The Manufacturer’s Guide to Building Brand Loyalty and Trust

Key Takeaways:

  • U.S. companies must follow data privacy rules, not only for legal compliance but to build brand trust and loyalty.
  • As manufacturers increasingly adopt advanced technologies like artificial intelligence (AI) and machine learning, protecting customer data becomes more essential — and more complex.
  • Key compliance gaps include outdated tracking technologies, third-party data sharing risks, data collection without clear consent, and challenges from emerging technologies.

~

U.S. companies are legally bound to follow data privacy rules and protect customer data. However, upholding data privacy standards is more than just a legal requirement; it’s imperative to building brand loyalty and trust.

As data usage continues to increase for manufacturers, protecting customer data and privacy may prove more challenging. According to BDO’s 2024 Manufacturing CFO Outlook Survey, 35% of manufacturers now use advanced analytics, including forecasting and predictive models. They are also increasing their spending on innovative technologies, such as artificial intelligence and machine learning. Additionally, 30% of manufacturers consolidate their data in a central location and share it across the organization, which can introduce security vulnerabilities.

As manufacturers continue to enhance their digital maturity through Industry 4.0 initiatives, they will need to continually refine their protection and data privacy programs.

Key Concepts to Know

Building a strong program foundation depends on two concepts: Iteration and Data Protection ‘by Design’ and ‘by Default.’

  • Iteration: Data privacy compliance is a journey, not a destination — it requires ongoing monitoring, testing, and improvement of the protection and data privacy programs that support it. Manufacturers should focus on developing an ongoing, overarching culture of compliance to enable the company to meet the demands of the evolving regulatory landscape.
  • Data Protection ‘by Design’ and ‘by Default’: These approaches are critical to building a strong program foundation. They integrate privacy and data protection practices into the organization’s activities from the beginning, which helps mitigate risk, close compliance gaps, foster trust with users and customers, and reduce the likelihood of privacy violations.

Ready to build the right foundation for your protection and data privacy program? Read on to get started.

Have You Seen Any of These Red Flags?

Before getting started with our checklist, take a moment to think about whether your company has experienced any of the following scenarios, which may be a driver for change.

  • Consumers complain about a lack of transparency in the amount of personal data you collect about them, or the ways in which you handle their personal data.
  • Your company receives a high volume of complaints or regulatory inquiries.
  • Your services or products put you in the category of high-risk controllers or processors because of the amount of personal data you collect or process.
  • Your company experienced a decline in user engagement, and it is driving a reduction in market share or brand recognition.
  • Privacy activists are filing lawsuits against your company or your peers.
  • Your industry is on the receiving end of frequent regulatory fines. This is often a tell-tale sign that regulators are scrutinizing companies within your industry, so your business should work to shore up data privacy compliance processes sooner rather than later.
  • Your company has incurred a regulatory fine.
  • Your company has experienced a data privacy breach or cyberattack.

Common Gaps in Privacy & Data Protection Programs 

While identifying privacy and/or data protection red flags may be straightforward, manufacturers need to uncover and address program gaps to strengthen their compliance. Here are four common compliance gaps to look for and address within your organization:

  1. Tracking technologies: Companies continue to struggle with tracking technology (pixels, web beacons, and cookies) compliance. We regularly see companies fined for improperly using outdated tracking technologies, writing code that leaks data, and violating regulations. Data leakage can lead to a report of a data breach with regulators.
  2. Data collection and consent: Companies must balance their need to collect personal data with clear and informed consent. For U.S. companies, this is a challenge since not all laws have caught up with consumer expectations. However, as data usage becomes more intricate and globalized, user consent is one of the most pivotal areas of privacy compliance programs.
  3. Third-party data sharing: Most privacy regulations require companies to determine whether their vendors adhere to the same level of privacy and data protection standards as the hiring company. Vendor assessments and an understanding of inward and outward data flows allow manufacturers to identify potential risks and stop sharing data with a third party if needed.
  4. Emerging technologies: Integrating innovative technologies like artificial intelligence (AI), Internet of Things (IoT), blockchain, and biometrics while maintaining privacy standards poses challenges in understanding and mitigating risks. These technologies require manufacturers to continuously reassess and update their privacy policies and practices to promote compliance and protect users’ personal data.

Building the Baseline Program

This first checklist serves as part one of a three-part series to help your company develop a privacy & data protection roadmap and prepare for enhanced regulator and stakeholder scrutiny — especially for manufacturers in the business-to-consumer category.

The items below represent baseline best practices for privacy and data protection compliance programs. This comprehensive list, while not inclusive of every possible tactic, provides a starting point to build the foundation prior to tackling more complex activities.

  • Do you have buy-in to build or rebuild your privacy and data protection program? Privacy programs require a plan, budget, and buy-in at the highest levels of the organization. Build your business case, identify an executive sponsor, and get board approval to invest in consumer data protection.
  • Do you know where your personal data resides and who has access to it? Organizing and knowing where personal data resides and who can access it or when it is shared is a hallmark of a foundational, compliant data privacy program. To start, develop a comprehensive data inventory and identify personal or sensitive data. Key steps to take include:
    • Identify data sources
    • Categorize data into personal, sensitive, and other categories to evaluate its privacy significance
    • Map the data flow
    • Determine who owns each data category and is responsible for proper handling
    • Assess data flow, transfer, and other risks associated with each category
    • Record how data is collected, stored, processed, and shared
    • Identify current organizational data practices to align with privacy regulations
    • Define retention periods
    • Understand and update access controls
    • Establish a timeline to continually review and update the inventory
  • Is data protection a priority at the top? To build a strong privacy program, data protection must be viewed as a priority. It is also important to educate the board and executive teams to ensure they understand the differences between privacy and security. Privacy and security standards and processes are both related to protection best practices but are inherently different.
    • Security protects data from unauthorized access, breaches, and cyberattacks. It allows an organization to safeguard personal data and information from internal and external threats.
    • Privacy, on the other hand, focuses on the appropriate handling and use of personal data. Privacy measures focus on minimizing the collection of sensitive and personal data, obtaining consent to use that data, and ensuring that data is used for its intended purposes.
  • Is the board engaged in privacy and data protection discussions? The commitment of the board is essential to drive reputation and trust. The board’s oversight of privacy practices helps maintain the company’s brand and credibility, reduce the risk of data breaches and their fiscal impact, and drive employee engagement in data privacy best practices.
  • Is privacy and data protection part of your corporate strategy? Privacy considerations can influence strategic decisions about product development, partnerships, and data sharing practices. Building internal and external support channels to evaluate ways to promote privacy and data protection as a differentiator helps to build the program’s business case. Treating privacy and data protection as part of the organization’s strategy demonstrates to users and consumers that the company is serious about protecting their data.
  • Are you transparent and do you share data practices with the public? Your policies around data collection and processing should be highly transparent. This means proactively sharing those policies and privacy notices with customers. Studies have shown that companies that are transparent with the public about how data is collected, processed, and shared are held in higher regard by customers and regulators.
  • Do you destroy outdated and unnecessary data? Data retention is a critical component of every privacy program because it demonstrates that you are trying to reduce the risk of data leaks and unauthorized use. Establish retention schedules and policies to determine how long distinct categories should be retained and when they should be destroyed.
  • Has your company established a breach response program and evaluated it? Data breach and incident response programs are required under every privacy law regardless of your location. Manufacturers must abide by regulations that dictate how to craft a data breach response program, from the detection of a potential breach to when the organization must notify board members, employees, and customers after one has occurred.
  • Have you appointed a Data Protection Officer (DPO)? It is likely that a DPO is required in regions where you sell or operate. Review regulations to determine locations where you are required to have a DPO and identify regional or local in-country appointments. A common approach our clients find useful is to appoint a Global DPO with in-country or regional appointments to offset time zone, language, and cultural challenges.
  • Are employees required to complete privacy, security, and data protection training at regular intervals? At this stage, it is critical that companies establish data privacy awareness and training for employees. Guarding customer data is the responsibility of everyone at the organization so it should be part of regular training, awareness campaigns, and individual goals.

Going Beyond the Groundwork

This checklist can help you build the foundation for a privacy and data protection program that helps restore trust with your stakeholders, employees, and customers.

In our next checklist, we’ll provide guidance on how to evolve the steps from the foundational stage, looking at tactics such as establishing a Data Protection Committee and finetuning employee training programs.

How MGO Can Help

The manufacturing and distribution industry is marked by dynamic complexity and evolving opportunities. With these opportunities come challenges surrounding customer privacy.

To maintain brand loyalty through data security, MGO offers tailored solutions through cross-functional teams to help you navigate the data protection issues of today and position your company for lifelong customer loyalty. We can work with you to strengthen your network security, guide your employee education and training, establish compliance programs tailored to your industry, assist with enhancing the security of your manufacturing equipment and infrastructure, and more.

Maintain the integrity of your customers’ data and keep your operations running smoothly. Reach out to MGO today for support.


Written by Val Laufenberg, Maurice Liddell and Bill Pellino. Copyright © 2024 BDO USA, P.C. All rights reserved. www.bdo.com

How a Cyber Maturity Assessment (CMA) Can Help Protect Your Government Against Security Threats

Executive Summary:

  • Cyber threats are increasingly elevating data and infrastructure risks for state and local governments. Proactive security standards and assessments can strengthen governmental defenses.
  • Cyber Maturity Assessments (CMAs) evaluate preparedness to safeguard against, detect, isolate, and respond to system threats holistically across staff, procedures, and tools.
  • Conducting a CMA can provide governments strategic advantages, such as: gauging risk management capabilities, fostering a security culture, mapping regulatory requirements, adapting to the evolving threat landscape, and informing cybersecurity strategies.

~

Cyber threats grow more sophisticated every day, increasing risks to sensitive data and critical services at the state and local level. With public-sector cyberattacks on the rise, today’s governments need to reinforce their cyber defenses to protect government operations and maintain constituent trust.

In the realm of cybersecurity, staying ahead of the curve is not just advisable; it’s imperative. In 2016, the Department of Defense (DoD) introduced a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS). This rule mandated new cybersecurity safeguards and cyber incident reporting for controlled unclassified information (CUI).

Transitioning from DFARS, the DoD has now developed the Cybersecurity Maturity Model Certification (CMMC), a framework designed to enhance the cybersecurity of government contractors. While state and local governments are not beholden to the CMMC, your team can still benefit from embracing CMMC standards and proactively developing comprehensive security programs.

5 Benefits of a Cyber Maturity Assessment for Your State or Local Government

To check your government against CMMC standards, a powerful tool you can employ is a Cyber Maturity Assessment (CMA) — which examines your organization’s overall preparedness to safeguard against, recognize, isolate, and react to cyber threats that could compromise sensitive data and systems. Analyzing more than just adherence to regulations, a CMA is a holistic analysis of people, processes, and tools that assesses the entity’s broader cyber risk exposure and defenses.

Here are five ways a CMA can be a trusted ally in fortifying your cybersecurity defenses:

1. Risk Management

The CMA framework addresses the crucial question: Is your organization equipped to navigate evolving risks effectively? With the assistance of CMA, state and local governments can gain insights into the maturity of their current processes and mechanisms. This empowers them to make informed decisions on risk mitigation strategies, ensuring a robust defense against emerging cyber threats.

2. Strengthening Security Culture

Promoting a culture of security and privacy by design is paramount in today’s digital landscape. CMA serves as a catalyst in fostering this mindset within organizations. By assessing the maturity of security practices, it enables state and local governments to identify areas for improvement, laying the foundation for a resilient security culture.

3. Understanding of Multiple Regulatory Requirements

Navigating the complex web of regulatory requirements is a challenge for any government entity. CMA provides a comprehensive understanding of an organization’s capabilities to meet controls-based regulatory requirements. This not only ensures compliance but also establishes a framework for efficient regulatory adherence, minimizing vulnerabilities.

4. Proactiveness in an Ever-Evolving Cybersecurity Landscape 

As cyber threats continue to grow in scale and sophistication, organizations must be proactive in adapting to the evolving landscape. CMA equips state and local governments with the foresight needed to stay ahead of cybercriminals. By identifying potential threats and vulnerabilities, organizations can implement strategies to drive growth and transformation while safeguarding their digital assets.

5. Determining Considerations for a Cybersecurity Strategy 

Crafting an effective cybersecurity strategy requires a deep understanding of an organization’s capabilities and potential areas for improvement. CMA assists in identifying key considerations for a cybersecurity strategy, ensuring that state and local governments can rapidly adapt to the dynamic cybersecurity landscape.

Employing a Methodical Approach to CMA that Delivers Actionable Insights

Conducting a productive CMA that yields meaningful insights requires experience with security frameworks and familiarity with the latest threat trends impacting state and local governments. At MGO, our Technology and Cybersecurity Advisory (TCA) team approaches each CMA engagement through a consistent methodology focused on mapping security practices to leading industry standards, evaluating core capability areas, and developing practical recommendations tailored to the organization. 

Key elements of MGO’s CMA methodology include:

  • Utilization of NIST Cybersecurity Framework (CSF), ISO 27001 or CIS Controls as a Baseline – The TCA team will help you identify current gaps in the security of information assets and determine potential opportunities for improvement relative to your organization’s size and stage in the lifecycle.
  • Focus on Key Cybersecurity Capabilities – Emphasizing key cybersecurity capabilities including governance, detection, prevention, response and legal compliance, the TCA team will assist in aligning and mapping these capabilities against industry standards.
  • Recommend Prioritized Areas of a Management Action Plan – The TCA team will assist you in identifying key areas of improvement and provide a risk-ranking to help prioritize moving forward.
  • Maintaining Continuous Improvement – Instituting a recurring cycle of assessment and improvement is crucial, as cybersecurity maturity is a dynamic process that must adapt to evolving threats and business needs.

How We Can Help You Achieve Your Cybersecurity Goals 

Our highly skilled team delivers in-depth cybersecurity and business knowledge that translates to outside-the-box thinking and practical recommendations. We will work with your team to conduct deep-dive walkthroughs and technical testing to help you manage potential cybers

Cybersecurity Culture: Empowering Your Employees

by Joshua Silberman, IT / Cyber Security Consultant, MGO Technology Group

Are your employees comfortable telling leadership about a potential problem at your company? Now ask yourself, are they comfortable telling leadership about a potential mistake? A large number of today’s cyberbreaches begin as the result of an innocent mistake by an employee. It might be sharing a password over an unprotected medium, a nefarious actor grabbing a picture of an employee’s laptop screen while they are working in public, or, most commonly, an employee clicking on an innocuous-looking link in a phishing email. What most employers may not realize is that many employees’ common sense regarding breaches is actually pretty good. At the very least they will suspect that something is amiss, which could be the first step in detecting a potential breach. Empowering your employees to actively look for, and report on, potential breaches goes a long way toward helping your organization build a strong cyber security culture.

Creating a positive cyber security culture

The first step is to educate your employees on what to look out for when it comes to cyber and information risk. Many firms employ some form of basic cyber security training, mostly at the time of on-boarding, but training usually ends there. Cyber security is an ever-shifting landscape where threats are always evolving. This is why it is important for firms to enact a year-round cyber security awareness program based around employee activities. A good employee-based cyber security awareness program will be light on technical jargon and focused on highlighting the vulnerabilities of the processes and systems that all employees use in their day-to-day work, such as instant messaging, answering e-mails, browsing the web, and sending documents through authorized and unauthorized means of file sharing. There is no great need to get into the technical details of how an attack might happen; rather, acknowledge that the danger is out there and focus on what employees can do to look out for potential dangers, such as noticing strange URLs and suspicious e-mail attachments from unrecognized senders. Consistently educating employees on current cyber threats and methods will give them the tools to identify a threat and be proactive in helping your company stop it.

Encouraging active breach and threat reporting

Training employees to spot the dangers is only half the battle. The other half is generating an effective reporting culture. No cyber security strategy is complete without a good cyber security reporting culture that puts a premium on reporting potential breaches. Here are a few suggestions to create a positive culture of reporting:

Have the team that provides your first-level IT support lead the awareness/education sessions, as they will most likely also be the first point of contact for reporting potential breaches. The sessions can be developed by an outside consultant or an internal cyber security professional, but building a rapport between those who should be reporting the incident and that first point of contact gives your employees confidence that they are reporting the issue to the right group in the correct way.

In training, the IT support staff should make clear that reporting a threat is NOT a burden and that employees should err on the side of caution. If an employee receives an e-mail they find suspect they should not hesitate to contact their IT department through the designated reporting means.

Everyone from the organization must know and believe that the consequences of reporting a potential mistake will not be dire. Beyond feeling comfortable reporting suspicious activities, employees must also feel comfortable in reporting suspicious behavior that might be a direct result of their own actions. If an employee feels that admitting a mistake will be detrimental to their career they will keep quiet and a potential breach oversight could occur. Admittedly, this strategy carries some risk as you do not want certain behaviors to be consequence-free. However, the scope of consequence must be weighed against the actual action.

For example, an employee need not be officially reprimanded for admitting to clicking on a suspicious link and reporting it, but it would be prudent for the IT support staff to point out what could have been done differently to avoid the infraction. If the employee becomes a repeat offender, then a more formal process might be warranted. Until then, simply pointing out the issue should be enough to change behavior while maintaining a culture where employees are not fearful of bringing an issue forward.

Strong and proactive cyber security culture starts at the top

When setting the company’s cyber security policy, upper management must keep an eye toward the employees who perform the day-to-day actions of the company. Clear signals to say something if you think something is wrong can go a long way toward changing your company culture. Having a strong IT or cyber security group is simply not enough when your own staff could unknowingly be your cyber Achilles’ heel. There is a saying in cyber security that “every employee is a potential vulnerability.” However, if trained and leveraged correctly, your employees can also act as another safeguard, actively working to protect your information technology environment.

If you have any questions or would like support developing and implementing an effective cyber security program, reach out to the MGO Technology Group for a consultation.