Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

4/16/2019
02:30 PM
Marc Wilczek
Marc Wilczek
Commentary
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail vvv
50%
50%

Benefiting from Data Privacy Investments

GDPR-ready companies experience lower overall costs associated with data breaches, research finds.

Millions of people continue to be flummoxed and frustrated by the much-publicized leaks of their personal information from the likes of Marriott, Facebook, and Equifax, to cite three recent examples. Such data breaches are causing companies and organizations everywhere to re-examine the things they procure, the services they use, the individuals they hire, and the people and firms with whom they partner and do business. Across the board, organizations have sunk money into staff, strategies, and equipment to comply with new, tighter customer privacy rules and sidestep major fines and other penalties.

On May 25, 2018, the EU's General Data Protection Regulation (GDPR) took effect, and other privacy laws and regulations worldwide are evolving and expanding. Cisco's 2019 Data Privacy Benchmark Study details how scores of organizations are having a hard time meeting all the demands of the new regulatory regimes — and the ones that took early action to address security concerns are seeing positive results from their investments.

GDPR Readiness
Data privacy is now a topic of discussion in corporate boardrooms, and clients, vendors, and other business partners are all paying more attention to how well the companies they patronize and work with safeguard private information. If a company doesn't measure up, those groups may look elsewhere.

Interestingly, however, a mere 59% of the respondents in the Cisco survey said they are measuring up to most of GDPR's requirements. Twenty-nine percent indicated that they would be GDPR-ready within 12 months, while 9% said it would take them more than a year.

The respondents also identified their biggest hurdles in terms of getting ready for GDPR. The top five challenges were data security (cited by 42% of respondents), internal training (39%), ever-changing regulations (35%), and privacy by design requirements as well as meeting data subject access requests (each at 34%).

"Data privacy risks have become a major issue for most businesses. Many companies are preparing for data privacy litigation. Having a defense strategy in place can be a huge benefit," says Tim Wybitul, partner in Latham & Watkins' Frankfurt office. "For instance, you can determine roles, press communication and a process in advance," he adds.

Sales Delays Due to Privacy
The survey also asked participants whether their customers' concerns about data privacy was slowing down or delaying sales cycles. Some 87% replied in the affirmative, saying that the slowdowns stemmed from worried customers or prospects. This is a much higher figure than the 66% of respondents who reported the same delays in the 2018 survey, but this shouldn't come as a big surprise given the ink that's been spilled on the importance of data privacy, GDPR, and the onset of new privacy regulations and requirements.

Roughly half (49%) of the respondents said that their sales-cycle delays stem in part from having to look into specific requests from customers who want to know more about the company's data policies. Slightly fewer companies (42%) must translate their privacy policies/processes into the customer's/prospect's language, while 39% regard the customer's/prospect's enquiries about privacy policies or processes as a tactic used to deliberately slow the pace of a sales process.

The estimates regarding the length of delays were far from consistent. For sales delays stemming from privacy concerns, the average slowdown for selling to existing customers was 3.9 weeks. The organizations that said they're meeting all or most of GDPR's requirements reported a slightly shorter delay — an average of 3.4 weeks — in contrast to 4.5 weeks for companies that expect to be GDPR-ready within a year, and 5.4 weeks for those that are more than a year away. Put another way, the delays at the least-prepared organizations are almost 60% longer than the most prepared.

In light of the above, it should come as no surprise that the GDPR-ready companies also experienced lower overall costs related to data breaches.

"This research provides evidence for something privacy professionals have long understood — that organizations are benefiting from their privacy investments beyond compliance," says Peter Lefkowitz, chief digital risk officer at Citrix Systems. "The study demonstrates that strong privacy compliance shortens the sales cycle and increases customer trust."

Data Breaches Happen Less Often with GDPR-Readiness
Most companies in the survey reported having a data breach in 2018, but fewer (74%) of the GDPR-ready companies were affected. In comparison, breaches struck 80% of the firms that are less than a year from GDPR readiness, and 89% of the ones that still have a long way to go before they fully comply.

That's not all. Not only were the most GDPR-ready companies hit less often; the impacts of the breaches they did experience were smaller — an average of 79,000 records, as opposed to 212,000 for those that are least GDPR-ready. The system downtime for the most-prepared was also significantly less (6.4 hours versus 9.4 hours). Of these firms, only 37% suffered data-breach losses of more than $500,000, while 64% of the least-prepared companies lost at least that much.

The respondents were nearly unanimous in one area: Almost all of them (97%) said they are enjoying side benefits from their investments in privacy protection, citing agility/innovation, competitive advantage, operational efficiency, reduced losses from breaches, fewer sales delays, and greater appeal among investors.

The takeaway from all this? The Girl Scouts probably say it best: "Be prepared."

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems
Jai Vijayan, Contributing Writer,  2/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9308
PUBLISHED: 2020-02-20
archive_read_support_format_rar5.c in libarchive before 3.4.2 attempts to unpack a RAR5 file with an invalid or corrupted header (such as a header size of zero), leading to a SIGSEGV or possibly unspecified other impact.
CVE-2019-20479
PUBLISHED: 2020-02-20
A flaw was found in mod_auth_openidc before version 2.4.1. An open redirect issue exists in URLs with a slash and backslash at the beginning.
CVE-2011-2498
PUBLISHED: 2020-02-20
The Linux kernel from v2.3.36 before v2.6.39 allows local unprivileged users to cause a denial of service (memory consumption) by triggering creation of PTE pages.
CVE-2012-2629
PUBLISHED: 2020-02-20
Multiple cross-site request forgery (CSRF) and cross-site scripting (XSS) vulnerabilities in Axous 1.1.1 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add an administrator account via an addnew action to admin/administrators_add.php; or (2) c...
CVE-2014-3484
PUBLISHED: 2020-02-20
Multiple stack-based buffer overflows in the __dn_expand function in network/dn_expand.c in musl libc 1.1x before 1.1.2 and 0.9.13 through 1.0.3 allow remote attackers to (1) have unspecified impact via an invalid name length in a DNS response or (2) cause a denial of service (crash) via an invalid ...