Data breaches are expensive, and the costs are only going up.
Those reporting attacks that cost 10 million USD/EUR/GBP or more almost doubled from last year — from 7% in 2018 to 13% in 2019. Half of Radware’s C-Suite Perspectives survey respondents estimated that an attack cost somewhere between 500,001 and 9.9 million USD/EUR/GBP.
One Year In
Arguably, the General Data Protection Regulation (GDPR), which has been active in the European Union since May 2018, contributes to these rising costs.
Every EU state has a data protection authority (DPA) that is authorized to impose administrative fines for improper handling of data. Fines can go up to 4% of a company’s worldwide revenues for more serious violations. Article 83 of the GDPR requires that fines be “effective, proportionate and dissuasive.”
More than half of Radware’s 2019 C-Suite Perspective survey respondents from EMEA experienced a self-reported incident under the GDPR in the past 12 months.
In the largest fine to date, France levied a fine against Google for €50 million for lack of consent on advertisements. Germany fined Knuddels €20,000 for insufficiently securing user data, enabling hackers to steal user passwords. And a sports betting café in Austria received a €5,000 fine for unlawful video surveillance.
C-Suite Perspectives: From Defense to Offense — Executives Turn Information Security Into a Competitive Advantage
So far, DPAs have received almost 150,000 complaints about data handling. Most are about video surveillance and advertising calls or mailings, according to the EU Commission. While fines have not yet been imposed in many cases, the potential for significant penalties is there.
The takeaway? C-suite executives in all regions should not let the leniency of the first year of GDPR enforcement lull them into complacency. The threat of GDPR fines is just one risk facing organizations that experience a data breach.
The danger is very real.
Read “2019 C-Suite Perspectives: From Defense to Offense, Executives Turn Information Security into a Competitive Advantage” to learn more.
These days, data breaches are an everyday occurrence. Companies collect volumes of data about their customers, from basic contact information to detailed financial history, demographics, buying patterns, and even lifestyle choices. Effectively this builds a very private digital footprint for each customer. When this footprint is leaked, it not only erodes the trust between consumers and the affected brand, but also erodes trust for all brands.
The latest marketing buzzwords call this a ‘post-breach era’ but I’d call it a post-trust era. We have watched the slow erosion of consumer trust for several years now. Forrester predicted that 2018 would mark the tipping point, calling it “a year of reckoning,” but here we are in 2019 and trust only continues to decline. The Edelman Trust Barometer claims that in the U.S., we saw the sharpest drop in consumer trust in history, bringing it to an all-time low.
Why is Consumer Trust Falling at Such a Rapid Rate?
Organizations have spent billions of dollars digitally transforming themselves to create faster, easier and more numerous access points for their customers to interact with their brand. And it’s worked. Consumers engage much more often with more personal data with brands today than ever before. For marketers, it’s a dream come true: More access equals more insights and more customer data recorded, enabling more personalized and customized customer experiences.
However, each touch-point comes with increased security risk and vulnerabilities. Prior to the digital transformation revolution, brands interacted much less frequently with their customers (for the sake of argument, let’s say once a month). But now, brands communicate daily (sometimes multiple times per day!) across multiple touch-points and multiple channels, collecting exponential amounts of data. This increases not only the opportunities for breaches, but the possibility for negative customer interactions with so much more private information known about an individual. An overabundance of those marvelous personalized interactions can make consumers feel invasive and uncomfortable at the risk in their digital footprint.
Brands have a tremendous responsibility to protect all the data they collect from their customers. Historically lack of vigilance on security has led to the start of many data breaches. For many years, the C-suite has treated information security as an expense to treat the basics of a regulatory compliance standard, not as an investment.
Today that organizational behavior just does not suffice. The stakes are much higher now; the size, frequency, and resulting consequences of recent data breaches have created a huge backlash in consumer sentiments. We feel the impact of this trust erosion in new legislation across the globe (GDPR, Castle Laws, etc.) designed to give consumers some power back with regards to their data. We also feel the impact in customer churn, brand abandonment poor Customer Lifetime Value (CLV) after a security breach. The ripple effects of data breaches signal the value of investing in security upfront; invest in the right cybersecurity infrastructure now or risk paying far more later.
It forces us as marketers to change the type of
conversations we have with our customers.
What’s a Brand to Do?
How important is data security to your customers and your
brand promise? If asked, surely every
one of your customers would tell you it’s important. Most marketers are afraid to make security
promises for fear of future data breaches. However, there’s a compelling
argument that if you don’t address the issue up front, you are missing a
critical conversation with your customers that could cost you their loyalty.
Don’t fear the security conversation, embrace it. Brands like Apple are once again leading the privacy conversation. Apple’s new ad campaign address privacy issues head on. Executives may not need the exact stance as Apple, but as a marketer, you can identify the right tone and timing for a security conversation with your audience.
Ask your customers about their security concerns and listen to their answers! Our digitally transformed world empowers us to engage in a two-way dialog with our audiences. Talk to them. Ask them their opinions on security – and more importantly, listen to their answers. Take their suggestions back to your product and development teams and incorporate it into your company’s DNA.
Develop features and services that empower your customers to protect their own privacy. Today, banks offer credit monitoring, credit locking, fraud alerts, subscriptions to services that monitor the dark web for an entire family, etc. IoT devices have enabled people to see who is ringing the doorbell even when they are not home. Those doorbell recordings can now be shared through neighborhood watch sites to warn the community of incidents when they occur. These are all examples of innovation and evolution around security as a feature.
Highlight all the different ways your company is protecting its customers data and privacy. Don’t assume your customers know that you take their privacy concerns seriously. Show them you care about their security concerns. Tell them and educate them about all the steps you are taking to protect them.
Don’t whitewash security concerns. Be a champion for injecting security into the DNA of your organization – from product development to responsible data collection and storage, to the customer experience.
Regardless of your industry— from finance to retail to consumer goods to healthcare and beyond—there is a security discussion to be had with your customers. If you are not embracing the conversation, your competitors will, and you will be left behind.
Read “Consumer Sentiments: Cybersecurity, Personal Data and The Impact on Customer Loyalty” to learn more.
A topic inescapably in the minds of us Brits is what type of relationship will the U.K. maintain with the EU post our departure, which in one transitional form or another is slated to commence 29 March 2019.
The next few months are considered to be a pivotal period for defining what this relationship will look like and of as of right now there are many unknowns, including implications for the U.K.’s cyber assurance capability.
There are broadly three domains across cybersecurity that could be impacted by the character of the agreements struck: Skills access, legal matters and threat intel sharing.
It is sensible for security leaders in U.K. -headquartered businesses to start thinking about the potential impacts and considering plans to mitigate. The below is not an exhaustive exploration, just some initial food for thought.
Are you out of breath from the breakneck pace of cyberattacks since the start of 2018? Throughout the world, nearly daily news reports have been filed detailing the results of incredibly effective cyberattacks ranging from small companies to nation-states. The sum total of these attacks has permanently and dramatically changed the information security threat landscape. This change hasn’t gone unnoticed with the regulators and now, depending on where your business operates, you have accrued even more work to demonstrate your diligence to these threats.
As Europe awaits the General Data Protection Regulation (GDPR) to come into force on May 25th, Facebook is enforcing new terms of service to its users to ensure compliance with the upcoming data privacy law. It will regulate how Facebook collects and uses user data that is critical to the success of its advertisement business. While Facebook executives are claiming that GDPR will have minimal impact on its user base and its revenues, experts opine that there are multiple other ways that GDPR can affect Facebook in a severe manner. With GDPR being an extraordinary regulation with strong potential to impact large businesses, Facebook stands exposed to a number of uncertainties that are yet to take shape.
Privacy or profit, that is the question. For C-suite executives around the world, striking a balance between safeguarding their organization’s data and meeting government regulations without adversely affecting day-to-day operations has always been a careful balancing act.
In February of 2017, Memorial Healthcare System settled their HIPAA violation fines for $5.5 Million USD. During an investigation, it was discovered that over 100,000 patient records had been impermissibly accessed. Allegedly, an ex-employee retained access to personal identifying information and sold data records to people who filed fraudulent tax returns using the data. Federal criminal charges were filed against the ex-employee.
Data is the currency of today’s digital economy, the oil of the 21st century. Personal data is considered our economical asset generated by our identities and our behavior and we trade it for higher quality services and products. Online platforms act as intermediaries in a two-sided market collecting data from consumers and selling advertising slots to companies. In exchange for our data being collected, we get what appears to be a free service.
The growth and the market capitalization of social platform providers like Facebook and search engines such as Google demonstrate the value of personal data. Personal data also provides new ways to monetize services as news organizations are finding it difficult to charge ‘real’ money for digital news, but leverage our willingness to pay for a selection of ‘free’ news with our personal data. Every 3 out of 4 persons prefer free registration with selective access over a paid registration with full access.
