A current report from Cisco has found that at least two-thirds of companies are losing sales as a result of increasing concern about privacy among consumers. Such concern has caused delays in sales and, in some cases, loss of clients.
It’s an ongoing problem that’s been plaguing large corporations and small businesses alike for years. Some of the most significant data breaches of the century have included a state-sponsored attack that impacted 3 billion user accounts.
Back in 2013, retail giant Target discovered that hackers had gained access to the debit and credit card information of 40 million of their customers, a figure that was later amended after an investigation revealed that up to 110 million were actually affected by the attack.
More than 45 major data breaches at large companies were reported last year. They included Xbox 360 ISO, Arby’s, Verifone, Sabre Hospitality Solutions and UNC Health Care. One of the most disturbing cases was that of Saks Fifth Avenue whose customers’ information was available in plain text on a page of their website where customers could join a wait list for products.
Experts anticipated that the tens of thousands who had their personal data made public were likely to be targeted by malware scams and phishing.
Later in the year, Chipotle posted a Notice of Data Security Incident on its website after unauthorized activity was detected and they suspected that card-based transactions between March and April could have been collected by hackers.
The US Secret Service recently verified that it is investigating a data breach at Sears Holding Corp wherein hackers hijacked customer payment cards at Kmart locations across the country.
In some of these cases, it isn’t immediately apparent whether customers’ information has been compromised, but companies have a responsibility to inform their patrons of the possibility that their information has been exposed to cybercriminals.
Such privacy concerns are leading to substantial sales delays for upwards of 65% of global businesses. The Cisco 2018 Privacy Maturity Benchmark Study is aimed at addressing these concerns and stressing the importance of privacy maturity.
Maturity models are a viable means by which companies can assess their progress against established benchmarks. The study reflects the fact that such a privacy paradigm is linked to smaller losses from cyber-related disruption.
74% of companies without proper cybersecurity measures in place have lost in excess of $500,000 within the last year. All of those losses shared a corollary—data breaches. Only 39% of privacy-mature companies experienced these kinds of losses.
There are many cybersecurity solutions available to businesses and many of them are easy to implement. By utilizing virtual private networks (VPNs) with military-grade encryption, companies can prevent their computer systems from being targeted by malicious software. VPNs can also protect company information from being shared with third party entities since they hide a user’s IP address.
By installing a vendor risk management program, performing internal audits, limiting user access to sensitive materials and keeping an eye on internet statistics and threat trends, companies can fortify their operation and assure their customers that they’re in good hands.
In Europe, Parliament has created GDPR (General Data Protection Regulation) to strengthen and streamline data protection for all persons within the EU (European Union). GDPR is designed to give control back to citizens when it comes to their personal data.
The regulation, which will go into effect in May, mandates that data protection measures are built into the development of business processes for all products and services. It also mandates that companies conduct Data Protection Impact Assessments when specific risks to people’s data occurs.
Under the GDPR, entities will be required to appoint data protection officers to ensure that they are in compliance with the regulation. Prior consent must be obtained before data can be collected and they must be transparent about the purposes for collecting said data.
As mentioned earlier, encryption is called for, in this case a form of cryptography called pseudonymization which transforms personal data so that it is not attributable to the individual without additional info being provided.
Entities will be legally obligated to report data breaches to the Supervisory Authority without any unreasonable delay. This applies to customer/client data as well as business-related data.
Any infringement of the regulation’s provisions will result in a steep penalty with certain provisional infringement being punishable by a fine of as much as 20,000,000 EUR or 4% of an entity’s annual global turnover.
Similar regulations have been made in the United States with New York’s Superintendent of Financial Services enforcing 23 NYCRR Part 500, cybersecurity requirements intended to regulate financial services.
No doubt in response to the tens of millions of dollars that hackers siphoned from the Federal Reserve Bank of New York, 23 NYCRR Part 500 calls for a CISO (Chief Information Security Officer) to oversee information assets and execute risk assessment.
Network monitoring, dedicated encryption, written policies, data governance to disaster recovery planning and environmental controls are among the measures that entities will be expected to take to comply with the regulation. In these ways, and others, NYSFS believes that financial institutions can better preserve the integrity of their customer’s personal details and assets.
While there will probably be some push back from smaller outfits with dwindling budgets, the regulation should be embraced by those who want to keep their clients and their colleagues from going elsewhere.
Given the volatile nature of the cybersecurity climate and the footprint that sophisticated cyber crimes have left on the global economy, it is likely that such regulations or legislation will be adopted by other states and countries in the years to come.
With the rise of firmware, fileless infections, ransomware and skimmers it is high time to shield your business or home PC from the constant onslaught of cyberattacks. Abiding by cybersecurity regulation will not only keep businesses and banking institutions safe and secure but will prove to customers that companies have their best interests in mind.
(117)
