A new report from Cisco showed that two-thirds of companies are currently losing sales because of their customers’ growing privacy concerns, which prolong the sales process. Similarly, bad cybersecurity practices are costing companies millions to hundreds of millions of dollars in repairing data breach damage, as well as lost revenue.
2018 - The Year Of Strong Data Protection?
Privacy is quickly becoming a bigger factor in companies’ sales, according to Cisco’s 2018 Privacy Benchmark Maturity (PDF). Privacy policies are no longer just legalese meant to keep companies out of trouble, because if done wrong, many businesses risk losing sales from potential customers.
Over 65% of the companies questioned by Cisco have already admitted that data privacy concerns are delaying their sales process. Over 90% of the companies reported delays up to 20 weeks, while the average delay was 7.8 weeks.
A significant number reported delays between 50 and 100 weeks. This means the sales process can take at least 1-2 years longer simply because their customers don’t feel satisfied with the companies’ existing focus on privacy.
The delays don’t just mean that the customers will buy the products later than they would otherwise, because some of them end up either not buying the product at all or buying it from a competitor. Therefore, bad privacy policies can lead not just to lost sales but also to a loss of market share to competitors’ benefit.
The study shows that the longest sales delays happened in Latin America (an average delay of 15.4 weeks), Mexico (13 weeks), and Japan (12.1 weeks). The shortest delays were reported in China (2.8 weeks) and Russia (3.3 weeks).
In terms of industry, government and healthcare sales saw the biggest delays due to cybersecurity and privacy concerns.
Privacy-Immature Companies Most At Risk
The report also found that companies that didn’t take privacy too seriously were the most impacted by these delays. Cisco benchmarked the privacy-maturity of companies based on standards defined by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). These standards are defined as follows:
- Ad hoc — Privacy procedures or processes are generally informal, incomplete, and inconsistently applied.
- Repeatable — Privacy procedures or processes exist; however, they are not fully documented and do not cover all relevant aspects.
- Defined — Privacy procedures and processes are fully documented and implemented, and cover all relevant aspects.
- Managed — Reviews are conducted to assess the effectiveness of the privacy controls in place.
- Optimized — Regular review and feedback are used to ensure continuous improvement towards optimization of privacy processes.
Companies that had “defined” privacy procedures saw a 70% improvement in sales processes compared to the companies that had “ad hoc” or informal and incomplete privacy procedures.
Privacy-Mature Companies Are More Secure
Companies that are privacy-mature are not only seeing much shorter sales processes, but are also more protected against data breaches. Only 39% of the privacy-mature companies saw losses of over $500,000 compared to the 74% of the privacy-immature companies. According to Cisco, the lower damages that privacy-mature companies see may also have something to do with them gathering less data than the immature companies.
As hackers become more sophisticated in breaking into large organizations, it may be a good idea for companies to treat customer data as more of a liability than an asset, at least data that isn’t required for the functioning of the product or service. Then, if a data breach does happen, at least the damage will be minimized and the companies won’t have to suffer as large of a hit to their public image.
Maersk Chair: Companies Need To Stop Being Naive About Cybersecurity
Recently, the giant shipping company Maersk suffered a devastating cyber attack through the NotPetya malware. After the attack, the company had to essentially replace its whole infrastructure and reinstall 45,000 PCs and 4,000 servers. This task, which the chair Jim Hagemann Snabe said would have normally taken six months, was performed in a record 10 days. However, even though getting rid of NotPetya from its large infrastructure took a relatively small amount of time, this single attack still ended up costing the company $250-$300 million, part of which was due to losing 20% of the sales in that period.
At the World Economic Forum in Davos, Snabe said that this incident should be a significant “wake-up call” for every company out there, because it could be them next. He also talked about three important lessons that the company learned during this whole incident:
- Cybersecurity needs to become their competitive advantage, and being mediocre like everyone else is no longer enough. This is a lesson he argued more companies should learn sooner rather than later.
- Companies need to stop being naive about cybersecurity. Many companies will experience their own similar data breaches in the future if they don’t treat cybersecurity in a more proactive, rather than reactive, way.
- There is a need for a radically new and more secure infrastructure for the internet, as everything we do becomes more digitized, and thus more at risk of suffering cyber attacks.
This year may be the year when companies do get this wake-up call that cyber security and data privacy and protection are important not just for the customers who give their data away to the companies, but also for the companies themselves if they don’t want to lose sales or suffer major disruptions because of poor data protection procedures.