Privacy concerns may not be the first issue that comes to mind when building an enterprise cyber resilience plan. However, you should expect them to gain prominence. For perspective, consider for a moment that the NIST Privacy Framework is a relatively new tool. It was only first deployed in January 2020.

Even ISO only released its new standalone standard in August 2019. As part of the 27000 family, ISO/IEC 27701:2019 “specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.”

Now get this: the technical team responsible for its development is called ISO/IEC JTC 1/SC 27 Information security, cybersecurity and privacy protection (emphasis added).

Let’s up the ante to emphasize the connection to cybersecurity resilience just a little bit more. Want to know what NIST did? They developed a very handy crosswalk tool, which maps controls from the Privacy Framework to the Cybersecurity Framework and vice-versa.

Therefore, the interplay between the two issues, cybersecurity and privacy, really raises the question: does a strong cybersecurity program begin with a strong privacy program?

See how all of a sudden privacy issues really do tie into your overall resilience? There are a few areas in particular where privacy issues could really test your organization. Keep in mind reputation, disclosure, compliance and financial cost.

How Much Is Your Reputation Worth?

Gossip, rumor, and yes, even legitimate bulletins and news blaze across the world at record speeds. Managing your reputation at warp speed is critical to your organization’s cyber resilience. Largely thanks to social media, a negative story can cause major damage to your reputation and brand. It can happen even within a matter of minutes.

Yes, minutes.

As a publicly traded company, you could see massive dips in your market cap. Think about it. Trading has become less about ‘boring’ things like EBITA, Price-to-Book ratio or quarterly earnings. It has become more speculative, with an emotional flair to it.

So what is the link to privacy, then? Well, if we’re still riding that emotional flair, candidly speaking, people take their personally identifiable information (PII) pretty darn seriously. It is an emotional reaction that triggers what happens next, not necessarily a deliberate, well-thought-out course of action.

Keep Your Customers’ Faith

Keep in mind that no matter how common breaches become, or the growing awareness in the general public that they are happening, few things can frustrate people more than spending time to set up credit alerts, chasing down possible fraud and living with that feeling of being violated somehow. That ‘contract’ or bond between the customer and the organization breaks.

And if you think losing part of your customer base does not impact the organization’s cyber resilience, I have a bag of beans to sell you, magic not included.

One perspective that ties together privacy, security and reputation is an intangible issue: your organization’s goodwill. How much is that worth to you?

I can make you a promise: standing up your applications, spinning up new instances, loading up backups and getting all your transactional capabilities up and running means nothing if your customers no longer have faith or confidence in doing business with you. You have reached bust. Kaput. The end.

That’s one of the reasons privacy matters to cyber resilience: it keeps an eye on the hidden cost.

Time Is Not Your Friend When It Comes to Cyber Resilience

Now let us look at a couple of the tangible issues: disclosure and compliance. Or, put another way, time and money. If you have been following what the Securities and Exchange Commission (SEC) has been up to regarding cybersecurity disclosures, the message is pretty blunt: provide timely and quality disclosures related to breaches. All the more reason your crisis communication planning needs to have these close partnerships with external bodies ready to go.

Think about it like this: in a crisis situation, you want to drive the message as much as possible, because that is one of your control levers. If somebody else drives the message (or knocks on your door asking why you haven’t disclosed in time) you’re losing and you’re looking for a bruising.

Let’s look at part of a privacy breach scenario for a moment:

  1. Word leaks (who cares how, or if it is even true) that your organization has suffered a breach and PII has made it out into the wild.
  2. That information makes it to social media, and a couple of major news organizations or security influencers pick up the story and amplify it.
  3. Everyday people start to digest the news item and begin to worry (e.g., is their information exposed?).
  4. Other stakeholders, namely shareholders, start to panic because there are signs of a sell-off happening.
  5. Phone calls are being made at the board level to contain this looming disaster.

See how this is going? We’re not even at the SEC “ahem” call yet!

This is an extreme example, right? Perhaps it is. But there is something larger going on here: if you are not planning and preparing for extreme, you may as well be faking it.

Cyber Resilience: Ride the Storm

Have you perhaps noticed that the cybersecurity issue is becoming more difficult to manage and not easier? Perhaps you have noticed breaches are also becoming costlier? A quick rundown of IBM’s Data Breach Report 2021 is as follows:

  • Highest average cost in 17 years
  • Remote work increasing the cost
  • Compromised credentials are the main source of breaches
  • Security AI has the biggest cost-mitigating effect
  • Zero trust approach helps reduce cost
  • Cloud migrations impacted cost containment

Okay, so what does it all have to do with privacy? What impact will it make on organizational resilience?

Simple: privacy is both an amplifier and a sleeping giant. That is why preparing for the extreme event is required. What happens when you lose the confidence and faith of your entire customer base? You may be able to survive the fines, the penalties, the downed operational time and even the rebuild costs.

But the reputational hit? Perhaps not. Do what you can to ensure that the unspoken contract between you and your customer is not broken: protect their privacy.

Next in the journey, we look at security-by-design. Or as I like to call it: break it while you build it.
