Internet traffic increased by 25% year-on-year in 2023, a clear sign that our world is becoming more interconnected than ever before. This also means that data breaches and cyberthreats pose even bigger risks for businesses that must ensure their personal and business data and resources are kept private and safe.
This can only be achieved by investing in security teams and tools, with the risks and costs of failing to do so amounting to millions of dollars.
Security leaders have to work in tandem with privacy leaders to convince their organisations that security investment is vital. When security and privacy leaders team up, they can identify the right tools tailored to their specific organisation’s needs and data types.
Where does the real harm lie?
An effective data security program helps ensure the privacy of customer and corporate data – but this is much easier said than done. It is not easy for a security leader to convince a privacy leader of the benefits of certain security technologies. Without a clear understanding of how security solutions work, what their purposes are, and what benefits they bring, these technologies might be perceived as a risk to data privacy. For example, a privacy leader might question the deployment of an email security tool that scans all company emails for phishing, or of a secure web gateway that lets the IT team monitor employee web activity in order to block malware-hosting websites.
The first question to ask is, what is the real privacy harm the organisation is trying to protect against? An organisation’s privacy leader needs to balance the potential privacy impact on employees from email scanning tools against the risks of not implementing such tools. Without sufficient security measures, employees might be susceptible to phishing attacks, which could inadvertently lead to unauthorised access to internal systems and the theft of sensitive customer data by threat actors.
More often than not, the benefits of security investment outweigh the potential costs. Employees tend to have few privacy protections in the emails they send through a company’s system. But if the personal data of a company’s customers were exfiltrated, the company could face data breach notification obligations, regulatory penalties, and contractual damages.
Calculating the cost of underinvesting in security
The costs incurred by cyberthreats are only rising. In Cloudflare’s Securing The Future: Asia-Pacific Cybersecurity Readiness Survey, 63% of respondents indicated they had experienced a financial impact of at least US$1 million due to a cybersecurity incident.
Financial cost was not the only effect: 16% of respondents cited reputational damage as the biggest impact, while 21% cited loss of data or intellectual property as the most pressing outcome. Outside of the loss of data, other consequences included having to put business plans on hold and forced layoffs.
Further, 78% of respondents indicated they had experienced a cybersecurity incident in the preceding 12 months. Among those that experienced incidents in the past year, 80% reported four or more cybersecurity incidents, while 50% experienced 10 or more. Web attacks and phishing attacks were the top two recorded attack vectors, and planting spyware, deploying ransomware, and exfiltrating data were the main goals of these cybersecurity incidents.
These facts lay bare the grave impact a cybersecurity incident can have on an organisation. Most major incidents are made possible by several fundamental security issues, such as weak passwords and expired certificates. Cybersecurity solutions that help mitigate these risks and protect against the most common types of breaches — such as anti-malware, email scanning, and zero-trust access control — offer substantial potential benefits to any organisation and its customers.
Investing in layered security systems reduces risk
Ideally, a new security solution will reduce the risk of a cyberattack. But it’s important to select the right security vendor. Any time a vendor further down the IT supply chain has access to a company’s systems and data, that company must assess whether the vendor’s security measures are sufficient. A breach involving an identity provider, for instance, highlights the significant repercussions a security vendor breach can have on its customers.
Identity providers enable single sign-on authentication for many organisations. If an attacker gains access to such an environment, it could potentially compromise user accounts of the provider’s customers. Without additional access protection layers, customers may become vulnerable to hackers aiming to steal data, deploy malware, or carry out other malicious activities.
When evaluating the privacy risks of security investments, it’s important to consider the vendor’s security track record and certification history. Companies that obtain optional certifications such as ISO 27001, ISO 27018 and SOC 2 are less likely to have the security gaps that place them and their customers at risk.
Weighing the risks and benefits
While the return on security investments can be difficult to quantify, the risks and benefits are evident. Inadequate cybersecurity practices mean a company will almost certainly experience a cybersecurity incident.
Security and privacy leaders can bolster their case for additional investments by highlighting costly data breaches and can tip the odds in their favour by leveraging solutions from vendors with a good track record in security, privacy, and compliance.