Balancing privacy and business risk
Keeping personal data private and company resources safe are two of the primary goals of a corporate cyber security program. In a previous article, we discussed the balance between these goals and the value of pursuing a privacy-led security strategy.
In this article, we’ll dive into the risks and costs of failing to invest in security, and how security and privacy leaders can be powerful partners in convincing their organizations why the investment in security is so important. When security and privacy leaders work together, they can find the right security tools to protect an organization from the risks of data breaches and make an informed decision about what solutions are the right choice for the business.
Where does the real harm lie?
Ideally, an organization’s security and privacy leaders should be working closely with one another. The best way to ensure the privacy of customer and corporate data is by implementing an effective data security program.
Privacy leaders recognize the value of security measures for protecting customer data. However, in some cases, it can be difficult for a security leader to sell a privacy leader on the benefits of certain security technologies. Without a clear understanding of how a security solution works and what its purpose is, it could appear to be a risk to data privacy. For example, a privacy leader may be quite skeptical when their security leader proposes onboarding an email security tool that scans all of a company’s emails to thwart phishing attempts or using a secure web gateway that might allow a company’s IT team to see what websites employees visit on their work computers in the course of trying to block employees from visiting websites that host malware.
When thinking about security investments for a corporate network, it’s important to consider — what is the real privacy harm the organization is trying to protect against? A company’s privacy leader needs to weigh the privacy harm to a company’s employees from a machine that merely scans company emails to say, “Yes, good” or “No, bad” against the harm that could come to the company if such security protections aren’t in place. If such protections aren’t in place, an employee could easily become the victim of a phishing exploit that results in a threat actor using that employee’s credentials to access internal systems and exfiltrate the sensitive personal data of the company’s customers.
In my opinion, having a really strong sense of what privacy harms are the biggest risk for your organization is essential to implementing effective privacy-led security. In many cases, the benefits of security investment outweigh the potential costs. In the example above, it’s worth noting that employees in most jurisdictions globally have few privacy protections in the emails they send to a company’s system. But if the personal data of a company’s customers is exfiltrated, a company could face data breach notification obligations, regulatory penalties, and contractual damages.
Calculating the cost of underinvesting in security
Corporate cyber security solutions are designed to address a variety of different threats to an organization. For example, one common threat is the potential for data breaches, which had an average cost of $4.45 million in 2023. However, this number overlooks the reputational damage to the companies that suffer the breaches and the impact on the customers whose data has been breached.
While we can’t know the number of data breaches an unprotected organization might suffer in a given year, we can estimate it. For example, 85% of companies suffered at least one ransomware attack in the past year, and 24% of data breaches are caused by ransomware. That means there’s a good chance that a company will experience both a ransomware attack and non-ransomware data breaches within a year.
While this is only a rough estimate, it demonstrates that the potential annual cost to an under-protected company is likely in the tens of millions, if not more. Additionally, the potential impacts of cyber security incidents on an organization’s customers are incalculable. Diving into the details of major data breaches, you’ll quickly find that most were made possible by a number of fundamental security issues. Weak passwords expired certificates, and other failures of basic security hygiene are often the root cause of major security incidents. Cyber security solutions that help to mitigate these risks and protect against the most common types of security breaches — such as anti-malware, email scanning, and Zero Trust access control — offer substantial potential benefits to the company and its customers.
Investing in layered security systems reduces risk
In many cases, the benefits of a new security solution are clear: It provides a certain reduction in the risk of a cyberattack. Preventing even a single cyberattack can provide significant cost savings for the organization. By the numbers, if the annual cost of a cyber security solution is less than the anticipated savings, then it’s a worthwhile investment.
But, it’s important to invest with the right security vendor. Any time a vendor has access to a company’s systems and data, that company must assess whether the vendor’s security measures are sufficient. There are several examples where security vendors have been victims of cyber security attacks and, as a result, their customers’ systems and data could be exposed to risk.
The recent Okta breaches are a prime example of the potential impacts that a breach of a security vendor could have on its customers. Many organizations use Okta as an identity provider to implement single sign-on (SSO). With access to Okta’s environment, an attacker could potentially gain access to the user accounts of Okta customers. If those customers don’t have additional layers of access protection, they could be left vulnerable to hackers who might steal data, plant malware, or take other malicious actions.
When evaluating the privacy risks of security investments, it’s important to consider an organization’s security track record and certification history. For example, in 2020, only 43.4% of companies had full PCI-DSS compliance at a mid-year assessment, indicating that security controls were allowed to slip between audits.
On the other hand, companies that actively pursue optional certifications such as ISO 27001 and 27018, SOC 2, and others are less likely to have these security gaps that place them and their customers at risk. Cloudflare maintains compliance with required and optional certifications and has pursued independent audits of its 1.1.1.1 DNS resolver service, where no applicable certification exists. Cloudflare also leverages security technologies such as end-to-end encryption, data localization, and Zero Trust access management to maximize user privacy and comply with the unique requirements of regional data privacy laws and regulations.
Weighing the risks and benefits
While the ROI of security investment can be difficult to calculate, the risks and benefits are clear. Weak cyber security practices mean a company will almost certainly experience a data breach sooner rather than later, and then the only question is the order of magnitude of dollars lost, reputational damage, and downstream harms to the individuals who trusted the company with their personal data.
Investing in security is almost always a good idea from a data privacy and risk management perspective. Minimizing the privacy risks of security investment amplifies its potential privacy benefits. Security and privacy leaders not only have the evidence of costly personal data breaches and security breaches on their side, but, when advocating for additional security investments, they can also shift this balance further in their favor by looking for solutions with good security, privacy, and compliance track record.
Privacy-led security is a core tenet of Cloudflare’s philosophy. Our Trust Hub speaks to our commitment to being as secure and transparent as possible by going the extra mile to demonstrate compliance with all applicable regulations and standards. Our products are designed to leverage our unique visibility into the cyber threat landscape and the latest security technologies to identify potential threats while minimizing access to sensitive data. Simplify and deliver security everywhere with Cloudflare.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.
Dive deeper into this topic.
Learn more about how Cloudflare enables more effective, more productive, and more agile data protection with the Unified protection for data everywhere brief.
Get the brief!
Author
Emily Hancock — @emilyhancock
Chief Privacy Officer, Cloudflare
Key takeaways
After reading this article you will be able to understand:
The importance of collaboration between security and privacy
The cost of underinvesting in security
The benefits of a privacy-led security program
Related resources: