Good privacy is good for business, so pay attention

Data privacy concerns are causing significant sales cycle delays for up to 65 percent of businesses worldwide, according to findings in the new Cisco 2018 Privacy Maturity Benchmark Study.

The study shows that privacy maturity is connected to lower losses from cyberevents: 74 percent of privacy-immature organizations experienced losses of more than $500,000 last year caused by data breaches, compared with only 39 percent of privacy-mature organizations.

Privacy maturity is a framework defined by the American Institute of Certified Public Accountants (AICPA) and is based on Generally Accepted Privacy Principles (GAPP).

The study surveyed nearly 3000 global security professionals in 25 countries regarding their privacy maturity and any effects of data privacy on their business. A surprising two-thirds of respondents indicated that data privacy was causing delays in their sales cycles, with an average estimated delay of 7.8 weeks.

The pending May 2018 enforcement of the GDPR, the new law enacted to increase protections of EU citizens’ privacy and personal data, might also be a factor in these delays. Customers are increasingly concerned that products and services they buy provide appropriate privacy protections. GDPR’s provisions apply to any company that processes, stores, or uses this data.

Respondents were asked to assess their current privacy maturity level, according to the standard AICPA model, which defines five privacy maturity levels: ad hoc, repeatable, defined, managed, and optimized. The study found that:

• The average sales delay for those with ad hoc maturity was 16.8 weeks, but delays decreased for businesses with higher privacy maturity levels.
• Businesses with optimized privacy processes reported 3.4 weeks of sales delay, which is an 80 percent reduction compared to ad hoc organizations.
• Geography and industry also appear to play a significant role in the length of delay.

Given these widespread and significant delays, every company should assess its own situation to evaluate where customer privacy concerns might postpone business. Aside from legal compliance, depending on the potential revenue effects and their current privacy maturity level, companies should explore the return on investment of privacy process improvements and the beneficial effects that deploying such measures could have on sales.

“Although organisational awareness of potential attacks is on the rise, online criminals are finding new and creative ways to dupe people into compromising sensitive financial and personal data. This means that unusual behaviour is getting harder to detect and might not seem unusual at all. And with employees on the front line of this battle, more must be done to improve user awareness and training – especially of regulations like GDPR which should help gain more control of the data we all hold. Upskilling employees and making them more cyber aware is one of the most cost effective ways of reducing the probability and impact of human error,” Sarah Armstrong-Smith, Head Continuity & Resilience at Fujitsu UK and Ireland, told Help Net Security.

Data privacy concerns drive sales delays

• Companies in the government and healthcare sectors exhibited the longest average sales delays – 19 weeks and 10.2 weeks, respectively – compared to other industries.
• Companies in the utilities, pharmaceuticals, and manufacturing sectors reported the shortest average delays, all 3 weeks or less.
• By geography, Latin America and Mexico are experiencing the longest sales delays, at 15.4 weeks and 13 weeks, respectively.
• China and Russia have the shortest delays, at 2.8 weeks and 3.3 weeks, respectively.

Privacy-mature organizations experience shorter sales delays

• The average sales delay (in weeks) by privacy maturity stage were as follows: ad hoc (16.8), repeatable (9.8), defined (5.1), managed (4.4), and optimized (3.3).
• Since organizations in the defined stage experienced 70 percent shorter sales delays vs. those in the ad hoc stage, companies might benefit significantly from moderate improvements in privacy maturity. Those that are “optimized” saw 80 percent shorter delays.

Privacy-mature companies experience fewer breaches and smaller losses from cyberattacks

• Overall, 53 percent of respondents reported losses greater than $500,000 related to cyberattacks in the last 12 months.
• Privacy-immature companies (i.e., ad hoc stage) had the highest percentage (74 percent), with the percentage decreasing with increasing privacy maturity. The other levels were repeatable (66 percent), defined (49 percent), managed (43 percent), and optimized (39 percent).

Practical advice

Given the potential effects of these delays on sales and revenues, Cisco advises organizations to take the following steps:

Measure current delays: Assess the scope of sales delays due to data privacy issues and understand how much sales revenue might be affected by the delays.

Assess root causes: Portions of a delay may be caused by sales teams being unable to address customer concerns, incomplete or inaccessible corporate policies, or engineering/design issues. Executives need to know root causes to determine resolutions.

Establish ongoing metrics and targeted initiatives: Regularly measure and track the sales delay metric, and set priorities for appropriate investments to reduce the delays.

Explore effects on cyber losses: Assess the cause of any data breaches and losses that might have been avoided through more mature data privacy processes.

Develop a data privacy and protection plan: If such a plan does not currently exist, plan to create policies and protocols that contribute to good security hygiene.

“The key to effective cyber security is to understand that vulnerabilities don’t solely originate with technology, but with people. Consider the modern flexible employee – accessing company information on the move, carrying everything they need on mobile devices, and working with sensitive data every day, regardless of job function or department. Employees are on the frontline of the cyber security war, and organisations therefore need to look beyond the IT department to establish good cyber-security awareness and practise across the organisation,” said

“However, organisations should not neglect the importance of investing new technologies such as analytics or artificial intelligence. It is only by pairing such tools with strong, all-encompassing training programmes, that organisations can best safeguard themselves and their customers from the many threats of today. The key to driving this dual approach will be working with trusted partners who have deep expertise in cyber security and executional nous to match,” said James Longworth, Head of Solution Architecture at Insight.