Turning data protection and privacy to a competitive advantage

5th April 2016 | Will Parton

Symantec’s annual threat report shows how GDPR will shake up security.

We’ve just leafed through Symantec’s latest Internet Security Threat Report and one thing’s clear: personal information is now a top priority. Customer data is the prize – whether we’re talking about the hackers trying to steal it, the businesses trying to defend it, or the individual consumers trying to retain control over it.

Hackers are now more persistent and devious, but customers are also waking up to the need to understand how their information is being used and how well it’s being stored and protected. Symantec found almost half (49%) of Britons are worried their data isn’t safe, while the clamouring for brands to protect customers from scams is becoming hard to ignore.

With data breaches getting larger every year and striking even the most trusted companies, organisations know competitiveness is increasingly tied to safeguarding customer data. Meanwhile, the EU’s General Data Protection Regulation (GDPR) is looming on the horizon and poised to redefine data privacy approaches from 25th May 2018.

As Ilias Chantzos, senior director in government affairs at Symantec, says: “There is a real consistency emerging that privacy is a competitive advantage for businesses and that privacy concerns also determine consumers’ behaviour. It is critical to ensure consumers are empowered to understand what their data is being used for and how it is protected”.

The impact of data breaches in 2015

When it comes to the data breach status quo, the numbers drawn from Symantec’s cyberintelligence network are jaw-dropping and eye-watering.

Symantec’s findings show no one is safe: public or private, enterprise or start-up, any organisation can find itself in the hackers’ sights. Cybercriminals are becoming ever more professional, sophisticated and targeted in their attempts to expose valuable data.

Of course, a lack of cyber-awareness among employees can prove just as dangerous as the external threat of facing skilled hackers. Symantec also found that 48% of data breaches were caused by accidental exposure, such as sharing information with the wrong people. Even organisations with robust security systems in place are struggling to guard against human error.

2015 could easily be called the year of the mega-breach, with nine attacks exposing more than 10 million records each. The end of the year also saw the largest single breach ever publicly revealed: a staggering 191 million US voter records were compromised due to an incorrectly configured database.

In total, the number of exposed identities reported leapt to 429 million, a rise of 23% year on year. However, perhaps even more disturbing are the numbers we aren’t hearing. Compared to the previous year, 85% more organisations chose not to report how much information was lost. A conservative estimate of the actual number of compromised records puts the figure at half a billion or more.

Here are some of the major trends that grabbed our attention:

  • Attackers don’t give up after the first attempt fails: on average, they will try three more times during the year.
  • Spear-phishing campaigns are relentlessly targeting employees as the weakest link in the security chain, with attack volumes up 55%.
  • More than a million new pieces of malware are being written every day, often seeking to exploit previously unknown, zero-day vulnerabilities.
  • With ransomware attacks rising 35% year on year, many attackers aren’t even waiting to exfiltrate data to exploit its lucrative potential.

Preparing for GDPR

With Symantec’s latest report making for troubling reading, what should we expect when GDPR shakes up the security status quo and what steps do you need to consider taking?

GDPR will end the days of keeping breaches quiet: organisations offering goods or services in any one of the 28 EU member states will have a legal obligation to report data breaches within 72 hours. While GDPR’s fines for non-compliance often dominate the headlines, organisations shouldn’t underestimate the impact that publicising breaches will have on brand reputation and customer loyalty.

As customers become ever more concerned with what information organisations have, how it’s being used and whether it’s protected, privacy and security will rapidly become a source of competitive advantage. To be successful in this changing market, organisations will need new capabilities – like quickly and efficiently responding to consumer queries to view or port their data.

The British Brands Group recently found that trust is a central driver behind purchasing, loyalty and price tolerance; overall, the most trusted brands achieve twice the market share of competitors. Of course, the reverse is also true: untrustworthy organisations that are regularly breached will, in all likelihood, fall behind.

Organisations need to show customers they don’t just protect their data, but add real value by harnessing it. In turn, customers will be more willing to share – creating a virtuous circle that can drive business success. For instance, services can be made more agile: customer data could allow an authenticated and secure communications channel to be set up immediately for voice, email or text, adding value to both the individual and the business.

Turn privacy to your advantage

GDPR compliance can be seen as a catalyst for businesses to improve security, rather than simply as a cost to bear. It can create an atmosphere of trust that allows organisations to attract and retain customers and enables them to use their data to drive mutual benefits.

When compliance is seen as a business differentiator rather than a tick-box, organisations can generate fresh market opportunities. Businesses that adopt secure communications technologies to protect customers from scams and improve the customer experience will see more purchases and recommendations and, one might argue, can even command higher prices.

Today, it’s possible to harness tools like encryption and data loss prevention with minimal cost and complexity, allowing organisations to identify, isolate and protect customer data more effectively. After all, without the technology to understand who’s using personal information and for how long, CIOs will find it extremely difficult to quantify their risk exposure and proactively defend customer data.

While every business will need to judge the risks and rewards of the investment in data privacy for itself, GDPR offers an outstanding opportunity to turn necessary compliance costs into a tangible competitive advantage – for those willing to seize it.