Organizations around the world continue to see a strong return on investment from putting resources into privacy, according to a new report from Cisco Systems.
“Privacy’s Return on Investment (ROI) remains high for the third straight year, with
increased benefits, especially for small-to medium-size organizations and higher ROI
for more privacy-mature organizations,” says the report, which was based on a survey of 4,900 respondents in 27 geographies who indicated they are familiar with the privacy processes at their organizations..
Asked to estimate the financial value of the benefits from their privacy investments, the average estimate was up three per cent from US$2.9 million last year to US$3 million
in 2021.
Smaller organizations saw the largest percentage increases. Those with between 50 and 249 employees estimated the value of their privacy investments at US$2 million, up from $1.1 million the year before. Those with between 250 and 499 employees estimated the value of their privacy investments at US$2.5 million, up from US$1.9 million. Benefits at organizations with 1,000 to 9,999 employees remained constant at US$3.4 Million and at the largest organizations with more than 10,000 employees, estimated benefits fell slightly from US$4.0 million to US$3.8 million.
The report was released Wednesday to coincide with Data Privacy Week. A number of privacy and security firms also released comments this week.
Data Privacy Week is a time for organizations to set goals for implementing best practices that improve data protection and cybersecurity, said Karen Worstell, senior cybersecurity strategist at VMware. These include robust vulnerability management, implementing multifactor authentication, threat hunting, and network micro-segmentation, among others.
Data privacy is becoming more important due to the increase in data risk and loss of business information, noted Adrian Moir, technology strategist and principal engineer at Quest Software. With critical vulnerabilities found last year in Microsoft Exchange, Kaseya VSA, and in Log4j, organizations are recognizing the business need for data privacy. Looking toward the future, we’re likely to see the way data is perceived, used, and regulated will become more refined, he said.
Trend Micro urged organizations to beef up their data privacy by patching systems and networks, educating employees about data threats and how to handle an attack, regularly performing security audits and creating an effective disaster recovery plan.
“It is far easier to break trust than to build it, or rebuild it.,” noted Tim Mackey, principal security strategist at Synopsys Cybersecurity Research Center. “Trust is effectively a series of small successes that in the aggregate represent the value of a brand. A business that only requests a minimum of data from their customers and only retains it for the minimum time period required to satisfy the customer’s expectations reduces their potential exposure should a data breach occur. After all, the only data contained in a data breach is data that was available to breach, so it stands to reason that an abundance of customer data and profiles increases the interest cybercriminals might have in targeting specific businesses.”
With data breaches becoming more frequent, Data Privacy Day is an excellent time for individuals and businesses to reflect on their current privacy practices and ensure they are building the safest habits to protect themselves and their company from cybercriminals, said Geoff Bibby, SVP of small and medium-sized business and consumer strategy at OpenText.
“Understanding how your data is being used is the first step, but actively securing your data is the most important step. Organizations and users should evaluate their current authentication practices to ensure they are building the safest habits to protect themselves and sensitive data from bad actors. It is critical that authentication controls are not only in place, but that organizations take it a step further by deploying two-factor authentication (2FA). Implementing 2FA provides an extra layer of security by making users confirm their identity, most often via a unique code sent to the user’s device, email address or through an authenticator app, after entering their username and password.”
Data Privacy Day serves as an important reminder for organizations across industries to ensure they are taking a proactive approach to governance, risk and compliance to keep employee and customer data out of the hands of bad actors, said J.P. Perez-Etchegoyen, CTO of Onapsis. This includes making certain security teams have complete visibility into business-critical application security, including apps delivered through SaaS, PaaS, and IaaS cloud service models, he said.
“Employees are a company’s greatest asset when it comes to privacy practices, said Sharron Reed Gavin, Contrast Security’s data privacy officer. “They are the eyes and ears, common sense, and practical intelligence of any great company. The winners in every sector will be the firms that are best at automating their business and implementing the most proactive security and privacy defenses.”
The most important aspect of data protection is how quickly lost data can be recovered should the worst-case scenario happen, said Darren Yablonski, Senior Director of Sales Engineering leading teams in Canada, U.S. and LATAM at Commvault.
To ensure data can be quickly recovered, businesses should make sure their data protection platform is up to date and adopt new capabilities that vendors are bringing to market to avoid data falling through any gaps of of legacy solutions. Adopting a zero-trust approach to security, only allowing employees access to areas they need to do their job, having air-gapped solutions for most critical assets, and using multi-factor authentication, are just a few examples of what businesses can also do to protect their data.
In its report, Cisco recommends organizations:
- continue to build privacy capabilities throughout the firm, particularly among security and IT professionals and those who are involved directly with personal data processing and protection;
- be transparent about how personal data is being used by the products and services the organization delivers. “Customers want to know — and be reassured — that their data is not being abused and used in ways they don’t expect, know about, or understand;
- proceed carefully and thoughtfully when using personal data in AI and automated decision-making that materially affects customers. Designing and building with an ethical framework by design, establishing governance and oversight over your AI program, and providing transparency on when and how you are using automated decision-making are all positive steps organizations can take;
- invest in privacy – it pays off.