Cybersecurity in Today’s Rapidly Changing Threat Landscape: A Comprehensive Look at Emerging Risks, Data Protection and Privacy Laws, and Customer Trust
As a cybersecurity architect within the SAP Chief Trust Office (CtrO), I regularly encounter customers seeking to safeguard their organization’s data confidentiality, integrity, and availability. This can be a daunting task for customers across industries, lines of business, and technology stacks. Complicating matters is the fact that there is no one-size-fits-all approach. However, there are common strategies that can be deployed unilaterally that are cost effective, provide ample benefit, and mitigate risk.
This blog post will explore the emerging risks in the threat landscape, the importance of data protection and privacy laws in Virginia, New York, and California, and the crucial role customer trust plays in today’s competitive markets, while also showcasing how SAP, as a market leader in enterprise software and cloud services, is well-positioned to address and mitigate these risks.
Section 1: Emerging Risks in the Overall Threat Landscape.
At SAP, we know that the threat landscape is constantly evolving, presenting new challenges for corporate leaders. As organizations rely more on technology, they become increasingly susceptible to cyber-attacks. Here are some emerging risks that corporate leadership should be aware of:
- Ransomware Attacks: Ransomware attacks have become increasingly sophisticated and targeted, with criminals demanding significant ransoms for encrypted data. These attacks can lead to prolonged downtime and severe financial losses.
- Customers can leverage SAP’s Defensive Strategy for Ransomware. SAP incorporates the NIST Cybersecurity Framework, including the five functions: identify, protect, detect, respond, and recover to mitigate ransomware risks.
- Supply Chain Attacks: Cybercriminals are now targeting supply chain partners to infiltrate larger organizations. By compromising a smaller company’s systems, attackers can gain access to their ultimate target’s sensitive data.
- SAP has effectively integrated Information Security Management Systems (ISMS) standards (e.g.: ISO 2700x) at both the product and governance levels to minimize the risk of supply chain attacks. This comprehensive approach is formally defined by SAP as the SAP Integrated Information Security Management System (SAP IISMS), which is detailed in the SAP Quality Management Guide.
- IoT Vulnerabilities: As more organizations adopt Internet of Things (IoT) devices, they must be aware of the inherent security risks. Many IoT devices lack proper security measures, making them attractive targets for cybercriminals.
- SAP proactively mitigates IoT attack risks by incorporating logical and physical data isolation, network segmentation, data encryption in transit and at rest, and robust identity and access management controls from the foundational level. These measures are consistently defined, maintained, and reviewed to guarantee the confidentiality, integrity, and availability of SAP services. More information is publicly available on the SAP Trust Center.
- AI-Driven Threats: Attackers are using artificial intelligence (AI) to create more advanced malware and exploit vulnerabilities in systems. Organizations must adapt their cybersecurity strategies to address these AI-driven threats.
- SAP recognizes the risks its customers confront, including AI-driven threats that target both technological and human aspects of an enterprise. To address these risks, SAP mandates security training for all employees with role-specific content and broader topics such as anti-phishing measures. Furthermore, SAP proactively scans and patches systems on a regular basis to maintain a robust security posture.
Section 2: Data Protection and Privacy Laws in Virginia, New York, and California.
As cyber threats continue to evolve, lawmakers are implementing stricter data protection and privacy laws to protect consumers. Corporate leadership must stay informed about these new laws and ensure their organizations are compliant. For example, the Virginia Consumer Data Protection Act (CDPA) states that effective from January 1, 2023, the CDPA grants consumers the right to access, delete, and correct their personal data. Organizations must also obtain consent before collecting sensitive data and have a data protection officer to ensure compliance. This can be particularly challenging for larger enterprises with a global customer footprint.
The New York Privacy Act (NYPA), is a piece of legislation proposed in 2021. The NYPA aims to provide consumers with more control over their personal data. The legislation would require businesses to disclose data collection practices and obtain consent before selling personal data. The act is still under consideration and may be subject to further revisions
The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant Californian consumers the right to access, delete, and opt-out of the sale of their personal information. The CPRA, effective from January 1, 2023, expands on these rights and establishes the California Privacy Protection Agency, which enforces data privacy regulations. Failure to comply with these laws can result in substantial financial penalties and damage to corporate reputations. Consequently, leaders must establish and enforce thorough data protection and privacy policies. With the emergence of new legislation across the US and internationally, companies face ever-changing internal and external pressures to maintain compliance. To tackle these growing challenges, SAP has assembled an international, cross-functional team of experts, backed by SAP senior leadership, to proactively identify and address emerging legislation. This team is empowered to guide both SAP and, in effect, its customers through these evolving regulatory landscapes.
Section 3: Customer Trust in Today’s Competitive Markets.
In today’s competitive markets, customer trust is a valuable commodity. Data breaches and cyber-attacks can significantly erode this trust, leading to long-lasting consequences for businesses. Corporate leaders must prioritize cybersecurity to maintain and strengthen customer trust.
Ways SAP Can Assist Customers: Exploring Areas of Support
- Brand Reputation: Customers are more likely to engage with a brand they trust. A data breach can severely tarnish a brand’s reputation, leading to lost customers and decreased revenue. By prioritizing cybersecurity, corporate leaders can protect their brand image and maintain consumer confidence.
- Example: A major US credit bureau experienced a massive data breach, affecting around 147 million consumers. The breach exposed sensitive information, including Social Security numbers, birth dates, addresses, and driver’s license numbers. In 2019, the credit bureau reached a settlement and agreed to pay at least $575 million, with up to $425 million dedicated to providing compensation for affected consumers, and the remaining $100 million as a civil penalty to the CFPB. This data breach not only resulted in significant financial penalties for the organization but also severely damaged its reputation and highlighted the importance of timely software updates and robust cybersecurity practices.
- Customer Loyalty: Trust is a key factor in customer loyalty. When customers trust a company to protect their personal information, they are more likely to continue doing business with that organization. A strong cybersecurity strategy can help build and maintain customer loyalty, which is vital for long-term success.
- Example: A 2013 data breach at a large American retailer severely impacted customer trust when cybercriminals compromised around 110 million customers’ payment card data and personal information. As a result, concerns emerged regarding the organization’s ability to protect customer data, leading to decreased loyalty and hesitance to shop at their stores. The company faced numerous lawsuits, ultimately agreeing to an $18.5 million settlement with 47 U.S. states and the District of Columbia. The breach led to the resignation of the CEO and CIO and prompted significant investments in cybersecurity.
- Competitive Advantage: As data breaches become increasingly common, businesses that demonstrate a commitment to cybersecurity can gain a competitive advantage. By investing in strong cybersecurity measures, corporate leaders can differentiate their organizations from competitors and attract security-conscious consumers.
- Example: A large search engine company experienced one of the largest data breaches in history, affecting around 3 billion user accounts. In 2013, all user accounts were compromised, followed by another breach in 2014 that affected 500 million accounts. The breaches exposed users’ names, email addresses, telephone numbers, dates of birth, encrypted passwords, and security questions. The breaches were not disclosed until 2016, which significantly impacted the organization’s reputation and resulted in a $350 million reduction in the acquisition price by a larger telecommunications company. The affected organization was also fined $35 million by the U.S. Securities and Exchange Commission (SEC) for not disclosing the breaches in a timely manner.
- Regulatory Compliance: As mentioned earlier, complying with data protection and privacy laws is essential for organizations to maintain customer trust. Demonstrating compliance can reassure customers that their personal data is being handled responsibly and securely.
- Example: A 2018 data breach of a large airline, affecting 500,000 customers, stands as one of the worst breaches in regulatory compliance history, specifically under the GDPR. Cybercriminals exploited a website vulnerability, intercepting personal and financial information during the booking process. The breach damaged the airline’s reputation and customer trust, going undetected for two weeks. In response, the UK’s Information Commissioner’s Office (ICO) issued a record fine of £183 million ($230 million) for GDPR violations. This incident highlights the severe consequences companies face for failing to protect customer data and maintain regulatory compliance.
In today’s rapidly changing threat landscape, corporate leadership must prioritize cybersecurity to protect their organizations from emerging risks, comply with data protection and privacy laws, and maintain customer trust. As a global enterprise cloud services company, SAP is uniquely positioned to address and mitigate many of the risks its customers face, both today and in the future. By staying informed about new threats, adapting cybersecurity strategies, and ensuring compliance with relevant legislation, corporate leaders can safeguard their organizations and thrive in today’s competitive markets. Investing in cybersecurity is not just a necessity, but a strategic move that can significantly impact an organization’s long-term success.