing revenue due to the universal pain point. The number one issue has always been the human element of cyber security. Today we have enough knowledge to know what type of attacks are the most common and how they function, but the common threat between common cyber attacks is human error. CX team members should be aware of how common attacks – such as phishing, social engineering tactics, click baits, DDoS and malware – work.
“We are missing the most basic awareness among our user community. Most companies communicate that they would never ask consumers for their passwords and other log-in credentials, and offer security guidelines, but is there more that CX teams can do?
“A good CX team will manage brand perception during downtime on social media; a better one would contribute to cyber defence by communicating the benefits of digital security to customers.”
Does your organisation have the ability to mitigate threats in real-time?
The ability to mitigate threats in real-time is one of the core pillars of digital defence. Confidence can be drawn from the 46 per cent of respondents who state their organisation has the ability to mitigate threats in real-time. In addition, 20 per cent of respondents believe that their ability to mitigate threats in real-time is dependent on the threat. While none of our respondents answered that their organisation doesn’t have the ability to respond to threats in real-time, a high proportion said they didn’t know either way (18 per cent). Is this indicative of the siloed nature of CX teams?
New threats are always emerging and keeping track isn’t easy. Organisations need to be able to trust that the individuals using their service are the people they claim to be. The ability to identify a legitimate or illegitimate customer – by assessing user locations, known behaviours and device profiles – while not intruding on the customer experience is key to brand value.
[Chart: Does your organisation have the ability to mitigate threats in real-time? Response options: Yes; It depends; No; I don’t know; We have a tiered security format and the protocol would involve multiple formats.]
Do you have documented IT security procedures in place that are routinely followed and tested?
Over three quarters (76 per cent) of our respondents told us that they do have IT policy procedures that are routine. This figure demonstrates a responsible attitude towards cultivating a strong cyber security culture, given the fact that the overwhelming majority of respondents believe they have routinely tested cyber policies in place.
Ted Bardusch, CISO at customer engagement hub Usermind:
“Given the increasing likeliness of cyber breaches, cyber defence is no longer the sole domain of CISOs, in consideration of the ramifications that a breach can have on customer relationship and corporate reputation. Transparent communication is vital before, during and following a security incident. Businesses process more customer data than ever before, and often this data is siloed in different departments and systems. What does this mean from a security standpoint? Under GDPR, companies must now identify a breach in real-time, discover who has been impacted and notify vulnerable individuals in three short days, according to the 72-hour customer breach notification rule. However, without a unified customer record this becomes near impossible. CX leads must be involved in security planning and preparedness efforts. According to KPMG [4], one in five customers will sever a relationship with a retailer after a cyber attack, while one in three customers would take a long-term break. To guarantee customer retention, CX teams need to consider a security breach as a likely stop along the customer journey. An incorrect email address or a missing point of contact could be the difference between ruining a customer relationship forever and rebuilding customer trust and driving retention following a breach.”
[Chart: When it comes to information security in your organisation, do you have documented security procedures that are routinely followed and tested? Response options: Yes; No; We have policies but they’re not always strictly tested or followed; We have procedures that we follow but they are not always ‘formalised’ documents; Don’t know/can’t answer.]
[4] https://home.kpmg.com/us/en/home/media/press-releases/2016/08/cyber-attacks-could-cost-retailers-one-fifth-of-their-shoppers-kpmg-study.html
Serguei Beloussov, CEO of global technology company Acronis:
“Products and services need to be digitally secure before organisations can consider offering excellent customer service. This can be difficult with legacy systems. While some customers are aware of security issues and expect multiple authentications and checks, others are unaware of the dangers and may simply want easy access. Innovative CX teams will want to cover both groups and make all users equally secure with different types of authentication, ensuring that all users receive the customer experience they are expecting. Most user authentication processes are robust enough but require users to remember multiple passwords. Single sign-on and facial recognition are a good alternative but require additional infrastructures, such as enterprise directories and biometric validation systems. While security controls reduce risks, they sometimes put an additional burden on customers. The key lies in profiling the users and, while setting up the product, incorporating personalisation into the authentication process.”
[Chart: What are the main challenges that hinder a bigger focus on data security within your CX strategy? Response options: Regional differences; Dated infrastructure/legacy systems; Lack of skilled staff; Budget; Lack of understanding; C-level/senior management buy-in; Multiple department input; Complicated regulations/compliance.]
Our research reveals that there are a few different challenges – of equal size – that CX teams face in trying to incorporate data security within their CX strategy. The three biggest challenges faced by CX leaders today when it comes to their information security strategy are dated infrastructure (53 per cent), budget (45 per cent) and lack of understanding (46 per cent).
It is quite surprising to see lack of understanding make the top three when compared against other results throughout this survey. This may point towards a lack of thoroughness in cyber security training regimes. Conversely, respondents may also feel that upper management is blasé in their attitude towards cyber security and lack clarity on strategy and responsibilities.
As highlighted, dated infrastructure and legacy systems came out on top. Many organisations are bogged down by legacy systems that continue to play a key role in operations across a wide array of industries and sectors. Given the nature of such systems, it can be incredibly difficult to incorporate automatic cyber security protections without damaging the system in some way.
The impact of new data regulations
[Chart: Do you feel confident that you understand the changes in data regulations and how they will affect your organisation? Response options: Very confident; Confident; Neither confident or unconfident; Unconfident; Very unconfident.]
The idea behind the GDPR is simple: data subjects are protected from companies selling their personal data; they have to be informed at all times about their rights and how to object to the processing of their personal data.
Having said that, many organisations are still uncertain over the changes in data regulation and how it can affect them day-to-day. We asked how confident our respondents felt about new data regulations. As the results show, respondents are mainly confident, but nearly a quarter (23 per cent) stated that they are neither confident nor unconfident. Meanwhile, 15 per cent replied that they are not confident at all.
When we asked our respondents how it will affect their own CX strategy, the most frequent response was that marketing outreach strategies were redesigned to comply with GDPR. A number of responses also stated that a ‘privacy by design’ philosophy was steadily being implemented, highlighting the customer experience benefit of broadcasting the incorporation of stringent data privacy in all products and services.
New cyber security procedures are constantly being created as a result of increased data regulation and governance. We asked our community members if data regulations will affect their customer experience strategy. A majority of 84 per cent stated that it would.
Organisations across all industries and sectors had to change the way they interact with customers and handle their data when GDPR was introduced in May 2018. Recital 47 of GDPR states that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. Increasing the personalisation of the customer experience can be regarded as a legitimate interest, but CX teams will have to consider if the data is being used as intended.
While some organisations view GDPR as a hindrance to the customer experience, others will realise that it raises marketing standards – ensuring that consumers who share personal information will not be punished by “bad” personalisation, such as off base emails.
Furthermore, customer data has become more difficult to obtain, so brands will have to think of new strategies that convey trust. This can come in the form of more transparent interaction regarding data security and an increasingly holistic approach to cyber security.
100 per cent of respondents state that wider information security practices will improve as a result of new regulation. This is indicative of the positive approach the CX teams are taking towards increased data regulation.
[Chart: Do you believe incoming data governance regulations (like GDPR) will affect your customer experience strategy? Yes: 85; Don’t know: 15; No: 0.]
5 GDPR myths busted
With GDPR in place, there is a lot of chatter in the industry about what the new rules actually mean for marketers and customer experience practitioners handling personal customer data.
But what is true, and what is sensationalist fiction?
At GDPR Forum, Dan Hedley, Partner, IT & Commercial at Irwin Mitchell, dived into some of the biggest myths surrounding the new regulations and, in clear terms, outlined what the changes mean for organisations having to adapt now.
1. Massive fines will bankrupt SMEs
Sensationalist headlines claim that there will be fines for small and medium-sized enterprises (SMEs) that could bankrupt their company. In reality, the huge £20m fine mentioned in the news does not affect SMEs. This is purely to warn ‘the very big corporations that are doing very bad things’.
2. You need consent for everything
Consent is one of the buzzwords thrown around alongside GDPR, and while you need consent from customers for some elements under the new law, there are a lot of ‘common sense’ things where explicit consent isn’t needed. These cover contractual necessity, legal obligation, protection of vital interests, public interest necessity and legitimate interests.
For example, if you swap business cards at a conference, it’s assumed you will contact each other, and likewise, if you’re fulfilling a contract for a client and you need to send them additional information, it’s only logical you’re allowed to do so without having explicit consent. Consent is only needed when you cannot rely on any of the above exceptions, and is mostly related to direct marketing.
3. Data protection is an IT issue
There is no technology available that will make you GDPR compliant. Data protection is a boardroom issue, and while IT is involved, so are operations, HR, sales and marketing. It’s about the people and processes first, though tech can of course help with particular issues such as data discovery, record keeping and security.
4. You need a Data Protection Officer
This was mentioned in an early draft of the GDPR and no longer applies to the majority of businesses. You must appoint a Data Protection Officer (DPO) only if you’re a public authority, your core activities require regular and systematic monitoring of data subjects, and your core activities consist of large scale processing of special categories of data.
Furthermore, a DPO does not have to be an employee; it can be an external consultant too. A lot of people are currently jumping on this bandwagon, though, so if you go down this route you have to make sure your future DPO has been doing this for years and not just the last few months.
5. All data breaches have to be reported within 72 hours
While this is not a straight-up myth, this is only partly true. Data breaches must indeed be reported to the Information Commissioner’s Office (ICO) by the controller, unless ‘unlikely to result in a risk to the rights and freedoms of natural persons’. So if it’s encrypted, retrieved unopened (in the case of snail mail) or it involves a bunch of corporate email addresses, then you’re likely going to be okay.
The 72 hour time frame is also somewhat flexible, as the regulations state that the obligation is ‘without undue delay and, where feasible, not later than 72 hours after having become aware of it’.
What can CX teams do going forward?
Litha Ramirez, Director of Experience Strategy at business consultation company SPR:
With so much in the news about credit card breaches from retail sites or personal data gleaning for unintended purposes – think Facebook and Cambridge Analytics [5] – now more than ever it is important to think about cybersecurity and user experience. The ramifications of a successful data breach include loss of customers, revenue, market share and reputation. All are hard to regain, especially in a hyper-competitive global market. With so many other companies vying for your customers, the lack of strategy around the user experience of cybersecurity may result in your customers flocking over to your competitors. Getting customers on your site and accomplishing goals requires not just ease-of-use but also trust, especially when it comes to sites where personal and/or financial data is being used and stored.
If the user does not feel secure about providing personal and financial information, yet that data is required, the user will simply do their business somewhere else.
The flip side of this is that making a site and the data secure cannot be so cumbersome that the user abandons the site. There needs to be a balance between the two.
Below are four tips that can help:
• Provide the user transparency about how their data will be stored, shared and used. Include a policy on how breaches will be treated.
• Use encryption cues like HTTPS and third party security verification to signal the site’s security.
• Make sure information is written in an easy to understand language and takes no more than a couple of minutes to read. Do not obscure it in pages of legalese.
• Provide the user with opportunities to opt into the saving and sharing of data.
[5] https://www.reuters.com/article/us-facebook-privacy/facebook-says-data-leak-hits-87-million-users-widening-privacy-scandal-idUSKCN1HB2CM
Conclusion
Throughout this report, the underlying trend has been that CX practitioners are confident in the cyber security capabilities of their organisations, but there are a few significant areas of shortfall:
• CX teams need to take a more prominent role in cyber security decision making
• CX and IT teams need to closely integrate goals
• CX teams need a larger cyber security budget
• Cyber security education needs to improve for both customers and employees
• CX teams need to find new ways of improving frustrating digital security experiences, such as authentication
While there is still a long way to go, it is promising that the majority of CX teams are receiving regular cyber security training. The high focus on this may be a direct result of the high quantity of cyber breaches over the last few years, serving as a constant reminder of the dangers posed by weak cyber security procedures.
Additionally, in the next few years we will likely see objectives from CX teams and IT security become increasingly aligned, from CISOs taking on more customer-oriented duties to CX teams exploring innovative alternatives to traditional authentication.
With new data regulations to adhere to and unprecedented cyber threats on the horizon – such as artificial intelligence enabled cyber attacks – confidence can be drawn from the results throughout this survey, which point towards a sector that is taking cyber defence very seriously.
The way CX teams think about cyber security has changed substantially over the last few years. Companies would avoid talking about cyber security, as they risked portraying online transactions as taking a risk. This is not the case anymore. Nowadays we are starting to see organisations of all sizes – from financial institutions to retailers – taking an active role in teaching users about safe online behaviour.
Today, organisations and digital security teams know how most attacks function and how they are prevented. However, the key similarity between the most common – and successful – forms of attack is the human error element. While the technology is already in place to help prevent and mitigate cyber attacks, the greatest impact on protecting data is the education of employees and customers.
CXNetworkcom 9
Do technical and non-technical employees take part in regular cyber security training
Cyber security experts often state that employees are both the strongest and weakest link in cyber defence So it is important that both technical and non-technical employees understand this risk and have the knowledge to mitigate cyber threats
The results from our survey show that the majority of CX practitioners believe that their organisation takes a responsible approach towards training ensuring that all employees receive regular information security training Further confidence can be drawn from the 23 per cent of respondents who state that both teams receive training but it isnrsquot regular enough so theyrsquore aware this should be a bigger focus area for the company in the future
A responsible organisation should be able to ensure that all departments have the foundational knowledge to mitigate common cyber security threats A high number of organisations adopt a pre-existing risk framework While useful this often does not take into account the specific risks faced by an individual organisation
Do both technical and non-technical employees take part in routine awarenesstraining sessions on information security related issues
Max Aulakh CISO at transformative risk management company Ignyte Assurance Platform
Every brand in the world is losing revenue due to the universal pain point The number one issue has always been the human element of cyber security Today we have enough knowledge to know what type of attacks are the most common and how they function but the common threat between common cyber attacks is human error CX team members should be aware of how common attacks ndash such as phishing social engineering tactics click baits DDoS and malware ndash work
We are missing the most basic awareness among our user community Most companies communicate that they would never ask consumers for their passwords and other log-in credentials and offer security guidelines but is there more that CX teams can do
A good CX team will manage brand perception during downtime on social media a better one would contribute to cyber defence by communicating the benefits of digital security to customers
ldquo
ldquo54
230 15 7
Yes wersquore very good at
that
Yes but itrsquos not routine or
regular
Only technical teams
No but we have a plan to improve
efforts
No very rarely if ever
CXNetworkcom 10
Does your organisation have the ability to mitigate threats in real-time
The ability to mitigate threats in real-time is one of the core pillars of digital defence Confidence can be drawn from the 46 per cent of respondents who state their organisation has the ability to mitigate threats in real-time In addition 20 per cent of respondents believe that their ability to mitigate threats in real-time is dependent on the threat While none of our respondents answered that their organisation doesnrsquot have the ability to respond to threats in real-time a high proportion said they didnrsquot know either way (18 per cent) Is this indicative of the siloed nature of CX teams
New threats are always emerging and keeping track isnrsquot easy Organisations need to be able to trust that the individuals using their service are the people they claim to be The ability to identify a legitimate or illegitimate customer ndash by assessing user locations known behaviours and device profiles ndash while not intruding on the customer experience is key to brand value
18
6
30
47
0
I donrsquot know
We have a tiered security format and the protocol would involve
multiple formats
No
YesIt depends
CXNetworkcom 11
Do you have documented IT security procedures in place that are routinely followed and tested
Over three quarters (76 per cent) of our respondents told us that they do have IT policy procedures that are routine This figure demonstrates a responsible attitude towards cultivating a strong cyber security culture given the fact that the overwhelming majority of respondents believe they have routinely tested cyber policies in place
Ted Bardusch CISO at customer engagement hub Usermind
Given the increasing likeliness of cyber breaches cyber defence is no longer the sole domain of CISOs in consideration of the ramifications that a breach can have on customer relationship and corporate reputation Transparent communication is vital before during and following a security incident Businesses process more customer data than ever before and often this data is siloed in different departments and systems What does this mean from a security standpoint Under GDPR companies must now identify a breach in real-time discover who has been impacted and notify vulnerable individuals in three short days according to the 72-hour customer breach notification rule However without a unified customer record this becomes near impossible CX leads must be involved in security planning and preparedness efforts According to KPMG4 one in five customers will sever a relationship with a retailer after a cyber attack while one in three customers would take a long-term break To guarantee customer retention CX teams need to consider a security breach as a likely stop along the customer journey An incorrect email address or a missing point of contact could be the difference between ruining a customer relationship forever and rebuilding customer trust and driving retention following a breach
ldquo
ldquoWhen it comes to information security in your organisation do you have documented security procedures that are routinely followed and tested
77
8 8 0 8
Yes
No We have policies but theyrsquore not always
strictly tested or followed
We have procedures that we follow
but they are not always lsquoformalisedrsquo
documents
Donrsquot knowcanrsquot answer
4httpshomekpmgcomusenhomemediapress-releases201608cyber-attacks-could-cost-retailers-one-fifth-of-their-shoppers-kpmg-studyhtml
CXNetworkcom 12
Serguei Beloussov CEO of global technology company Acronis
Products and services need to be digitally secure before organisations can consider offering excellent customer service This can be difficult with legacy systems While some customers are aware of security issues and expect multiple authentications and checks others are unaware of the dangers and may simply want easy access Innovative CX teams will want to cover both groups and make all users equally secure with different types of authentication ensuring that all users receive the customer experience they are expectingMost user authentication processes are robust enough but require users to remember multiple passwords Single sign-on and facial recognition are a good alternative but require additional infrastructures such as enterprise directories and biometric validation systems While security controls reduce risks they sometimes put an additional burden on customersThe key lies in profiling the users and while setting up the product incorporating personalisation into the authentication process
ldquo
ldquoWhat are the main challenges that hinder a bigger
focus on data security within your CX strategy
54 2323 23 15
46 4623
Regional differences
Dated infrastructurelegacy systems Lack of
skilled staffBudget
Lack of understanding
C-Levelsenior management buy-in
Multiple department
input
Complicated regulationscompliance
Our research reveals that there are a few different challenges ndash of equal size ndash that CX teams face in trying to incorporate data security within their CX strategy The three biggest challenges faced by CX leaders today when it comes to their information security strategy are dated infrastructure (53 per cent) budget (45 per cent) and lack of understanding (46 per cent)
It is quite surprising to see lack of understanding make the top three when compared against other results throughout this survey This may point towards a lack of thoroughness in cyber security training regimes Conversely respondents may also feel that upper management is blaseacute in their attitude towards cyber security and lack clarity on strategy and responsibilities
As highlighted dated infrastructure and legacy systems came out on top Many organisations are bogged down by legacy systems that continue to play a key role in operations across a wide array of industries and sectors Given the nature of such systems it can be incredibly difficult to incorporate automatic cyber security protections without damaging the system in some way
CXNetworkcom 13
The impact of new data regulations Do you feel confident that you understand the changes in
data regulations and how they will affect your organisation
23 39 23 15 0Very Confident Confident Very UnconfidentUnconfidentNeither Confident
or Unconfident
The idea behind the GDPR is simple data subjects are protected from companies selling their personal data they have to be informed at all times about their rights and how to object to the processing of their personal data
Having said that many organisations are still uncertain over the changes in data regulation and how it can affect them day-to-day We asked how confident our respondents felt about new data regulations As the results show respondents are mainly confident but nearly a quarter (23 per cent) stated that they are neither confident nor confident Meanwhile 15 per cent replied that they are not confident at all
CXNetworkcom 14
When we asked our respondents how it will affect their own CX strategy, the most frequent response was that marketing outreach strategies were redesigned to comply with GDPR. A number of responses also stated that a 'privacy by design' philosophy was steadily being implemented, highlighting the customer experience benefit of broadcasting the incorporation of stringent data privacy in all products and services.
New cyber security procedures are constantly being created as a result of increased data regulation and governance. We asked our community members if data regulations will affect their customer experience strategy. A majority of 84 per cent stated that it would.
Organisations across all industries and sectors had to change the way they interact with customers and handle their data when GDPR was introduced in May 2018. Recital 47 of GDPR states that "the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest". Increasing the personalisation of the customer experience can be regarded as a legitimate interest, but CX teams will have to consider if the data is being used as intended.
While some organisations view GDPR as a hindrance to the customer experience, others will realise that it raises marketing standards – ensuring that consumers who share personal information will not be punished by "bad" personalisation, such as off-base emails.
Furthermore, customer data has become more difficult to obtain, so brands will have to think of new strategies that convey trust. This can come in the form of more transparent interaction regarding data security and an increasingly holistic approach to cyber security.
100 per cent of respondents state that wider information security practices will improve as a result of new regulation. This is indicative of the positive approach the CX teams are taking towards increased data regulation.
Do you believe incoming data governance regulations (like GDPR) will affect your customer experience strategy?
• Yes: 85 per cent
• Don't know: 15 per cent
• No: 0 per cent
5 GDPR myths busted
With GDPR in place, there is a lot of chatter in the industry about what the new rules actually mean for marketers and customer experience practitioners handling personal customer data.
But what is true, and what is sensationalist fiction?
At GDPR Forum, Dan Hedley, Partner, IT & Commercial at Irwin Mitchell, dived into some of the biggest myths surrounding the new regulations and, in clear terms, outlined what the changes mean for organisations having to adapt now.
1. Massive fines will bankrupt SMEs
Sensationalist headlines claim that there will be fines for small and medium-sized enterprises (SMEs) that could bankrupt their company. In reality, the huge £20m fine mentioned in the news does not affect SMEs. This is purely to warn 'the very big corporations that are doing very bad things'.
2. You need consent for everything
Consent is one of the buzzwords thrown around alongside GDPR, and while you need consent from customers for some elements under the new law, there are a lot of 'common sense' things where explicit consent isn't needed. These cover contractual necessity, legal obligation, protection of vital interests, public interest necessity and legitimate interests.
For example, if you swap business cards at a conference, it's assumed you will contact each other, and likewise, if you're fulfilling a contract for a client and you need to send them additional information, it's only logical you're allowed to do so without having explicit consent. Consent is only needed when you cannot rely on any of the above exceptions and is mostly related to direct marketing.
3. Data protection is an IT issue
There is no technology available that will make you GDPR compliant. Data protection is a boardroom issue, and while IT is involved, so are operations, HR, sales and marketing. It's about the people and processes first. Though tech can, of course, help with particular issues such as data discovery, record keeping and security.
4. You need a Data Protection Officer
This was mentioned in an early draft of the GDPR and no longer applies to the majority of businesses. You must appoint a Data Protection Officer (DPO) only if you're a public authority, your core activities require regular and systematic monitoring of data subjects, and your core activities consist of large-scale processing of special categories of data.
Furthermore, a DPO does not have to be an employee; it can be an external consultant too. Though a lot of people are currently jumping on this bandwagon, so if you go down this route, you have to make sure your future DPO has been doing this for years and not just the last few months.
5. All data breaches have to be reported within 72 hours
While this is not a straight-up myth, this is only partly true. Data breaches must indeed be reported to the Information Commissioner's Office (ICO) by the controller unless 'unlikely to result in a risk to the rights and freedoms of natural persons'. So if it's encrypted, retrieved unopened (in the case of snail mail) or it involves a bunch of corporate email addresses, then you're likely going to be okay.
The 72-hour time frame is also somewhat flexible, as the regulations state that the obligation is 'without undue delay and, where feasible, not later than 72 hours after having become aware of it'.
What can CX teams do going forward?
Litha Ramirez, Director of Experience Strategy at business consultation company SPR
With so much in the news about credit card breaches from retail sites, or personal data gleaning for unintended purposes – think Facebook and Cambridge Analytica [5] – now more than ever it is important to think about cybersecurity and user experience. The ramifications of a successful data breach include loss of customers, revenue, market share and reputation. All are hard to regain, especially in a hyper-competitive global market. With so many other companies vying for your customers, the lack of strategy around the user experience of cybersecurity may result in your customers flocking over to your competitors. Getting customers on your site and accomplishing goals requires not just ease-of-use but also trust, especially when it comes to sites where personal and/or financial data is being used and stored.
If the user does not feel secure about providing personal and financial information, yet that data is required, the user will simply do their business somewhere else.
The flip side of this is that making a site and the data secure cannot be so cumbersome that the user abandons the site. There needs to be a balance between the two.
Below are four tips that can help:
• Provide the user transparency about how their data will be stored, shared and used. Include a policy on how breaches will be treated.
• Use encryption cues like HTTPS and third-party security verification to signal the site's security.
• Make sure information is written in an easy-to-understand language and takes no more than a couple of minutes to read. Do not obscure it in pages of legalese.
• Provide the user with opportunities to opt into the saving and sharing of data.
[5] https://www.reuters.com/article/us-facebook-privacy/facebook-says-data-leak-hits-87-million-users-widening-privacy-scandal-idUSKCN1HB2CM
Conclusion
Throughout this report, the underlying trend has been that CX practitioners are confident in the cyber security capabilities of their organisations, but there are a few significant areas of shortfall:
• CX teams need to take a more prominent role in cyber security decision making
• CX and IT teams need to closely integrate goals
• CX teams need a larger cyber security budget
• Cyber security education needs to improve for both customers and employees
• CX teams need to find new ways of improving frustrating digital security experiences, such as authentication
While there is still a long way to go, it is promising that the majority of CX teams are receiving regular cyber security training. The high focus on this may be a direct result of the high quantity of cyber breaches over the last few years, serving as a constant reminder of the dangers posed by weak cyber security procedures.
Additionally, in the next few years we will likely see objectives from CX teams and IT security become increasingly aligned, from CISOs taking on more customer-oriented duties to CX teams exploring innovative alternatives to traditional authentication.
With new data regulations to adhere to and unprecedented cyber threats on the horizon – such as artificial intelligence enabled cyber attacks – confidence can be drawn from the results throughout this survey that point towards a sector that is taking cyber defence very seriously.
The way CX teams think about cyber security has changed substantially over the last few years. Companies would avoid talking about cyber security, as they risked portraying online transactions as taking a risk. This is not the case anymore. Nowadays, we are starting to see organisations of all sizes – from financial institutions to retailers – taking an active role in teaching users about safe online behaviour.
Today, organisations and digital security teams know how most attacks function and how they are prevented. However, the key similarity between the most common – and successful – forms of attack is the human error element. While the technology is already in place to help prevent and mitigate cyber attacks, the greatest impact to protecting data is the education of employees and customers.
Does your organisation have the ability to mitigate threats in real-time?
The ability to mitigate threats in real-time is one of the core pillars of digital defence. Confidence can be drawn from the 46 per cent of respondents who state their organisation has the ability to mitigate threats in real-time. In addition, 20 per cent of respondents believe that their ability to mitigate threats in real-time is dependent on the threat. While none of our respondents answered that their organisation doesn't have the ability to respond to threats in real-time, a high proportion said they didn't know either way (18 per cent). Is this indicative of the siloed nature of CX teams?
New threats are always emerging, and keeping track isn't easy. Organisations need to be able to trust that the individuals using their service are the people they claim to be. The ability to identify a legitimate or illegitimate customer – by assessing user locations, known behaviours and device profiles – while not intruding on the customer experience is key to brand value.
[Chart: answer options were Yes; No; It depends; I don't know; We have a tiered security format and the protocol would involve multiple formats. Values shown: 18, 6, 30, 47, 0.]
Do you have documented IT security procedures in place that are routinely followed and tested?
Over three quarters (76 per cent) of our respondents told us that they do have IT policy procedures that are routine. This figure demonstrates a responsible attitude towards cultivating a strong cyber security culture, given the fact that the overwhelming majority of respondents believe they have routinely tested cyber policies in place.
Ted Bardusch, CISO at customer engagement hub Usermind
Given the increasing likeliness of cyber breaches, cyber defence is no longer the sole domain of CISOs, in consideration of the ramifications that a breach can have on customer relationship and corporate reputation. Transparent communication is vital before, during and following a security incident. Businesses process more customer data than ever before, and often this data is siloed in different departments and systems. What does this mean from a security standpoint? Under GDPR, companies must now identify a breach in real-time, discover who has been impacted and notify vulnerable individuals in three short days, according to the 72-hour customer breach notification rule. However, without a unified customer record, this becomes near impossible. CX leads must be involved in security planning and preparedness efforts. According to KPMG [4], one in five customers will sever a relationship with a retailer after a cyber attack, while one in three customers would take a long-term break. To guarantee customer retention, CX teams need to consider a security breach as a likely stop along the customer journey. An incorrect email address or a missing point of contact could be the difference between ruining a customer relationship forever and rebuilding customer trust and driving retention following a breach.
When it comes to information security in your organisation, do you have documented security procedures that are routinely followed and tested?
[Chart: answer options were Yes; No; We have policies but they're not always strictly tested or followed; We have procedures that we follow but they are not always 'formalised' documents; Don't know/can't answer. Values shown: 77, 8, 8, 0, 8.]
[4] https://home.kpmg.com/us/en/home/media/press-releases/2016/08/cyber-attacks-could-cost-retailers-one-fifth-of-their-shoppers-kpmg-study.html
Serguei Beloussov, CEO of global technology company Acronis
Products and services need to be digitally secure before organisations can consider offering excellent customer service. This can be difficult with legacy systems. While some customers are aware of security issues and expect multiple authentications and checks, others are unaware of the dangers and may simply want easy access. Innovative CX teams will want to cover both groups and make all users equally secure with different types of authentication, ensuring that all users receive the customer experience they are expecting. Most user authentication processes are robust enough but require users to remember multiple passwords. Single sign-on and facial recognition are a good alternative but require additional infrastructures, such as enterprise directories and biometric validation systems. While security controls reduce risks, they sometimes put an additional burden on customers. The key lies in profiling the users and, while setting up the product, incorporating personalisation into the authentication process.
What are the main challenges that hinder a bigger focus on data security within your CX strategy?
[Chart: answer options were Regional differences; Dated infrastructure/legacy systems; Lack of skilled staff; Budget; Lack of understanding; C-Level/senior management buy-in; Multiple department input; Complicated regulations/compliance. Values shown: 54, 23, 23, 23, 15, 46, 46, 23.]
Our research reveals that there are a few different challenges – of equal size – that CX teams face in trying to incorporate data security within their CX strategy. The three biggest challenges faced by CX leaders today when it comes to their information security strategy are dated infrastructure (53 per cent), budget (45 per cent) and lack of understanding (46 per cent).
It is quite surprising to see lack of understanding make the top three when compared against other results throughout this survey. This may point towards a lack of thoroughness in cyber security training regimes. Conversely, respondents may also feel that upper management is blasé in their attitude towards cyber security and lack clarity on strategy and responsibilities.
As highlighted, dated infrastructure and legacy systems came out on top. Many organisations are bogged down by legacy systems that continue to play a key role in operations across a wide array of industries and sectors. Given the nature of such systems, it can be incredibly difficult to incorporate automatic cyber security protections without damaging the system in some way.
The impact of new data regulations
Do you feel confident that you understand the changes in data regulations and how they will affect your organisation?
• Very Confident: 23 per cent
• Confident: 39 per cent
• Neither Confident or Unconfident: 23 per cent
• Unconfident: 15 per cent
• Very Unconfident: 0 per cent
The idea behind the GDPR is simple data subjects are protected from companies selling their personal data they have to be informed at all times about their rights and how to object to the processing of their personal data
Having said that many organisations are still uncertain over the changes in data regulation and how it can affect them day-to-day We asked how confident our respondents felt about new data regulations As the results show respondents are mainly confident but nearly a quarter (23 per cent) stated that they are neither confident nor confident Meanwhile 15 per cent replied that they are not confident at all
CXNetworkcom 14
When we asked our respondents how it will affect their own CX strategy the most frequent response was that marketing outreach strategies were redesigned to comply with GDPR A number of responses also stated that a rsquoprivacy by designlsquo philosophy was steadily being implemented highlighting the customer experience benefit of broadcasting the incorporation of stringent data privacy in all products and services
New cyber security procedures are constantly being created as a result of increased data regulation and governance We asked our community members if data regulations will affect their customer experience strategy A majority of 84 per cent stated that it would
Organisations across all industries and sectors had to change the way they interact with customers and handled their data when GDPR was introduced in May 2018 Recital 47 of GDPR states that ldquothe processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interestrdquo Increasing the personalisation of the customer experience can be regarded as a legitimate interest but CX teams will have to consider if the data is being used as intended
While some organisations view GDPR as a hindrance to the customer experience others will realise that it raises marketing standards ndash ensuring that consumers who share personal information will not be punished by ldquobadrdquo personalisation such as off base emails
100 per cent of respondents state that wider information security practices will improve as a result of new regulation
Furthermore customer data has become more difficult to obtain so brands will have to think of new strategies that convey trust This can come in the form of more transparent interaction regarding data security and an increasingly holistic approach to cyber security
100 per cent of respondents state that wider information security practices will improve as a result of new regulation This is indicative of the positive approach the CX teams are taking towards increased data regulation
Do you believe incoming data governance regulations (like GDPR) will affect your
customer experience strategy
85Yes
15Donrsquot know
0No
CXNetworkcom 15
5 GDPR myths busted
With GDPR in place there is a lot of chatter in the industry about what the new rules actually mean for marketers and customer experience practitioners handling personal customer data
But what is true and what is sensationalist fiction
At GDPR Forum Dan Hedley Partner IT amp Commercial at Irwin Mitchell dived into some of the biggest myths surrounding the new regulations and in clear terms outlined what the changes mean for organisations having to adapt now
Sensationalist headlines claim that there will be fines for small and medium-sized enterprises (SMEs) that could bankrupt their company In reality the huge pound20m fine mentioned in the news does not affect SMEs This is purely to warn lsquothe very big corporations that are doing very bad thingsrsquo
Consent is mostly related to direct marketing
Consent is one of the buzzwords thrown around alongside GDPR and while you need consent from customers for some elements under the new law there are a lot of lsquocommon sensersquo things where explicit consent isnrsquot needed These cover contractual necessity legal obligation protection of vital interests public interest necessity and legitimate interests
For example if you swap business cards at a conference itrsquos assumed you will contact each other and likewise if yoursquore fulfilling a contract for a client and you need to send them additional information itrsquos only logical yoursquore allowed to do so without having explicit consent Consent is only needed when you cannot rely on any of the above exceptions and is mostly related to direct marketing
1
2
Massive fines will bankrupt SMEs
You need consent for everything
CXNetworkcom 16
There is no technology available that will make you GDPR compliant Data protection is a boardroom issue and while IT is involved so are operations HR sales and marketing Itrsquos about the people and processes first Though tech can of course help with particular issues such as data discovery record keeping and security
A DPO does not have to be an employee it can be an external consultant
This was mentioned in an early draft of the GDPR and no longer applies to the majority of businesses You must appoint a Data Protection Officer (DPO) only if yoursquore a public authority your core activities require regular and systematic monitoring of data subjects and your core activities consist of large scale processing of special categories of data
Furthermore a DPO does not have to be an employee it can be an external consultant too Though a lot of people are currently jumping on this bandwagon so if you go down this route you have to make sure your future DPO has been doing this for years and not just the last few months
While this is not a straight-up myth this is only partly true Data breaches must indeed be reported to the Information Commissionerrsquos Office (ICO) by the controller unless lsquounlikely to result in a risk to the rights and freedoms of natural personsrsquo So if itrsquos encrypted retrieved unopened (in the case of snail mail) or it involves a bunch of corporate email addresses then yoursquore likely going to be okay
The 72 hour time frame is also somewhat flexible as the regulations state that obligation is lsquowithout undue delay and where feasible not later than 72 hours after having become aware of itrsquo
3
4
5
Data protection is an IT issue
You need a Data Protection Officer
All data breaches have to be reported within 72 hours
CXNetworkcom 17
What can CX teams do going forward
Litha Ramirez Director of Experience Strategy at business consolation company SPR
With so much in the news about credit card breaches from retail sites or personal data gleaning for unintended purposes ndash think Facebook and Cambridge Analytics5 ndash now more than ever it is important to think about cybersecurity and user experience The ramifications of a successful data breach include loss of customers revenue market share and reputation All are hard to regain especially in a hyper-competitive global market With so many other companies vying for your customers the lack of strategy around the user experience of cybersecurity may result in your customers flocking over to your competitors Getting customers on your site and accomplishing goals requires not just ease-of-use but also trust especially when it comes to sites where personal and or financial data is being used and stored
If the user does not feel secure about providing personal and financial information yet that data is required the user will simply do their business somewhere else
The flip side of this is that making a site and the data secure cannot be so cumbersome that the user abandons the site There needs to be a balance between the two
Below are four tips that can help
Provide the user transparency about how their data will be stored shared and used Include a policy on how breaches will be treated
Use encryption cues like HTTPS and third party security verification to signal the sites security
Make sure information is written in an easy to understand language and takes no more than a couple of minutes to read Do not obscure it in pages of legalese
Provide the user with opportunities to opt into the saving and sharing of data
14
23
5httpswwwreuterscomarticleus-facebook-privacyfacebook-says-data-leak-hits-87-million-users-widening-privacy-scandal-idUSKCN1HB2CM
CXNetworkcom 18
Conclusion
Throughout this report the underlying trend has been that CX practitioners are confident in the cyber security capabilities of their organisations but there are a few significant areas of shortfall
bull CX teams need to take a more prominent role in cyber security decision making
bull CX and IT teams need to closely integrate goals
bull CX teams need a larger cyber security budget
bull Cyber security education needs to improve for both customers and employees
bull CX teams need to find new ways of improving frustrating digital security experiences such as authentication
While there is still a long way to go it is promising that the majority of CX teams are receiving regular cyber security training The high focus on this may be a direct result of the high quantity of cyber breaches over the last few years serving as a constant reminder of the dangers posed by weak cyber security procedures
Additionally in the next few years we will likely see objectives from CX teams and IT security become increasingly aligned from CISOs taking on more customer-oriented duties to CX teams exploring innovative alternative to traditional authentication
With new data regulations to adhere to and unprecedented cyber threats on the horizon ndash such as artificial intelligence enabled cyber attacks ndash confidence can be drawn from the results throughout this survey that point towards a sector that is taking cyber defence very seriously
The way CX teams think about cyber security has changed substantially over the last few years Companies would avoid talking about cyber security as they risked portraying online transactions as taking a risk This is not the case anymore Nowadays we are starting to see organisations of all sizes ndash from financial institutions to retailers ndash taking an active role in teaching users about safe online behaviour
Today organisations and digital security teams know how most attacks function and how they are prevented However the key similarity between the most common ndash and successful ndash forms of attack is the human error element While the technology is already in place to help prevent and mitigate cyber attacks the greatest impact to protecting data is the education of employees and customers
CXNetworkcom 19
Join CX NetworkYour personal network of
27000PREMIUM MEMBERS
COMMUNITYREACH
174000SOCIAL MEDIA
REACH
13000BY RESPECTEDCX MEMBERS
Supported
CXNetworkcom 11
Do you have documented IT security procedures in place that are routinely followed and tested
Over three quarters (76 per cent) of our respondents told us that they do have IT policy procedures that are routine This figure demonstrates a responsible attitude towards cultivating a strong cyber security culture given the fact that the overwhelming majority of respondents believe they have routinely tested cyber policies in place
Ted Bardusch CISO at customer engagement hub Usermind
Given the increasing likeliness of cyber breaches cyber defence is no longer the sole domain of CISOs in consideration of the ramifications that a breach can have on customer relationship and corporate reputation Transparent communication is vital before during and following a security incident Businesses process more customer data than ever before and often this data is siloed in different departments and systems What does this mean from a security standpoint Under GDPR companies must now identify a breach in real-time discover who has been impacted and notify vulnerable individuals in three short days according to the 72-hour customer breach notification rule However without a unified customer record this becomes near impossible CX leads must be involved in security planning and preparedness efforts According to KPMG4 one in five customers will sever a relationship with a retailer after a cyber attack while one in three customers would take a long-term break To guarantee customer retention CX teams need to consider a security breach as a likely stop along the customer journey An incorrect email address or a missing point of contact could be the difference between ruining a customer relationship forever and rebuilding customer trust and driving retention following a breach
ldquo
ldquoWhen it comes to information security in your organisation do you have documented security procedures that are routinely followed and tested
77
8 8 0 8
Yes
No We have policies but theyrsquore not always
strictly tested or followed
We have procedures that we follow
but they are not always lsquoformalisedrsquo
documents
Donrsquot knowcanrsquot answer
4httpshomekpmgcomusenhomemediapress-releases201608cyber-attacks-could-cost-retailers-one-fifth-of-their-shoppers-kpmg-studyhtml
CXNetworkcom 12
Serguei Beloussov CEO of global technology company Acronis
Products and services need to be digitally secure before organisations can consider offering excellent customer service This can be difficult with legacy systems While some customers are aware of security issues and expect multiple authentications and checks others are unaware of the dangers and may simply want easy access Innovative CX teams will want to cover both groups and make all users equally secure with different types of authentication ensuring that all users receive the customer experience they are expectingMost user authentication processes are robust enough but require users to remember multiple passwords Single sign-on and facial recognition are a good alternative but require additional infrastructures such as enterprise directories and biometric validation systems While security controls reduce risks they sometimes put an additional burden on customersThe key lies in profiling the users and while setting up the product incorporating personalisation into the authentication process
ldquo
ldquoWhat are the main challenges that hinder a bigger
focus on data security within your CX strategy
54 2323 23 15
46 4623
Regional differences
Dated infrastructurelegacy systems Lack of
skilled staffBudget
Lack of understanding
C-Levelsenior management buy-in
Multiple department
input
Complicated regulationscompliance
Our research reveals that there are a few different challenges ndash of equal size ndash that CX teams face in trying to incorporate data security within their CX strategy The three biggest challenges faced by CX leaders today when it comes to their information security strategy are dated infrastructure (53 per cent) budget (45 per cent) and lack of understanding (46 per cent)
It is quite surprising to see lack of understanding make the top three when compared against other results throughout this survey This may point towards a lack of thoroughness in cyber security training regimes Conversely respondents may also feel that upper management is blaseacute in their attitude towards cyber security and lack clarity on strategy and responsibilities
As highlighted dated infrastructure and legacy systems came out on top Many organisations are bogged down by legacy systems that continue to play a key role in operations across a wide array of industries and sectors Given the nature of such systems it can be incredibly difficult to incorporate automatic cyber security protections without damaging the system in some way
CXNetworkcom 13
The impact of new data regulations Do you feel confident that you understand the changes in
data regulations and how they will affect your organisation
23 39 23 15 0Very Confident Confident Very UnconfidentUnconfidentNeither Confident
or Unconfident
The idea behind the GDPR is simple data subjects are protected from companies selling their personal data they have to be informed at all times about their rights and how to object to the processing of their personal data
Having said that many organisations are still uncertain over the changes in data regulation and how it can affect them day-to-day We asked how confident our respondents felt about new data regulations As the results show respondents are mainly confident but nearly a quarter (23 per cent) stated that they are neither confident nor confident Meanwhile 15 per cent replied that they are not confident at all
CXNetworkcom 14
When we asked our respondents how it will affect their own CX strategy, the most frequent response was that marketing outreach strategies were redesigned to comply with GDPR. A number of responses also stated that a ‘privacy by design’ philosophy was steadily being implemented, highlighting the customer experience benefit of broadcasting the incorporation of stringent data privacy in all products and services.
New cyber security procedures are constantly being created as a result of increased data regulation and governance. We asked our community members if data regulations will affect their customer experience strategy. A majority of 84 per cent stated that it would.
Organisations across all industries and sectors had to change the way they interact with customers and handle their data when GDPR was introduced in May 2018. Recital 47 of GDPR states that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. Increasing the personalisation of the customer experience can be regarded as a legitimate interest, but CX teams will have to consider if the data is being used as intended.
While some organisations view GDPR as a hindrance to the customer experience, others will realise that it raises marketing standards – ensuring that consumers who share personal information will not be punished by “bad” personalisation such as off-base emails.
Furthermore, customer data has become more difficult to obtain, so brands will have to think of new strategies that convey trust. This can come in the form of more transparent interaction regarding data security and an increasingly holistic approach to cyber security.
100 per cent of respondents state that wider information security practices will improve as a result of new regulation. This is indicative of the positive approach the CX teams are taking towards increased data regulation.
Do you believe incoming data governance regulations (like GDPR) will affect your customer experience strategy?
[Chart: Yes 85, Don’t know 15, No 0]
5 GDPR myths busted
With GDPR in place, there is a lot of chatter in the industry about what the new rules actually mean for marketers and customer experience practitioners handling personal customer data.
But what is true and what is sensationalist fiction?
At GDPR Forum, Dan Hedley, Partner, IT & Commercial at Irwin Mitchell, dived into some of the biggest myths surrounding the new regulations and, in clear terms, outlined what the changes mean for organisations having to adapt now.
1. Massive fines will bankrupt SMEs
Sensationalist headlines claim that there will be fines for small and medium-sized enterprises (SMEs) that could bankrupt their company. In reality, the huge £20m fine mentioned in the news does not affect SMEs. This is purely to warn ‘the very big corporations that are doing very bad things’.
2. You need consent for everything
Consent is one of the buzzwords thrown around alongside GDPR, and while you need consent from customers for some elements under the new law, there are a lot of ‘common sense’ things where explicit consent isn’t needed. These cover contractual necessity, legal obligation, protection of vital interests, public interest necessity and legitimate interests.
For example, if you swap business cards at a conference, it’s assumed you will contact each other, and likewise, if you’re fulfilling a contract for a client and you need to send them additional information, it’s only logical you’re allowed to do so without having explicit consent. Consent is only needed when you cannot rely on any of the above exceptions and is mostly related to direct marketing.
3. Data protection is an IT issue
There is no technology available that will make you GDPR compliant. Data protection is a boardroom issue, and while IT is involved, so are operations, HR, sales and marketing. It’s about the people and processes first. Though tech can, of course, help with particular issues such as data discovery, record keeping and security.
4. You need a Data Protection Officer
This was mentioned in an early draft of the GDPR and no longer applies to the majority of businesses. You must appoint a Data Protection Officer (DPO) only if you’re a public authority, your core activities require regular and systematic monitoring of data subjects, and your core activities consist of large scale processing of special categories of data.
Furthermore, a DPO does not have to be an employee; it can be an external consultant too. Though a lot of people are currently jumping on this bandwagon, so if you go down this route you have to make sure your future DPO has been doing this for years and not just the last few months.
5. All data breaches have to be reported within 72 hours
While this is not a straight-up myth, this is only partly true. Data breaches must indeed be reported to the Information Commissioner’s Office (ICO) by the controller unless ‘unlikely to result in a risk to the rights and freedoms of natural persons’. So if it’s encrypted, retrieved unopened (in the case of snail mail) or it involves a bunch of corporate email addresses, then you’re likely going to be okay.
The 72 hour time frame is also somewhat flexible, as the regulations state that obligation is ‘without undue delay and, where feasible, not later than 72 hours after having become aware of it’.
What can CX teams do going forward?
Litha Ramirez, Director of Experience Strategy at business consultation company SPR
With so much in the news about credit card breaches from retail sites or personal data gleaning for unintended purposes – think Facebook and Cambridge Analytica [5] – now more than ever it is important to think about cybersecurity and user experience. The ramifications of a successful data breach include loss of customers, revenue, market share and reputation. All are hard to regain, especially in a hyper-competitive global market. With so many other companies vying for your customers, the lack of strategy around the user experience of cybersecurity may result in your customers flocking over to your competitors. Getting customers on your site and accomplishing goals requires not just ease-of-use but also trust, especially when it comes to sites where personal and/or financial data is being used and stored.
If the user does not feel secure about providing personal and financial information, yet that data is required, the user will simply do their business somewhere else.
The flip side of this is that making a site and the data secure cannot be so cumbersome that the user abandons the site. There needs to be a balance between the two.
Below are four tips that can help:
• Provide the user transparency about how their data will be stored, shared and used. Include a policy on how breaches will be treated.
• Use encryption cues like HTTPS and third party security verification to signal the site’s security.
• Make sure information is written in an easy to understand language and takes no more than a couple of minutes to read. Do not obscure it in pages of legalese.
• Provide the user with opportunities to opt into the saving and sharing of data.
[5] https://www.reuters.com/article/us-facebook-privacy/facebook-says-data-leak-hits-87-million-users-widening-privacy-scandal-idUSKCN1HB2CM
Conclusion
Throughout this report, the underlying trend has been that CX practitioners are confident in the cyber security capabilities of their organisations, but there are a few significant areas of shortfall:
• CX teams need to take a more prominent role in cyber security decision making
• CX and IT teams need to closely integrate goals
• CX teams need a larger cyber security budget
• Cyber security education needs to improve for both customers and employees
• CX teams need to find new ways of improving frustrating digital security experiences such as authentication
While there is still a long way to go, it is promising that the majority of CX teams are receiving regular cyber security training. The high focus on this may be a direct result of the high quantity of cyber breaches over the last few years, serving as a constant reminder of the dangers posed by weak cyber security procedures.
Additionally, in the next few years we will likely see objectives from CX teams and IT security become increasingly aligned, from CISOs taking on more customer-oriented duties to CX teams exploring innovative alternatives to traditional authentication.
With new data regulations to adhere to and unprecedented cyber threats on the horizon – such as artificial intelligence enabled cyber attacks – confidence can be drawn from the results throughout this survey that point towards a sector that is taking cyber defence very seriously.
The way CX teams think about cyber security has changed substantially over the last few years. Companies would avoid talking about cyber security as they risked portraying online transactions as taking a risk. This is not the case anymore. Nowadays we are starting to see organisations of all sizes – from financial institutions to retailers – taking an active role in teaching users about safe online behaviour.
Today, organisations and digital security teams know how most attacks function and how they are prevented. However, the key similarity between the most common – and successful – forms of attack is the human error element. While the technology is already in place to help prevent and mitigate cyber attacks, the greatest impact to protecting data is the education of employees and customers.
Serguei Beloussov, CEO of global technology company Acronis
“Products and services need to be digitally secure before organisations can consider offering excellent customer service. This can be difficult with legacy systems. While some customers are aware of security issues and expect multiple authentications and checks, others are unaware of the dangers and may simply want easy access. Innovative CX teams will want to cover both groups and make all users equally secure with different types of authentication, ensuring that all users receive the customer experience they are expecting. Most user authentication processes are robust enough but require users to remember multiple passwords. Single sign-on and facial recognition are a good alternative but require additional infrastructures such as enterprise directories and biometric validation systems. While security controls reduce risks, they sometimes put an additional burden on customers. The key lies in profiling the users and, while setting up the product, incorporating personalisation into the authentication process.”
What are the main challenges that hinder a bigger focus on data security within your CX strategy?
[Chart: options were Regional differences; Dated infrastructure/legacy systems; Lack of skilled staff; Budget; Lack of understanding; C-Level/senior management buy-in; Multiple department input; Complicated regulations/compliance. Values shown: 54, 23, 23, 23, 15, 46, 46, 23]
Our research reveals that there are a few different challenges – of equal size – that CX teams face in trying to incorporate data security within their CX strategy. The three biggest challenges faced by CX leaders today when it comes to their information security strategy are dated infrastructure (53 per cent), budget (45 per cent) and lack of understanding (46 per cent).
It is quite surprising to see lack of understanding make the top three when compared against other results throughout this survey. This may point towards a lack of thoroughness in cyber security training regimes. Conversely, respondents may also feel that upper management is blasé in their attitude towards cyber security and lack clarity on strategy and responsibilities.
As highlighted, dated infrastructure and legacy systems came out on top. Many organisations are bogged down by legacy systems that continue to play a key role in operations across a wide array of industries and sectors. Given the nature of such systems, it can be incredibly difficult to incorporate automatic cyber security protections without damaging the system in some way.
When we asked our respondents how it will affect their own CX strategy, the most frequent response was that marketing outreach strategies were redesigned to comply with GDPR. A number of responses also stated that a ‘privacy by design’ philosophy was steadily being implemented, highlighting the customer experience benefit of broadcasting the incorporation of stringent data privacy in all products and services.
New cyber security procedures are constantly being created as a result of increased data regulation and governance. We asked our community members if data regulations will affect their customer experience strategy. A majority of 84 per cent stated that it would.
Organisations across all industries and sectors had to change the way they interact with customers and handle their data when GDPR was introduced in May 2018. Recital 47 of GDPR states that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. Increasing the personalisation of the customer experience can be regarded as a legitimate interest, but CX teams will have to consider if the data is being used as intended.
While some organisations view GDPR as a hindrance to the customer experience, others will realise that it raises marketing standards – ensuring that consumers who share personal information will not be punished by “bad” personalisation, such as off-base emails.
Furthermore, customer data has become more difficult to obtain, so brands will have to think of new strategies that convey trust. This can come in the form of more transparent interaction regarding data security and an increasingly holistic approach to cyber security.
100 per cent of respondents state that wider information security practices will improve as a result of new regulation. This is indicative of the positive approach the CX teams are taking towards increased data regulation.
Survey chart: Do you believe incoming data governance regulations (like GDPR) will affect your customer experience strategy? Yes: 85%; Don’t know: 15%; No: 0%
5 GDPR myths busted
With GDPR in place, there is a lot of chatter in the industry about what the new rules actually mean for marketers and customer experience practitioners handling personal customer data.
But what is true, and what is sensationalist fiction?
At GDPR Forum, Dan Hedley, Partner, IT & Commercial at Irwin Mitchell, dived into some of the biggest myths surrounding the new regulations and, in clear terms, outlined what the changes mean for organisations having to adapt now.
1. Massive fines will bankrupt SMEs
Sensationalist headlines claim that there will be fines for small and medium-sized enterprises (SMEs) that could bankrupt their company. In reality, the huge £20m fine mentioned in the news does not affect SMEs. This is purely to warn ‘the very big corporations that are doing very bad things’.
2. You need consent for everything
Consent is one of the buzzwords thrown around alongside GDPR, and while you need consent from customers for some elements under the new law, there are a lot of ‘common sense’ things where explicit consent isn’t needed. These cover contractual necessity, legal obligation, protection of vital interests, public interest, necessity and legitimate interests.
For example, if you swap business cards at a conference, it’s assumed you will contact each other, and likewise, if you’re fulfilling a contract for a client and you need to send them additional information, it’s only logical you’re allowed to do so without having explicit consent. Consent is only needed when you cannot rely on any of the above exceptions and is mostly related to direct marketing.
3. Data protection is an IT issue
There is no technology available that will make you GDPR compliant. Data protection is a boardroom issue, and while IT is involved, so are operations, HR, sales and marketing. It’s about the people and processes first. Though tech can, of course, help with particular issues such as data discovery, record keeping and security.
4. You need a Data Protection Officer
This was mentioned in an early draft of the GDPR and no longer applies to the majority of businesses. You must appoint a Data Protection Officer (DPO) only if you’re a public authority, your core activities require regular and systematic monitoring of data subjects, and your core activities consist of large scale processing of special categories of data.
Furthermore, a DPO does not have to be an employee; it can be an external consultant too. Though a lot of people are currently jumping on this bandwagon, so if you go down this route you have to make sure your future DPO has been doing this for years and not just the last few months.
5. All data breaches have to be reported within 72 hours
While this is not a straight-up myth, this is only partly true. Data breaches must indeed be reported to the Information Commissioner’s Office (ICO) by the controller, unless ‘unlikely to result in a risk to the rights and freedoms of natural persons’. So if it’s encrypted, retrieved unopened (in the case of snail mail) or it involves a bunch of corporate email addresses, then you’re likely going to be okay.
The 72 hour time frame is also somewhat flexible, as the regulations state that obligation is ‘without undue delay and, where feasible, not later than 72 hours after having become aware of it’.
What can CX teams do going forward?
Litha Ramirez, Director of Experience Strategy at business consultation company SPR
With so much in the news about credit card breaches from retail sites or personal data gleaning for unintended purposes – think Facebook and Cambridge Analytica [5] – now more than ever it is important to think about cybersecurity and user experience. The ramifications of a successful data breach include loss of customers, revenue, market share and reputation. All are hard to regain, especially in a hyper-competitive global market. With so many other companies vying for your customers, the lack of strategy around the user experience of cybersecurity may result in your customers flocking over to your competitors. Getting customers on your site and accomplishing goals requires not just ease-of-use but also trust, especially when it comes to sites where personal and/or financial data is being used and stored.
If the user does not feel secure about providing personal and financial information, yet that data is required, the user will simply do their business somewhere else.
The flip side of this is that making a site and the data secure cannot be so cumbersome that the user abandons the site. There needs to be a balance between the two.
Below are four tips that can help:
• Provide the user transparency about how their data will be stored, shared and used. Include a policy on how breaches will be treated.
• Use encryption cues like HTTPS and third party security verification to signal the site’s security.
• Make sure information is written in an easy to understand language and takes no more than a couple of minutes to read. Do not obscure it in pages of legalese.
• Provide the user with opportunities to opt into the saving and sharing of data.
[5] https://www.reuters.com/article/us-facebook-privacy/facebook-says-data-leak-hits-87-million-users-widening-privacy-scandal-idUSKCN1HB2CM
Conclusion
Throughout this report, the underlying trend has been that CX practitioners are confident in the cyber security capabilities of their organisations, but there are a few significant areas of shortfall:
• CX teams need to take a more prominent role in cyber security decision making
• CX and IT teams need to closely integrate goals
• CX teams need a larger cyber security budget
• Cyber security education needs to improve for both customers and employees
• CX teams need to find new ways of improving frustrating digital security experiences, such as authentication
While there is still a long way to go, it is promising that the majority of CX teams are receiving regular cyber security training. The high focus on this may be a direct result of the high quantity of cyber breaches over the last few years, serving as a constant reminder of the dangers posed by weak cyber security procedures.
Additionally, in the next few years we will likely see objectives from CX teams and IT security become increasingly aligned, from CISOs taking on more customer-oriented duties to CX teams exploring innovative alternatives to traditional authentication.
With new data regulations to adhere to and unprecedented cyber threats on the horizon – such as artificial intelligence enabled cyber attacks – confidence can be drawn from the results throughout this survey, which point towards a sector that is taking cyber defence very seriously.
The way CX teams think about cyber security has changed substantially over the last few years. Companies would avoid talking about cyber security, as they risked portraying online transactions as taking a risk. This is not the case anymore. Nowadays we are starting to see organisations of all sizes – from financial institutions to retailers – taking an active role in teaching users about safe online behaviour.
Today, organisations and digital security teams know how most attacks function and how they are prevented. However, the key similarity between the most common – and successful – forms of attack is the human error element. While the technology is already in place to help prevent and mitigate cyber attacks, the greatest impact on protecting data is the education of employees and customers.