In an era defined by data, privacy is paramount. We have more game-changing technologies, and our world is more interconnected, than ever before. But with these advances come significant concerns about consumer and enterprise data privacy.
For individuals, there’s a web of online activities and myriad online privacy concerns to contend with. From identity theft and phishing scams to personal data use by tech giants, threats to internet users are everywhere. For businesses, the plethora of online privacy concerns is complicated by the legal and reputational costs of data breaches, regulatory compliance, third-party vendors, workplace training, and more.
In this blog post, we’ll offer a range of data privacy statistics that underscore the importance of safeguarding sensitive information at your organization. We’ll also explore a solution for strengthening data privacy in on-prem, cloud, and hybrid- and multi-cloud architectures.
We’ll start with the bad news. Threats to data privacy abound, and most of them are on the rise. Hackers have grown more sophisticated as governments and cybersecurity experts have tried to stop them, and cyberattacks have crippled organizations across the globe.
There are also more targets than ever before. Many organizations have massive digital footprints, from customer data collection to critical enterprise data. Threats to data privacy can be truly ruinous in this context.
The average cost of a data breach spiked between 2020 and 2021, likely due to the COVID-19 pandemic and the rapid switch to remote work without adequate security measures. But it’s continued to rise since, with the average breach costing $4.45 million last year. This cost was almost $1 million higher for organizations with a remote work model, suggesting that many companies still haven’t implemented sufficient authentication and access controls.
One of the most costly kinds of data privacy incidents is IP theft. In its recent report, the Commission on the Theft of American Intellectual Property noted that the theft of trade secrets costs the US economy between $180 billion and $540 billion annually, or around 1 to 3% of the GDP. For companies, the cost of IP theft also includes reputational damage, legal costs, loss of consumer trust, loss of competitive advantage, and regulatory fines (more about these below).
At one ransomware attack every 11 seconds, that’s 39 attacks in the time it takes to play the Beatles’ “Hey Jude.” Although the 11-second estimate was predicted by Cybersecurity Ventures for the end of 2021, it likely still stands today. Fueled by the rise of AI tools and RaaS subscription models, ransomware attacks are only becoming more frequent.
The result for businesses? Near-relentless threats to data privacy, particularly in double-extortion and encryption-less attacks.
One of the most common kinds of cybercrime, phishing is a type of fraud in which hackers send emails, text messages, or phone calls pretending to be from reputable companies in order to trick people into revealing personal information like passwords and credit card numbers.
In 2022, there were over 300,000 phishing victims in the US alone, with total losses topping $52 million. This is up substantially from the previous year; the rate of reported phishing attacks more than doubled from 2021 to 2022.
When we’re addressing data privacy concerns, it’s all too easy to point to outside threats as the only culprits. But an attack is only as successful as your organization’s security is weak. We write regularly about the role of human error in data breaches and other cyber incidents, so we know the importance of a security-conscious company culture in mitigating data privacy threats.
During ShardSecure CEO and Co-Founder Bob Lam’s presentation at the ISACA GRC 2023 Conference, we polled the audience with several questions to learn more about privacy challenges at their organizations. When we asked who was responsible for data privacy in their workplace, 46% said a Chief Privacy Officer, 18% said a Chief Information Security Officer (CISO), and 10% said a Chief Information Officer (CIO).
That left 26% who chose “other.” We imagine that those responses include established data protection roles like VPs in Information Security as well as more ad hoc arrangements where data privacy may be overseen by everyone — or no one — at a company.
With around half of organizations unable to identify where all their data is stored, it shouldn’t be a surprise that a lack of visibility — and an associated lack of protection — would be the top reason (23%) that data privacy and data security initiatives fail within organizations.
That said, it was a close race, with 22% of our ISACA survey respondents citing an immature data privacy program and 21% pinpointing insufficient staffing or training. The other reasons given were not practicing privacy by design (17%) and failing to address data privacy beyond compliance efforts (12%).
Whether malicious or just negligent, insider threats are a significant and growing risk. The 2022 Cost of Insider Threats: Global Report notes that both the number and cost of insider threat incidents rose over the previous two years, with costs per incident reaching more than $15 million. Meanwhile, the average time to contain an insider threat was 85 days — nearly three months — and the costs for threats that persisted past 90 days topped $17 million.
Not only are insider threats on the rise; they were also responsible for nearly a third of all data breaches over the past year. The issue can be particularly costly for enterprises in industries handling a great deal of sensitive or personal data, such as healthcare and finance. With their abundant resources and higher employee numbers, larger companies as a whole will spend an average of $10.24 million more on insider attacks than their smaller counterparts.
Although data privacy and security matter for much more than just meeting legal regulations, compliance is still an important piece of the puzzle. The regulatory landscape for consumer data privacy has grown increasingly complex over the last few years. Now, organizations must navigate myriad cross-border data privacy regulations in order to understand their legal frameworks and uphold ethical standards.
According to the Privacy Laws and International Business Report, 83% of countries have passed data protection and privacy legislation as of 2023. This is a rapid rise from 2020, when only 66% of nations had done so. Meanwhile, 20 more countries are currently drafting privacy bills. That means that data privacy rights for global consumers now extend to the vast majority of nations.
The big compliance news of 2023 was Meta’s staggering €1.2 billion fine. The penalty, issued by the Irish Data Protection Authority under the EU’s General Data Protection Regulation (GDPR), was over Meta data transfer practices that the EDPB called “systematic, repetitive, and continuous.”
Other top fines under data protection laws include:
In the absence of an official federal privacy law like the proposed American Data Privacy and Protection Act, some US states have begun passing their own statewide data protection regulations. The first was California, which passed the California Consumer Privacy Act (CCPA) in 2018. Since then, twelve more states have passed their own legislation: Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia.
The regulations vary among states. Some, like Florida, have a very high threshold for applicability, meaning only a few tech giants will need to meet compliance. Others have lower thresholds that bring far more businesses into scope, with Texas’s Data Privacy and Security Act potentially affecting the largest number of businesses.
Cloud computing has become the backbone of modern data management — and of modern companies in general. The proliferation of cloud services makes it crucial to understand the unique challenges surrounding cloud data privacy. While cloud service providers generally offer their own security, the shared responsibility model and the reality of admin access can lead to gaps in your data protection.
A third of the governance, risk, and control professionals we polled at the 2023 ISACA conference chose Amazon Web Services as their preferred cloud provider, with Microsoft Azure coming in second at 24% and Google Cloud Platform at 8%. Notably, “two or more of the above” received 29% of the vote, indicating that multi-cloud architectures remain popular.
In our same ISACA conference poll, 57% of respondents said that they store their data in a hybrid combination of on-prem storage and a single cloud provider. Meanwhile, 22% chose an environment with on-prem storage and multiple cloud providers. Only 20% chose a solely cloud or multi-cloud architecture.
Although hybrid- and multi-cloud environments offer many benefits to companies, they can also complicate data management practices. The concern, of course, is that data privacy vulnerabilities may go unnoticed in more complex environments.
More and more organizations are migrating their data to the cloud to leverage its flexibility and cost savings. But with that move come new risks. Although cloud service providers offer some level of security, gaps in understanding the shared responsibility model can leave organizations under-protected and vulnerable in the cloud. It’s a common problem: 80% of companies have experienced at least one cloud security incident in the last year.
According to the Pew Research Center, around six in ten US adults (61%) say that privacy policies are not very effective or not at all effective in communicating how companies are using people’s data. There’s a general lack of trust and a sense of cynicism around how businesses handle personal data — from credit card and financial data to Social Security numbers to individual buying habits. Little surprise, then, that 68% of social media users have changed their online privacy settings, while a similar percentage have turned off cookies and other website tracking.
This lack of trust goes well beyond social media companies and can have real-world implications for many businesses. Almost half (49%) of US adults say they have stopped using a digital device, website, or app because they were worried about how their personal information or user data was being handled.
To gain consumer trust, organizations need far better data privacy protection — and far clearer communication around data processing practices. While data privacy laws will eventually require most companies to make smart data privacy investments, it doesn’t hurt to get ahead of the pack now.
In a world where data is both a valuable asset and a potential liability, the statistics paint a clear picture of the challenges and opportunities we face. We’ve examined the landscape of data privacy, cloud security, organizational efforts, and regulatory compliance — but we’re just scratching the surface of what it takes to keep your data safe.
ShardSecure was recently named a 2023 Gartner® Cool Vendor in Privacy. Our platform provides advanced data privacy, security, and resilience, offering an innovative approach to file-level encryption that renders sensitive data unreadable to third parties. ShardSecure also meets the European Data Protection Board’s requirements as a supplemental technology to enable cross-border data transfers under the GDPR.
While many data privacy and security technologies sacrifice speed and functionality for thorough protection, ShardSecure involves minimal performance drawbacks and does not require agents. To learn more about the ShardSecure platform and how it can benefit your company’s data privacy and protection efforts, visit our resources page.
What Is the Cost of a Data Breach in 2023? | UpGuard
What Is Intellectual Property Theft, and How Can Manufacturers Prevent It? | ABI Research
Global Ransomware Damage Costs Predicted To Reach $20 Billion (USD) By 2021 | Cybersecurity Ventures
More Than 40% of Companies Don’t Know Where Their Data Is Stored | Lepide
31 Insider Threat Statistics You Need to Know in 2023 | Tech Report
Global Data Privacy Laws 2023: 162 National Laws and 20 Bills | SSRN
Data and Privacy Unprotected in One Third of Countries, Despite Progress | UNCTAD
Shining a Light on the Florida Digital Bill of Rights | Future of Privacy Forum
50 Cloud Security Stats You Should Know in 2023 | Expert Insights
How Americans Protect Their Online Data | Pew Research Center