A breakdown of cybersecurity spending that allows companies to benchmark and build strategies to mitigate cybercrime without losing consumer trust.
Key Takeaways
A company’s cybersecurity strategy affects brand perception and consumers’ willingness to trust and engage with brands. Consumers lack faith as many expect that a data breach involving their information is inevitable. As the number of cyberattacks grows, departments across a company will need to participate in responses to these assaults.
This research breaks down cybersecurity spending so that companies can benchmark their own outlays, and it outlines strategies companies can use to mitigate cybercrime without losing consumer trust.
Cybersecurity spending will grow over the next few years, as 69% of IT execs expect to increase cybersecurity outlays in 2022, while only 15% plan a decrease.
- Cyberattacks and responses to them are on the rise. The frequency and severity of cyberattacks—and company spending related to them—will grow steadily over the next few years. These attacks are motivated by both financial and geopolitical concerns, requiring companies to improve responses across departments.
- Privacy and cybersecurity go hand in hand. Companies should address cybersecurity threats in coordination with data protection issues. These two issues are becoming more intertwined in terms of practice overlap and regulations.
- Cybersecurity is far from an IT-only issue. Attacks can shatter a brand’s reputation and damage consumer trust. Marketers and other departments have just as much to gain by working on cyber issues as the IT department.
How Big Is the Problem?
Cyberattacks are commonplace and increasing in volume—especially since the onset of the pandemic. Accordingly, cybersecurity is no longer just an IT concern: Marketing, public relations, and legal departments also must deal with the consequences of data breaches.
About a third of US and UK C-suite executives surveyed by Opinion Matters in September 2021 worry about the loss of data or intellectual property or reputational harm resulting from a ransomware attack.
Hackers prey on a variety of industries, but banking, payment services, and dating apps top the list of the industries targeted in social media cyberattacks worldwide, according to a February 2022 report from PhishLabs. Products from companies in these industries are often heavily used by firms in other sectors, meaning cyberattacks can affect a slew of consumer-facing brands.
A company’s cyber policy is closely linked to privacy and data protection policies—both are growing in importance. New technologies and the rise of remote and hybrid work will only increase risk. Ramifications like lost intellectual property, broken internal systems, and disrupted workflows are only part of the risk.
Reputational harm and lost revenue are two of the biggest consequences companies face in the wake of cyberattacks. Scripps Health reported a $112.7 million loss in revenues after a May 2021 cyberattack, and a 2021 CSI survey found nearly half of respondents would leave their financial institution in the wake of a data breach.
Companies that experience data breaches also suffer significant potential legal repercussions—with new potential regulations on the way.
- Fines can add up quickly for violations of state regulations such as the California Consumer Privacy Act and the California Privacy Rights Act, which were some of the first data protection laws in the US. Other states like New York, Colorado, Connecticut, Utah, and Virginia followed suit. In June, New York fined Carnival Cruise Line $5 million for lapses in cyber technology and training, as well as its failure to disclose a data breach in a timely manner.
- The EU’s General Data Protection Regulation, one of the world’s most comprehensive privacy regulations, is also resulting in significant fines for several multinational companies.
- The FTC recently announced it was exploring new rules governing “commercial surveillance and lax data security.” The FTC said new regulations would allow it to “establish clear privacy and data security requirements across the board” and to fine companies found to be in violation of them.
Increased global tensions raise the risk of cyberattacks. Ransomware attacks are usually financially motivated and conducted by non-state actors. But that’s less true now thanks to geopolitical issues like the conflict in Ukraine and China’s interest in Taiwan. The economic uncertainty resulting from those issues also contributes to the growing number of threats experienced by companies. And it’s not just big companies facing these perils: Even small businesses with under 10 employees are targeted.
In fact, nearly half of North American and Western European IT and cybersecurity experts said their organizations experienced ransomware attacks at least once per month, according to a January survey from data protection service OwnBackup.
What Consumers and Companies Are Thinking and Doing
The rise of cybersecurity threats is changing the behaviors of both consumers and companies.
Trust Among Consumers Is Eroding
The increase in interactions between consumers and brands on a variety of tech platforms—such as mobile apps, smart devices, and even vehicle infotainment systems—is also increasing the average person’s exposure to cybersecurity attacks.
Trust in major technology companies is relatively low. Companies in sectors as disparate as banking, healthcare, and retail and ecommerce are all subject to damaged consumer perceptions if their cybersecurity strategies are not up to snuff.
Data from The Washington Post and George Mason University shows consumers’ trust is relatively low when it comes to companies and services like Facebook, Google, and Amazon handling their personal information and data responsibly.
Only 19% of consumers worldwide believe their healthcare data is safe from hackers, according to IT firm Axway. This number is probably even lower for other types of data, considering that consumers are much more aware of regulations around health data. Factors like the pandemic and the current economic uncertainty likely contributed to this low confidence.
Privacy and security efforts should go hand in hand for companies that store or share data. With the end of many third-party data collection practices, companies are storing or sharing more first-party data than ever. But this shift can easily lead to more points of vulnerability in data practices and more potential security risks.
A proactive approach to data privacy is a competitive advantage, especially since US regulations remain fragmented and inconsistent. Brands can work on their own standards to build consumer trust.
Companies should consider the steps consumers are actually taking to protect their data when designing procedures and communication. The most frequent security actions by consumers include keeping software up to date and using different passwords for different accounts. The use of VPNs and encrypted messaging platforms is rarer. Reducing the burdens placed on the consumer will build better brand trust.
But consumers also consider some security measures annoying. Brands need to go beyond technical requirements and consider the user experience of security protocols to really change behaviors and build loyalty. According to a September 2021 survey from FICO, over one-third of banking customers worldwide found authentication methods irritating.
Companies must consider the consumer experience when implementing technical fixes to security flaws. Solutions that create friction and don’t have clear value to users risk alienating them. These issues should be considered at the early stages of designing solutions to new problems. Further, companies should remain attuned to customers’ feelings about existing solutions.
What Companies Are Doing to Prepare
In the absence of regular outreach to consumers for feedback on cybersecurity practices, there is often a disconnect between what the company is doing and what the consumer thinks is happening. Since cybersecurity has historically been siloed within the IT department, there’s often a similar disconnect within a company among departments. It’s important to shrink these gaps in understanding as threats grow.
Marketing and communications departments must now address technical data issues and not just ones related to reputation and consumer trust. This will happen more frequently as privacy practices grow in complexity and overlap with security. According to a survey from Duke University’s Fuqua School of Business, nearly two-thirds of US CMOs have promised not to sell customers’ personal information and ask for consent before using customer data. But only a bit more than one-third had developed a brand privacy policy.
Marketers are adjusting both their privacy communications and their data handling practices. Companies used to include information on privacy actions in their environmental, social, and governance reporting as a bare minimum. But many are now doing more than that. Some are making privacy the center of entire advertising campaigns. At the same time, some are implementing customer data protection practices that can include the use of data relationship management programs and data clean rooms.
- Companies should address any disconnect between consumers’ perceptions about their data practices and the reality. In January, Boston Consulting Group reported 57% of consumers believe companies are selling their data, while few brands actually consider themselves to be doing so.
- Data privacy has been at the center of several marketing campaigns over the last few years. Apple launched an ad campaign earlier this year designed to educate consumers about their data protection and security practices. The campaign ran on billboards as well as on social media video sites.
The ongoing shift to first-party data will lead to new security problems. As companies end their use of third-party identifiers, data clean rooms are becoming a popular way to fully leverage first-party data by combining it with data from outside sources. Data clean rooms are online platforms where companies can share data with advertisers safely without violating privacy practices.
In theory, these clean rooms don’t expose any sensitive consumer data, but in practice, the involvement of more players and locations creates more security risks. As a result, companies should strive for consistent, well-aligned security practices and privacy standards.
Companies should improve cybersecurity training. Only 53% of IT and cybersecurity experts in North America and Western Europe engaged in ongoing security training for employees, according to January data from OwnBackup, and less than one-third were using more comprehensive prevention exercises.
Less than 40% of UK and US C-level executives have safeguards like ransomware insurance and response plans in place. Ransomware attacks can damage a company financially, reputationally, and even legally if laws in the US go through that would effectively ban companies from making ransomware payments. Policies and nonsensitive plans should be made publicly available through a company’s website.
Walmart is an example of a company that’s heavily investing in offensive cybersecurity capabilities. In 2018, the company publicly launched its cutting-edge bug bounty program, which is still in effect today. It also created a clear security policy publicly listed on its website and continues to collaborate with security researchers.
Despite challenges, companies are successfully thwarting a good portion of cyberattacks. According to Accenture, just over 10% of attempted attacks are successful. The scale and impact of successful data breaches often overshadow positive efforts made by companies, so transparency around this would benefit brands.
One of the major challenges faced by governments and companies is the global skills shortage in cybersecurity. The global cybersecurity workforce would need to grow by 65% to effectively defend organizations, according to (ISC)²’s 2021 cyber workforce report. Cybersecurity roles require not just technical qualifications but also experience in other areas, as well as the ability to collaborate across the entire organization. Companies should proactively develop training programs and educate younger employees.
How Companies Have Responded to Breaches
Klarna
Buy now, pay later firm Klarna suffered a cybersecurity incident in May 2021. The event resulted from an internal mistake, not an external attack: a technical error let users log in to each other’s accounts.
- Klarna responded by fixing the visibility of the affected data within 31 minutes. It was forced to temporarily shut down its service as it fixed the technical problem.
- However, the company failed to communicate clearly and openly at the time of the incident, likely leaving many users with questions and damaging trust in the company.
What’s the takeaway? Cybersecurity issues are not limited to external attacks and can result from internal technical problems. While Klarna fixed the actual issue quickly, communicating with customers would have strengthened trust.
Robinhood
Fintech trading platform Robinhood suffered a social engineering cyberattack from a hacker in November 2021. The malicious actor, via a phone call, effectively tricked a customer service employee into giving them access to Robinhood’s customer support systems.
- Attackers accessed more than 5 million email addresses and 2 million names. In addition, a smaller set of more specific customer data was accessed for about 300 customers. The type of information accessed is often used by hackers for subsequent attacks, like phishing.
- Although the company secured its systems, attackers still attempted to extort a payment from it. In a blog post, Robinhood said it had reported the incident to law enforcement and enlisted Mandiant, a security firm, to investigate.
- The blog post outlined the incident and the company’s response and was updated several times. Robinhood maintained transparency and kept a public record of events that customers could access.
What’s the takeaway? Cybersecurity attacks are often socially engineered. Companies should stay up to date on social engineering attacks, particularly those aimed at employees with direct access to systems containing customer data, such as customer service. Robinhood did a good job of communicating transparently with consumers through a blog post housed on its website. This added to the perception that Robinhood took responsibility, instead of relying on third parties and press releases.
What Should Non-IT Leaders and Departments Do?
A successful cybersecurity strategy requires participation across several departments besides IT, including marketing and communications, especially when it comes to addressing cybersecurity risks as threats grow in frequency and complexity. Furthermore, the entire C-suite and board will have to actively prioritize strategy and response planning.
Communicate and Educate
It’s critical for companies to effectively communicate their efforts to mitigate cybersecurity risks with consumers. Brands need to make customers aware of company actions so they feel safe sharing their personal information.
This should be done thoughtfully to avoid scaring the consumer, instead making it clear the company cares about data safety practices. This is especially important in the event of a data breach. Open communication about what happened and what a company learned should become standard practice.
Involve Marketing Early and Often
Marketing teams need to pay close attention to cybersecurity initiatives—starting with the CMO. That’s because cybersecurity affects several issues that marketing often owns, including consumer perception, customer journeys, and data usage.
Marketing teams should actively participate in the development and rollout of cybersecurity and privacy initiatives. They should also work with other departments on consumer-facing communications around these issues. Marketing is best suited to deliver information to consumers and is key to ensuring the messages don’t unintentionally create an even bigger problem.
Pick Vendors Carefully
Choosing a cybersecurity vendor requires a holistic approach with input from all departments, not just IT. If marketing or product leaders aren’t involved, it’s likely a sign that more internal communication is needed.
Tools should work for everyone across departments, and they should be reviewed regularly to make sure they’re still meeting the company’s needs.
Relieve Your Customers of the Burden
New cybersecurity practices can quickly overburden consumers if they’re inefficient or a bother. Make sure you’re taking customer satisfaction into account during the process by soliciting feedback from them. Make choices that consider the experience of the customer, and take on the heavy work internally.
Care About the Customers’ Data, Not Just Intellectual Property
Consider having a data protection officer (DPO) role in addition to a chief information security officer (CISO). Generally speaking, a CISO is responsible for maintaining the security of the organization’s technology stack, while a DPO is responsible for maintaining compliance for personal data handling and processing. In countries with stronger privacy regulations, the DPO is an important player for limiting cybersecurity risks since the lines between privacy and security continue to blur. A company can’t address security risks without having an effective data protection practice in place to begin with.
Companies should not wait for the US government to standardize privacy requirements but, instead, create their own based on consumer interests. Addressing risk at the data privacy level will help to decrease vulnerabilities and the severity of the effects of attacks.
Bring It to the C-Suite
The more interaction between C-level executives and cybersecurity teams, the better. This will help integrate cybersecurity practices with other functions and increase visibility at the top for a holistic approach.
Strong C-suite involvement will help companies address the root issues of risks, instead of just treating the symptoms. Executive buy-in is needed to steer cybersecurity priorities and ensure effective communication from the C-suite should a breach occur.