When it comes to Software-as-a-Service, it’s great to have a Trust Centre on your site that details how you handle people’s data and how you secure it. It’s meant to instill some peace of mind that your data and the systems that you’re using are safe as houses and on the “up and up”. There are, however, catches to a Trust Centre. Wording on these pages can put even some of the worst legal contracts to shame with their double speak, and in this article I detail some of the worst offenders I’ve seen recently (and why). For the general public, I hope this is educational, and for privacy and cyber professionals, I hope you get as good a (horrified) laugh out of these as I did. And no, I will not be naming and shaming the offenders, as they have all been contacted separately.
“Our login requires knowing both the email address and password, which is two-factor authentication”
Eek, that’s a hard “no”. This is not two-factor authentication. Multi-factor authentication generally refers to a combination of the following: something you know, something you have, and something you are. Something you know could be a password. Something you have could be a mobile phone that receives a text. Something you are could be your fingerprint. Combining two of those is two-factor authentication; an email address and a password are both things you know, so what they have described is simply a password.
“We use Amazon Web Services (AWS), so you can be assured that all your data is safe in the Cloud.”
This is a statement that I see regularly. Using AWS is good: they are reputable, hold many security certifications, and offer a great service. What they don’t do, however, is manage the security of what a service provider puts into AWS. AWS is simply the platform, and security resides on two levels: the platform, and the software provider’s own configuration and application. If the software provider incorrectly configures something, or simply doesn’t do what they’re supposed to, Amazon’s certifications mean precious little and security can be compromised.
“Our clients lock their USB to ensure data cannot be exported from the computer.”
Wait, what? Did they just put their clients’ security controls as their own Trust Centre line item? They did. This, in my opinion, actually highlights a security risk on the provider’s part. It means that you can get data out of the system, and it’s up to YOU to secure it, instead of the system having better controls to prevent exports.
“We encrypt over HTTPS, your activities are as secure as internet banking.”
This is misleading; a lot more goes into security. HTTPS is a good thing, but it only means that the communication between you and the service is supposedly as secure as internet banking. It says nothing about securing the rest of the system from end to end. There’s a lot more to securing a system than just the communications channel.
“We hired [insert huge cybersecurity firm name here] to perform a penetration test.”
And…? Were the findings mitigated? When did you last do this? Is it run frequently? Specifics in a Trust Centre are good. You really do want to do penetration tests and vulnerability assessments, but you want them to happen on a regular basis.
And the worst contender:
Straight-up copying the Trust Centre of another well-known company in another country, and forgetting to remove the original company’s logo or name.
I can’t even begin on how bad this is. Suffice to say, I will not be trusting them.
I strongly believe that a Trust Centre, when done correctly, builds trust in a provider. But if you get it wrong, it can be terribly damaging. I have helped many clients set up Trust Centres over the years, and for every one we make sure that what we are saying is the truth, can be backed up with evidence, and is worded well to reflect the actual controls (without giving away security posture). If you need help setting up a Trust Centre for your company, give me a shout and I’d be happy to lend a hand.
Ross G Saunders Consulting offers a number of solutions that can drive your compliance, from affordable 16-week group coaching programmes to comply on your own, through to advisory retainers and full programme management. To find out more about the offerings available, book time directly with Ross using the calendar below.