Poor Privacy Practices Mean Higher Data Loss
The report provides concrete evidence that good privacy practices can contribute to better security outcomes.
Companies with the worst privacy practices lose seven times the number of records when they suffer a data breach.
That’s according to a new report by Osano. It analyzed the Osano privacy score of 11,000 companies against 15 years of publicly available data from breach disclosures.
One factor impacting the score is if a company sells, shares or licenses data to third parties or affiliates. Another factor is if a company knowingly collects data about children under the age of 13.
Arlo Gilbert is Osano’s CEO and co-founder. He said there’s a perception that privacy issues are similar to speeding in a car. You may get busted, but the downside is so small that it is a risk worth running, he said.
Osano’s Arlo Gilbert
“We’re now seeing that there are serious consequences for lax privacy practices that aren’t always obvious,” he said. “The level of contrast between different segments of privacy performers took our breath away. In hindsight, it isn’t entirely surprising that organizations with poor privacy practices experience more severe breaches, but a seven-times increase in records lost is a stunning difference. Similarly, we were surprised how much more likely government and educational sites were to experience security incidents compared to for-profit corporations.”
Eye-Opening Findings
Key findings from the report include:
Companies with the worst privacy practices are 80% more likely to experience a data breach than those with the best practices.
Those with the lowest of privacy scores lost 600% more records than companies with better privacy scores.
Companies with the best privacy practices lose an average of 7.7 million records in a breach. That compares to 53 million for the worst companies.
The worst privacy actors are the least likely to be able to retrospectively identify the root cause of a breach.
Educational and government websites are 15 times more likely to experience a breach than commercial sites.
The correlations between data breaches and Osano privacy scores stem from many causes. Those include willful ignorance, oversight of privacy best practices that increase risk exposure, and company culture around responsible data stewardship.
Another key link between data breaches and privacy practices is third party vendors. The average company shares its data with 750 different vendors, according to the Internal Auditors Research Foundation. Third parties were responsible for two out of every three data breaches.
“These findings are a great opportunity for MSSPs and other cybersecurity providers,” Gilbert said. “This is the first time we’ve seen such concrete evidence that good privacy practices can contribute to better security outcomes. Cybersecurity providers can reduce their client’s exposure with privacy tools or practices. We would expect to see a lot more partnerships between cybersecurity firms and privacy companies in the future.”
By prioritizing best-in-class privacy practices, companies can reduce the risk of security incidents and demonstrate their trustworthiness to customers.
“We haven’t seen clear trends across all companies observed, but there are many organizations making progress,” Gilbert said. “For example, Capital One … had a low privacy score and suffered a breach that exposed 100 million of its customers. Within 12 months, they made changes to their privacy practices and significantly improved their Osano privacy score.”
About the Author
You May Also Like