Privacy concerns may not be the first issue that comes to mind when building an enterprise cyber resilience plan. However, you should expect them to gain prominence. For perspective, consider for a moment that the NIST Privacy Framework is a relatively new tool. It was only first deployed in January 2020.

Even ISO only released its new standalone standard in August 2019. As part of the 27000 family, ISO/IEC 27701:2019 “specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.”

Now get this: the technical team responsible for its development is called ISO/IEC JTC 1/SC 27 Information security, cybersecurity and privacy protection (emphasis added).

Let’s up the ante to emphasize the connection to cybersecurity resilience just a little bit more. Want to know what NIST did? They developed a very handy crosswalk tool, which maps controls from the Privacy Framework to the Cybersecurity Framework and vice-versa.

Therefore, the interplay between the two issues, cybersecurity and privacy, really begs the question: does a strong cybersecurity program begin in a strong privacy program?

See how all of a sudden privacy issues really do tie into your overall resilience? There are a few areas in particular that privacy issues could really test your organization. Keep in mind reputation, disclosure, compliance and financial cost.

How Much Is Your Reputation Worth?

Gossip, rumor, and yes, even legitimate bulletins and news blaze across the world at record speeds. Managing your reputation at warp speed is critical to your organization’s cyber resilience. Largely thanks to social media, a negative story can cause major damage to your reputation and brand. It can happen even within a matter of minutes.

Yes, minutes.

As a publicly traded company, you could see massive dips in your market cap. Think about it. Trading has become less about ‘boring’ things like EBITA, Price-to-Book ratio or quarterly earnings. It has become more speculative, with an emotional flare to it.

So what is the link to privacy, then? Well, if we’re still riding that emotional flare, candidly speaking, people take their personally identifiable information (PII) pretty darn seriously. It is an emotional reaction that triggers what happens next, not necessarily a deliberate, well-thought-out course of action.

Keep Your Customers’ Faith

Keep in mind that no matter how common breaches become, or the growing awareness in the general public that they are happening, few things can frustrate people more than spending time to set up credit alerts, chasing down possible fraud and living with that feeling of being violated somehow. That ‘contract’ or bond between the customer and the organization breaks.

And if you think losing part of your customer base does not impact the organization’s cyber resilience, I have a bag of beans to sell you, magic not included.

One perspective that ties together privacy, security and reputation is an intangible issue: your organization’s goodwill. How much is that worth to you?

I can make you a promise: standing up your applications, spinning up new instances, loading up backups and getting all your transactional capabilities up and running means nothing if your customers no longer have faith or confidence in doing business with you. You have reached bust. Kaput. The end.

That’s one of the reasons privacy matters to cyber resilience: it’s keeping an eye out on the hidden cost.

Time Is Not Your Friend When it Comes to Cyber Resilience

Now let us look at a couple of the tangible issues: disclosure and compliance. Or, put another way, time and money. If you have been following what the Security Exchange Commission (SEC) has been up to regarding cybersecurity disclosures, the message is pretty blunt: provide timely and quality disclosures related to breaches. All the more reason your crisis communication planning needs to have these close partnerships with external bodies all ready to go.

Think about it like this: in a crisis situation, you want to drive the message as much as possible, because that is one of your control levers. If somebody else drives the message (or knocks on your door asking why you haven’t disclosed in time) you’re losing and you’re looking for a bruising.

Let’s look at part of a privacy breach scenario for a moment:

  1. Word leaks (who cares how, or if it is even true) that your organization has suffered a breach and PII has made it out into the wild.
  2. That information makes it to social media, and a couple of major news organizations or security influencers pick up the story and amplify it.
  3. Every day people start to digest the news item and begin to worry (e.g., is their information exposed?).
  4. Other stakeholders, namely shareholders, start to panic because there are signs of a sell-off happening.
  5. Phone calls are being made at the board level to contain this looming disaster.

See how this is going? We’re not even at the SEC “ahem” call yet!

This is an extreme example, right? Perhaps it is. But there is something larger going on here: if you are not planning and preparing for extreme, you may as well be faking it.

Cyber Resilience: Ride the Storm

Have you perhaps noticed that the cybersecurity issue is becoming more difficult to manage and not easier? Perhaps you have noticed breaches are also becoming costlier? Let’s do a quick rundown of IBM’s Data Breach Report 2021 is as follows:

  • Highest average cost in 17 years
  • Remote work increasing the cost
  • Compromised credentials are the main source of breaches
  • Security AI has the biggest cost-mitigating effect
  • Zero trust approach helps reduce cost
  • Cloud migrations impacted cost containment.

Okay, so what does it all have to do with privacy? What impact will it make on organizational resilience?

Simple: privacy is both amplifier and sleeping giant. That is why preparing for the extreme event is required. What happens when you lose the confidence and faith of all your customer base? You may be able to survive the fines, the penalties, the downed operational time and even the rebuild costs.

But the reputational hit? Perhaps not. Do what you can to ensure that the unspoken contract between you and your customer is not broken: protect their privacy.

Next in the journey, we look at security-by-design. Or as I like to call it: break it while you build it.

More from Incident Response

What cybersecurity pros can learn from first responders

4 min read - Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything. But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists…

X-Force uncovers global NetScaler Gateway credential harvesting campaign

6 min read - This post was made possible through the contributions of Bastien Lardy, Sebastiano Marinaccio and Ruben Castillo. In September of 2023, X-Force uncovered a campaign where attackers were exploiting the vulnerability identified in CVE-2023-3519 to attack unpatched NetScaler Gateways to insert a malicious script into the HTML content of the authentication web page to capture user credentials. The campaign is another example of increased interest from cyber criminals in credentials. The 2023 X-Force cloud threat report found that 67% of cloud-related…

Tequila OS 2.0: The first forensic Linux distribution in Latin America

3 min read - Incident response teams are stretched thin, and the threats are only intensifying. But new tools are helping bridge the gap for cybersecurity pros in Latin America. IBM Security X-Force Threat Intelligence Index 2023 found that 12% of the security incidents X-force responded to were in Latin America. In comparison, 31% were in the Asia-Pacific, followed by Europe with 28%, North America with 25% and the Middle East with 4%. In the Latin American region, Brazil had 67% of incidents that…

Alert fatigue: A 911 cyber call center that never sleeps

4 min read - Imagine running a 911 call center where the switchboard is constantly lit up with incoming calls. The initial question, “What’s your emergency, please?” aims to funnel the event to the right responder for triage and assessment. Over the course of your shift, requests could range from soft-spoken “I’m having a heart attack” pleas to “Where’s my pizza?” freak-outs eating up important resources. Now add into the mix a volume of calls that burnout kicks in and important threats are missed.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today