Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

4/16/2019
02:30 PM
Marc Wilczek
Marc Wilczek
Commentary
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail vvv
50%
50%

Benefiting from Data Privacy Investments

GDPR-ready companies experience lower overall costs associated with data breaches, research finds.

Millions of people continue to be flummoxed and frustrated by the much-publicized leaks of their personal information from the likes of Marriott, Facebook, and Equifax, to cite three recent examples. Such data breaches are causing companies and organizations everywhere to re-examine the things they procure, the services they use, the individuals they hire, and the people and firms with whom they partner and do business. Across the board, organizations have sunk money into staff, strategies, and equipment to comply with new, tighter customer privacy rules and sidestep major fines and other penalties.

On May 25, 2018, the EU's General Data Protection Regulation (GDPR) took effect, and other privacy laws and regulations worldwide are evolving and expanding. Cisco's 2019 Data Privacy Benchmark Study details how scores of organizations are having a hard time meeting all the demands of the new regulatory regimes — and the ones that took early action to address security concerns are seeing positive results from their investments.

GDPR Readiness
Data privacy is now a topic of discussion in corporate boardrooms, and clients, vendors, and other business partners are all paying more attention to how well the companies they patronize and work with safeguard private information. If a company doesn't measure up, those groups may look elsewhere.

Interestingly, however, a mere 59% of the respondents in the Cisco survey said they are measuring up to most of GDPR's requirements. Twenty-nine percent indicated that they would be GDPR-ready within 12 months, while 9% said it would take them more than a year.

The respondents also identified their biggest hurdles in terms of getting ready for GDPR. The top five challenges were data security (cited by 42% of respondents), internal training (39%), ever-changing regulations (35%), and privacy by design requirements as well as meeting data subject access requests (each at 34%).

"Data privacy risks have become a major issue for most businesses. Many companies are preparing for data privacy litigation. Having a defense strategy in place can be a huge benefit," says Tim Wybitul, partner in Latham & Watkins' Frankfurt office. "For instance, you can determine roles, press communication and a process in advance," he adds.

Sales Delays Due to Privacy
The survey also asked participants whether their customers' concerns about data privacy was slowing down or delaying sales cycles. Some 87% replied in the affirmative, saying that the slowdowns stemmed from worried customers or prospects. This is a much higher figure than the 66% of respondents who reported the same delays in the 2018 survey, but this shouldn't come as a big surprise given the ink that's been spilled on the importance of data privacy, GDPR, and the onset of new privacy regulations and requirements.

Roughly half (49%) of the respondents said that their sales-cycle delays stem in part from having to look into specific requests from customers who want to know more about the company's data policies. Slightly fewer companies (42%) must translate their privacy policies/processes into the customer's/prospect's language, while 39% regard the customer's/prospect's enquiries about privacy policies or processes as a tactic used to deliberately slow the pace of a sales process.

The estimates regarding the length of delays were far from consistent. For sales delays stemming from privacy concerns, the average slowdown for selling to existing customers was 3.9 weeks. The organizations that said they're meeting all or most of GDPR's requirements reported a slightly shorter delay — an average of 3.4 weeks — in contrast to 4.5 weeks for companies that expect to be GDPR-ready within a year, and 5.4 weeks for those that are more than a year away. Put another way, the delays at the least-prepared organizations are almost 60% longer than the most prepared.

In light of the above, it should come as no surprise that the GDPR-ready companies also experienced lower overall costs related to data breaches.

"This research provides evidence for something privacy professionals have long understood — that organizations are benefiting from their privacy investments beyond compliance," says Peter Lefkowitz, chief digital risk officer at Citrix Systems. "The study demonstrates that strong privacy compliance shortens the sales cycle and increases customer trust."

Data Breaches Happen Less Often with GDPR-Readiness
Most companies in the survey reported having a data breach in 2018, but fewer (74%) of the GDPR-ready companies were affected. In comparison, breaches struck 80% of the firms that are less than a year from GDPR readiness, and 89% of the ones that still have a long way to go before they fully comply.

That's not all. Not only were the most GDPR-ready companies hit less often; the impacts of the breaches they did experience were smaller — an average of 79,000 records, as opposed to 212,000 for those that are least GDPR-ready. The system downtime for the most-prepared was also significantly less (6.4 hours versus 9.4 hours). Of these firms, only 37% suffered data-breach losses of more than $500,000, while 64% of the least-prepared companies lost at least that much.

The respondents were nearly unanimous in one area: Almost all of them (97%) said they are enjoying side benefits from their investments in privacy protection, citing agility/innovation, competitive advantage, operational efficiency, reduced losses from breaches, fewer sales delays, and greater appeal among investors.

The takeaway from all this? The Girl Scouts probably say it best: "Be prepared."

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AI Is Everywhere, but Don't Ignore the Basics
Howie Xu, Vice President of AI and Machine Learning at Zscaler,  9/10/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16317
PUBLISHED: 2019-09-14
In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory, a different vulnerabi...
CVE-2019-16318
PUBLISHED: 2019-09-14
In Pimcore before 5.7.1, an attacker with limited privileges can bypass file-extension restrictions via a 256-character filename, as demonstrated by the failure of automatic renaming of .php to .php.txt for long filenames, a different vulnerability than CVE-2019-10867 and CVE-2019-16317.
CVE-2019-16307
PUBLISHED: 2019-09-14
A Reflected Cross-Site Scripting (XSS) vulnerability in the webEx module in webExMeetingLogin.jsp and deleteWebExMeetingCheck.jsp in Fuji Xerox DocuShare through 7.0.0.C1.609 allows remote attackers to inject arbitrary web script or HTML via the handle parameter (webExMeetingLogin.jsp) and meetingKe...
CVE-2019-16294
PUBLISHED: 2019-09-14
SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode characters in a crafted .ml file.
CVE-2019-16309
PUBLISHED: 2019-09-14
FlameCMS 3.3.5 has SQL injection in account/login.php via accountName.