Major players across a variety of consumer-facing industries have been targets of cyberattacks in recent years (e.g., Anthem, Sony, Target, Home Depot). The security of consumer data is therefore rapidly becoming an issue that companies have to prioritize not only in their cybersecurity/IT infrastructure agenda but also in their public relations efforts. As consumers become more aware of the type and amount of data stored about them, and of the sheer number of privacy breaches, they are increasingly skeptical of how seriously companies take their responsibility for that data and of the preventive action they actually take.
The court of public opinion becomes increasingly expensive for organizations that do not invest in cybersecurity
By mid-2018, according to Ovum's data sovereignty survey, 77.6% of regulated/sensitive data will be held in cloud applications and 70.5% in mobile applications. The influx of sensitive data across enterprise operations, healthcare providers, and government operations, alongside unregulated employee access to consumer data, makes security much harder to achieve. Global security practices need to improve – only 44% of Ovum survey respondents monitored user activity and had policy-based triggers and alerts in place, and only 53% classified their information assets to facilitate controls.
Many companies factor in only the legislative risk of fines when deciding against investing in cybersecurity systems and measures – over 50% of survey respondents plan simply to pay these fines, and they often discount the associated cost to their brand image when making budgetary decisions about security. Furthermore, consumer awareness of companies that maintain data profiles for monetary gain is growing – a cyberattack on one of these companies may be scrutinized more severely by the public, often causing irreversible brand damage.
Vulnerabilities can arise from both improper training and system issues, and the average time to detect and remediate a breach is approximately 200 days. Vulnerabilities that were manageable but left unaddressed, combined with long remediation timelines, will make consumers increasingly averse to the affected companies. As consumers – who are already increasingly concerned with data privacy – become more aware of these issues through growing media and political coverage, they are more likely to view these breaches as direct, preventable violations of consumer trust rather than as minor business lapses. The total cost of a data breach over a three-year span, for example, must also count the fiscal damage to more intangible assets such as brand goodwill, which adds to the long-term expense of a breach.
Even if a business adopts the best technology and usage practices to prevent a breach – continual monitoring, comprehensive training, and investment in up-to-date technology – breaches are bound to happen. They can be caused by anything from simple off-the-shelf malware to well-resourced advanced persistent threats. The quickest way to mitigate the legislative and public-facing risks is to adopt a balanced, responsive, and transparent approach. Common steps include advising affected users about identity theft and the regular need to change their credentials, as well as addressing industry regulation issues. While the legal risks of disclosing before remediation is complete are an important consideration, many class-action lawsuits are predicated on the abuse of, or harm caused by, the acquired data – both of which can be reasonably mitigated by fast and transparent disclosure.
Data Privacy Legislation Impact on Enterprises, IT0018-001493 (April 2016)
Framework: Dealing with a Cyber-Security Breach, IT0022-000621 (February 2016)
Rishi Kaul, Research Analyst, Information Management