The 2023 Benchmark survey of security pros worldwide found that companies are taking action on customer privacy, but transparency is key.
Cisco’s 2023 Data Privacy Benchmark Study found that companies that invest in closing the gap are benefitting: The study found that the estimated dollar value of benefits from privacy rose more than 13% in 2022 to $3.4 million from $3.0 million the year before, with significant gains across the various organization sizes.
However, 92% of respondents said their companies need to do more to protect consumer data. This finding is about the same as last year, when 90% of respondents expressed that opinion.
Cisco: Investing in protecting consumers’ privacy pays dividends
Cisco’s sixth annual 2023 benchmark is a double-blind study based on a survey of over 4,700 security professionals in 26 countries. This survey found that, economic headwinds notwithstanding, organizations are investing in privacy, with spending up significantly from $1.2 million just three years ago to $2.7 million this year, on average, which is a 125% increase.
A Cisco blog about its 2023 Data Privacy Benchmark Survey said its estimated $3.4 million value of benefits from privacy initiatives constituted 1.8 times spending on privacy, with 36% of organizations getting returns at least twice their spending. The study noted that 30% of respondents in the U.S. identified privacy as a job responsibility (Figure A).
Nearly three quarters of organizations Cisco surveyed said they were getting “significant” or “very significant” benefits from privacy investments. These included building trust with customers, reducing sales delays and mitigating losses from data breaches. Some 94% of all respondents indicated they believe the benefits of privacy outweigh the costs overall.
Almost all companies reporting privacy metrics to leadership
Almost every organization (98%) said they are reporting one or more privacy-related metrics to the board of directors, per Cisco, with the average number of privacy metrics at 3.1, up from the 2.6 metrics reported in last year’s benchmark survey (Figure B).
The most-reported privacy metrics include:
- The status of any data breaches.
- Impact assessments.
- Incident response.
Privacy legislation continues to be very well-received around the world. Seventy-nine percent of all corporate respondents said privacy laws have had a positive impact, and only 6% indicated that the laws have had a negative impact.
Companies can do more to reassure customers about privacy
Ninety-two percent of respondents to Cisco’s survey said their organizations need to do more to reassure customers about their data, and organizations’ privacy priorities differ from those expressed by consumers. The study also found:
- 90% said global providers are better able to protect their data compared with local providers.
- 94% of organizations said their customers won’t buy from them if data is not properly protected.
- 95% said all their employees need to know how to protect data privacy.
Still, a look at Cisco’s 2022 Consumer Privacy Survey suggests a persistent disconnect between data privacy measures by companies and what consumers expect from organizations, especially regarding how organizations apply and use artificial intelligence (Figure C).
Consumers are willing, sort of, to give AI the benefit of the doubt
Last year, Cisco issued a responsible AI framework and principles for responsible AI, in which the company stated it “informs customers when AI is being used to make decisions that affect them in material and consequential ways. Customers and users can then inform us of their concerns or let us know when they disagree with decisions.”
In the 2022 Consumer Privacy Survey referenced above, Cisco reported that consumers showed some willingness to share data for AI models but are dubious about how that data will be used:
- 43% of consumers said they thought AI could be useful.
- 54% were willing to share anonymized personal data to improve AI products.
- 60% expressed concern about the business use of AI.
- 65% said they had already lost trust in organizations over their AI practices.
Consumers also said the top approach for making them more comfortable would be to provide opportunities for them to opt out of AI-based solutions. Only 21% of organizations participating in this year’s 2023 privacy benchmark survey said they would put in place ways for consumers to opt out of AI opportunities.
How organizations are mediating the AI relationship
Cisco’s 2023 privacy study suggests that organizations are taking steps to make consumers more comfortable with AI:
- 63% of organizations said they are ensuring a human is involved in the process.
- 60% said they are explaining how the AI application works.
- 55% are adopting AI ethics principles.
- 53% said they are applying an AI ethics management program to identify and reduce unintended bias.
- 47% said they are auditing for bias.
Cisco recommends baking in transparency, privacy and AI ethics
Given exponential increases in the use of AI-driven metrics and business intelligence, and based on the study’s findings, Cisco has recommendations for improving organizations’ trustworthiness and maximizing the benefits of privacy investments:
- Invest in privacy throughout the organization, especially among security and IT professionals and those involved directly with personal data processing and protection.
- Bake transparency into customer communications around how customers’ personal data is being used. Pointedly, compliance should be considered table stakes and transparency a business imperative because it is the key to trust, per Cisco.
- Ensure that AI design walks in lockstep with AI ethics principles, and that there are preferred management options to reassure customers, deliver greater transparency to the automated decision and ensure that a human is involved in the process when the decision is consequential to a person.
- Consider the costs and consequences of data localization and recognize that local providers may be more expensive than global providers operating at scale and may degrade the functionality, privacy and security of data.
In recent years, organizations have poured resources into protecting their customers’ privacy. With the threat of high-profile data breaches looming, business leaders are investing heavily in the latest security technologies to protect their customers’ data.
Organizations may possess the most up-to-date security technology and knowledgeable experts, but is that enough? Do customers actually understand and know the measures companies are taking to protect their data? It is likely that few customers fully recognize the steps that their organizations are taking to maintain their privacy.
One of the biggest challenges is awareness. Many businesses are understandably reluctant to draw too much attention to their security and privacy efforts, fearing the very real possibility of their improved security protocols becoming a target for hackers. However, the unchecked expectations of customers can lead to dissatisfaction and mistrust if their security measures are not communicated properly.
Organizations need to be up-front and honest about their security practices and be willing to provide answers to customer inquiries. This requires privacy policies to be crafted with accurate, concise language that customers can easily understand. Technical jargon may impress security experts, but it will not resonate with customers, who will most likely switch to competitors unless they have a solid understanding of the steps taken to protect their data.
Organizations need to be aware that investing in the latest security technology is just one part of the equation. Taking the time to properly explain security procedures to their customers is just as important in order to ensure that their privacy is respected and that customer confidence is maintained.