Trust

Last Updated: 2nd September, 2016 (RSS)
Analyst Coverage: , , ,

Trust can be defined as belief in the reliability and integrity of something or someone. Trust is essential for organisations and the commercial transactions they make. It underpins many aspects of the business. Every organisation must engage the Trust of its employees, customers, business partners, investors and other stakeholders, in order to be successful. There are many, overlapping, necessary conditions for Trust.

Security is necessary for Trust, but it is not sufficient.
In order to maintain a state of Trust in its business systems, as a basis, an organisation must be able to Trust that sensitive information is adequately protected. It must ensure that only those with the appropriate access rights are able to access data so that they cannot be compromised. People associated with the organisation must be able to Trust that their information and privacy are adequately protected. Organisations need to be able to determine who to Trust, and how to establish that Trust. They need to put in place and maintain security controls to ensure that that Trust is protected. That information must also be protected from external threats in the light of ever-more determined attacks using increasingly sophisticated tools and tactics to harm the integrity of networks and to extract information from them. Security is thus one cornerstone of Trust—but there are others.

Effective governance, and quality management are necessary, but not sufficient, for Trust
Similarly, effective governance, risk and compliance programmes are necessary, but not sufficient, for maintaining a state of Trust. Regulations, other mandates and governance frameworks continue to evolve and are becoming increasingly prescriptive. Regulatory requirements relating to the protection of data and privacy are becoming ever more stringent. Any organisation shown to be non-compliant faces loss of Trust among all its stakeholders, which can hurt business reputations and even lead to financial ruin.

The quality of automated systems also impacts Trust. You don't trust a system that isn't available when you need it, and which makes mistakes when processing your data, for example; and this loss of Trust extends to the parent organisation.

Corporate policies can contribute to Trust and will govern how data should be handled with respect to accuracy, timeliness, completeness and appropriateness, and what security controls should be applied, such as implementing privacy requirements for personally identifiable information. They also translate regulatory retention requirements into internal policy, but policies are only as good as their enforceability. People need to be trained regarding what is expected of them and processes and procedures need to be developed to manage and monitor them.

Effective data and information governance are necessary, but not sufficient, for Trust
Data and information governance are Trust issues (such as data governance and information governance). Organisations rely on data and information to drive effective decision-making. If there is doubt that the accuracy, reliability and integrity of that data is trustworthy, unacceptable levels of risk can be introduced. This includes all sorts of information, from individual documents to information stored in databases. Some regulations already point to the need for data accuracy and completeness and it is likely that more governments will start to mandate such controls. Documents are routinely used as vectors in advanced targeted attacks and documents and their contents must therefore be adequately controlled, in such a way as to engender Trust in information and to defend against security breaches.

Infrastructure resilience is necessary, but not sufficient, for Trust
Organisations need to create a trustworthy technology infrastructure environment so that we can Trust the information we consume, as well as the systems that deliver it. Fundamental systems must be trustworthy, from network traffic and data management systems to all the devices and technology delivery systems connected to networks. Even the non-availability of a system due to technical failure (as opposed to malicious attack) has an adverse impact on Trust. Constant vigilance is required to ensure that all systems are maintained at an appropriate quality level; are up-to-date and patched; and with networks continuously monitored for abnormal behaviours. This creates an environment of trustworthiness.

Ethics, the missing factor, necessary and almost sufficient
An organisation will find it hard to engender Trust, no matter how good its security technology, governance, quality and compliance procedures, if it doesn't fundamentally take an ethical position; and if this isn't reflected in its policies and procedures. If a company has a good ethical position with respect to all of its stakeholders, the cornerstones of Trust listed above follow more-or-less automatically. Many companies, however, only pay lip-service to ethics.

To take just one example, the banking industry is generally implementing good security practices, but it isn't well-trusted by its customers (see here, relating to online businesses generally), perhaps because so many press reports (and court cases) show it to be untrustworthy in practice.

You should care about Trust because it enables the Freedom for people to work in whatever way is best for business outcomes and for their own welfare. It is enabled by the transparency provided by Actionable Insights.

It is becoming an up-front business issue as new business practices emerge, where participants can't fall back on long-established business practices and supportive (and fully aware) business cultures, to support the maintenance of Trust. Emerging technologies that impact Trust include:

  • The emergence of personal mobile devices - Bring Your Own Device/Interface; these are new, and possibly less well understood, technologies; supporting novel and less mature business models;
  • Asynchronous automation technologies (without transaction-based commits), needing more complex remediation;
  • Better communications, eroding any physical differentiation between 'insider' and 'outsider' parties (an organisation's perimeter runs through the desks or smartphones of its customers or partners);

At the same time, criminals are becoming more sophisticated, using novel ways to exploit Trust exposures and more computer-literate employees are increasing the insider threat (trusted employees misusing that Trust).

Never overlook the fact that Trust is a people thing, more than it is a technology thing—social engineering is well understood by criminals and is being used to corrupt or mislead trusted employees, which can fatally compromise Trust.

Even, technology can enable Trust—or be used to help subvert it. The technology people use for business is increasingly complex. Essential internet infrastructure services are being increasingly targeted, including web hosting, attacks against the DNS infrastructure and data centres, including those used to run internet operations. The extreme interconnectivity promised by the Internet of Things will only make the complexity, and the risk, worse.

You need to care about Trust because the expanded threat surface and reliance on external services and devices means that centralised organisational control is being eroded—and, with it, the automatic Trust that can be placed in a known business partner and its data, information data and employees.

Growing threat complexity
Opportunistic attacks launched en masse are still an important part of the threat landscape, but their importance is dwindling as targeted attacks provide potentially much higher gains. Targeted attacks target specific individuals, using them to gain a foothold into an organisation and as a conduit for finding bigger targets. Obviously, if people inside an organisation are compromised then so is the Trust between employees and employer; and if the objective of such attacks is to steal from the organisation or its customers, external Trust between an organisation and its customers/partners can be damaged.

Threats that can directly impact Trust include:

  • Compromised websites used to lure individuals into releasing personal or confidential information. Typically, 'watering hole' attacks (websites often visited by target individuals or groups are seeded with malware) and malicious messages containing the URLs of corrupted or dangerous websites are employed to subvert Trust.
  • Documents with tainted attachments that are highly tailored towards individuals continue to be a favoured method of attack.
  • Ransomware (malware that causes damage that can be removed if you pay for a 'security tool' from the criminals that caused the damage in the first place) is increasingly being used to target not only individuals, but also organisations. Such malware, along with the growing use of DDoS (distributed denial of service) attacks, can cause extensive business disruption and can also disguise more subtle attacks.
  • Hacktivists (with a political or moral agenda) are an increasing problem; and cybermercenaries for hire are emerging. Nation states are increasingly being seen as a threat (the US and Israeli governments, and others, are known to have created malware specifically to target their enemies) and intelligence surveillance, or industrial espionage (is there a difference?) is rife. Many countries are known to be creating militaristic cyber capabilities, sometimes at the expense of regular military expenditures. Organised criminal groups are increasingly organising themselves on the lines of large corporations—well-resourced and with real business objectives. Just using technology from a particular country, or being subject to a country's laws, can compromise Trust and it is becoming ever harder to know who to Trust in cyberspace—with huge implications for eCommerce.
  • The insider threat continues to be an increasing menace and perpetrators often see themselves as acting morally (the WikiLeaks and Edward Snowden exploits are well known). The nefarious antics of governments, and the US government in particular, have catalysed a general erosion of Trust related to trusted insiders. And, of course, the leaking of information has huge implications for Reputation Risk, partly because leaks are seen as very newsworthy, which, in turn, affects Trust (and, sometimes, the consequent implications of untrustworthiness are entirely justified).
  • Poor or insensitive management practices can result in a lack of Trust between employer and employees, in both directions, and this contributes to the insider threat.

When business increasingly depends on software and eCommerce, it can't rely on long-established people-related Trust regimes developed when the business operated face-to-face, using paper, any more. The Trust which (generally) has been a feature of manual commercial interactions in the past has to be implemented similarly for the future eCommerce world, with its different cultures and threats. This may not be a trivial exercise.

The bottom line: Trust is hard to engender and easy to lose
In short, without the proper controls, transparency and ethical standards in place, nothing and no-one can or should be trusted blindly. The stakes are too high. On the other hand, controls applied with a heavy hand, without consultation with stakeholders and without their informed consent, can rapidly erode Trust.

Often, when technology is changing rapidly, controls simply can't keep up; and participants haven't had time to build up the familiarity and knowledge which partly underlies Trust. In these circumstances, Trust can disappear, for all stakeholders, very quickly.

Also, a state of Trust that took years to build up can be lost in days, after a deliberate exploitation of Trust or a mismanaged incident which stakeholders see as making their Trust unwise. And yet, no business can operate effectively without Trust between all of its stakeholders—employees, customers, regulators and so on.

People-centric automation
Today’s extended enterprises require new Trust models to be generated. They need to be focused on the users of systems in a more people-centric manner and should follow data as it flows around the organisation and out of and into it, as it is used by people. Static controls tied to the systems themselves are no longer enough, especially when systems are increasingly built up from virtualised cloud services.

Trust decisions need to be context-aware—not just based on who the user is, but where they are and what access device they are using, and whether those resources are provisioned internally or sourced from a third-party cloud provider. Context defines different Trust levels—for example, an employee accessing resources from inside the firewall could be deemed to be more trustworthy than a contractor using a mobile device over an unsecured WiFi connection—and appropriate security controls can be applied according to perceived trustworthiness levels. The sensitivity of the resources being accessed provides another dimension to Trust levels, so access to highly sensitive data could be prevented where trustworthiness is perceived to be low, unless extra safeguards are implemented.

A more granular Trust model, based on who people are and what they are doing (their behaviours), backed up by the transparency provided by sensitively-implemented {page:Actionable Insight:Big Data analytics}, will enable organisations to benefit from the business flexibility that new technology developments can support.

Building in Trust by design
Engendering Trust around new technologies and technology delivery mechanisms involves building in Trust as part of the system design. In terms of data governance, it is essential that organisations put in place controls so that they know what data is in use, where it originates, how it flows across systems, who uses it and where it is stored.

Similarly, Configuration Management (managing, across time, what you have, who's using it and how it is configured) supports Trust. Regulations increasingly demand that organisations have demonstrable processes in place for data validation and traceability, in order to verify the accuracy, history and origin of data. Continuous monitoring of network systems and the endpoints that connect to them is becoming a key capability for meeting both data governance, and governance, risk and compliance objectives. It is part of the assurance that policies are being enforced and audit trails generated appropriately.

Transparency
Mostly, what people do in the open can be trusted—obfuscation and secrecy damages Trust. Fundamentally, big data analytics—{page:Actionable Insight:Actionable Insight}—supports transparency. Nevertheless, if it is implemented insensitively (as a technology control rather than as a people-support thing), it can actually damage Trust.

Similarly, sensitively-implemented security controls, such as identity and access management controls, based on context, that allow for federated identity and single sign-on, incorporating one-time passwords and strong authentication for transactions requiring higher levels of Trust or for allowing access to lesser trusted users, can enhance Trust. However, if implemented as Big Brother controls, they can destroy Trust. Location-based controls can give more context to Trust-based decisions, and make them less intrusive.

Trust and transparency must be implemented as part of a supportive, people-centric culture—and an old-fashioned 'blame culture' is not a fertile ground for Trust.

Remediation responses to Trust failure
To ensure the integrity and therefore trustworthiness of resources you must be able to respond to Trust-related incidents as they occur so that Trust can be restored. External or perimeter controls should be linked to people-focussed remediation systems that can make use of Actionable Insights from big data security analytics tools, so that potential Trust-related incidents that do occur can be flagged and remediated without destroying Trust, promoting general transparency of operation.

However, organisations must think beyond technology for analytics and controls. To enable Trust, they need to build an organisational culture that encourages ethical conduct, which discourages the 'insider threat', and which allows employees to believe that they can report problems within the organisation, rather than having to resort to whistle-blowing, with its implications for 'reputation risk' and consequent lack of Trust.

Continuing education
Employee training and awareness of issues that could negatively impact Trust is another important part of ensuring Trust. Education is how a company makes its ethical position clear and inculcates ethical behaviour in its employees.

Education should be provided continuously, especially given the ongoing evolution of technology, business models and the threat landscape, not seen as a one-off thing. External stakeholders such as partners and customers are part of the Trust equation and, while these stakeholders are hard to train explicitly, Trust can be engendered by automated systems that keep them fully informed and are transparent and easy to use.



Further Information (Icon) Further Information

Further resources to broaden your knowledge: