Customer trust is critical to long-term business success. But it is dramatically undermined when organizations fail to protect customers’ personally identifiable information (PII). One study claims that two-thirds (66%) of US consumers would not trust a previously breached company with their data. And three-quarters (75%) say they’re ready to cut ties with a brand in the aftermath of a cybersecurity incident.
The bad news is that breached customer PII is increasingly common, and costing firms dear, according to a new report from IBM. It’s time to focus on what matters, and roll out data-centric security.
Customer loyalty is hard won today. But it can be lost in the blink of an eye. Despite investing heavily in cybersecurity, organizations are still getting compromised in great numbers. Threat actors have a variety of tools and tactics at their disposal – many of them provided “as a service” on the cybercrime underground. That makes it simple even for those without a technical background to cash in on the insatiable appetite for stolen data.
For CISOs, defending against these attacks is becoming increasingly challenging. All it takes is a well-timed phishing email, an unpatched IT asset or a misconfigured cloud account and threat actors could have their hands on that customer or employee PII. The attack surface is simply too large for many organizations to effectively defend every port, application, IT asset and employee.
This is bad news because, according to IBM’s latest study, customer data is an increasingly popular target for threat actors. It claims that nearly half (46%) of all breaches over the past year involved customer PII such as tax identification (ID) numbers, emails, phone numbers and home addresses. After employee PII ($189), customer PII ($179) is the costliest data type per record, beating intellectual property ($173) and “other corporate data” ($171).
In effect, this means that it costs more to recover from the theft of customer email, address, tax and other information than it does from compromise of the organization’s most sensitive trade secrets. Part of this is down to the impact breached PII has on those customers. It’s usually sold on the cybercrime underground to scammers who use it in identity fraud such as account takeover or new account scams. This can harm credit scores and take significant time, effort and pain for the victim to resolve. A 2023 report claims that 16% of American identity theft victims have had suicidal thoughts following their experiences, up from just 8% in 2020.
It’s perhaps unsurprising, then, that many customers will decide to part ways with a breached company. Costs from “lost business” including customer churn rose 11% annually this year, according to IBM.
To add insult to injury, most organizations pass on the cost of their data breaches to customers. The share planning to do so this year increased from 57% in 2023 to 63%, according to IBM. A better idea would be to invest proactively in improved data protection, to minimise breach costs and preserve reputation and customer trust.
With a data-centric security approach, organizations implicitly acknowledge that – even with their best efforts – determined threat actors will always find a way through their defenses. But when they do reach data stores, they’ll find that customer PII is scrambled by strong encryption or tokenization – even if it’s being stored in the cloud. With technology like comforte’s Data Security Platform, organizations can roll out a comprehensive and consistent data discovery, classification and protection program across the entire enterprise – including hybrid and multi-cloud environments.
It’s time to protect what matters.