With a reported 25% year-over-year increase in Internet traffic, our world is becoming more connected than ever. In this digital landscape, data breaches and cyber threats have become top of mind for businesses that want to keep personal data private and company resources safe. Doing so requires investment in security teams and tools; failing to invest can cost millions of dollars. Security and privacy leaders have had to evolve into powerful partners in convincing their organizations why investment in security is so important. When security and privacy leaders work together, they can find the right security tools to protect an organization from the risks of data breaches and make an informed decision about which solutions are the right choice for the business.
Where does the real harm lie?
It goes without saying that an effective data security program is the best path towards ensuring the privacy of customer and corporate data – but this is much easier said than done. It can be difficult for a security leader to sell a privacy leader on the benefits of certain security technologies. Without a clear understanding of how security solutions work, what they are for and what benefits they bring, those solutions may themselves appear to be a risk to data privacy. For instance, a privacy leader might question the deployment of an email security tool that scans all company emails for phishing, or a secure web gateway that lets the IT team monitor employee web activity in order to block malware-hosting websites.
Step one is to consider — what is the real privacy harm the organization is trying to protect against? A company’s privacy leader needs to balance the potential privacy impact on employees from email scanning tools against the risks of not implementing such security measures. Without adequate protection, employees may fall victim to phishing attacks, leading to unauthorized access to internal systems and the theft of sensitive customer data.
In many cases, the benefits of security investment outweigh the potential costs. In the example above, it’s worth noting that employees in most jurisdictions globally have few privacy protections in the emails they send to a company’s system. If the personal data of a company’s customers is exfiltrated, a company could face data breach notification obligations, regulatory penalties, and contractual damages.
Calculating the cost of underinvesting in security
Corporate cyber security solutions are designed to address the different threats unique to an organization. One of the most common and pressing threats is the potential for data breaches, which soared to an average cost of $4.45 million in 2023. This number overlooks the reputational damage to the companies that suffer the breaches and the impact on the customers whose data has been breached.
While we can’t know the number of data breaches an unprotected organization might suffer in a given year, we can estimate. For example, 85% of companies suffered at least one ransomware attack in the past year, and 24% of data breaches are caused by ransomware – meaning there’s a good chance that a company will experience a ransomware attack and non-ransomware data breaches within a year.
While this is only an estimate, it demonstrates that the annual cost to an underprotected company is in the tens of millions, if not more. The potential impacts of cyber security incidents on customers are incalculable. Most major data breaches were made possible by several fundamental security issues: weak passwords, expired certificates, and other failures of basic security. Cyber security solutions that help to mitigate these risks and protect against the most common types of breaches — such as anti-malware, email scanning, and Zero Trust access control — offer substantial potential benefits to the company and its customers.
Investing in layered security systems reduces risk
In the ideal scenario, a new security solution reduces the risk of a cyberattack. But it is important to invest with the right security vendor. Any time a vendor has access to a company’s systems and data, that company must assess whether the vendor’s security measures are sufficient. The recent Okta breach highlights the significant repercussions of a security vendor breach on its customers. Okta serves as an identity provider for many organizations, enabling single sign-on (SSO). An attacker gaining access to Okta’s environment could potentially compromise the user accounts of Okta customers. Without additional access protection layers, those customers may become vulnerable to hackers aiming to steal data, deploy malware, or carry out other malicious activities.
When evaluating the privacy risks of security investments, it is important to consider a vendor’s security track record and certification history. For example, in 2020, only 43.4% of companies had full PCI-DSS compliance at a mid-year assessment, indicating that security controls were allowed to slip between audits. On the other hand, companies that actively pursue optional certifications such as ISO 27001 and 27018, SOC 2, and others are less likely to have the security gaps that place them and their customers at risk.
Weighing the risks and benefits
While the ROI of security investment can be difficult to calculate, the risks and benefits are clear. Weak cyber security practices mean a company will almost certainly experience a data breach – the only question is the order of magnitude of dollars lost, reputational damage, and downstream harm to the individuals who trusted the company with their data.
Security and privacy leaders can bolster their case for additional investments by highlighting costly data breaches, and can tilt the scale in their favor by seeking solutions with strong records in security, privacy, and compliance.