Today, sensitive data leaks have become so commonplace that an individual’s social security number can cost as little as $1 USD on the black market. Despite the low prices, data breaches remain a lucrative and attractive activity to cybercriminals as the margins for conducting such attacks remain low. Conversely, the overhead of keeping data secure has skyrocketed–as have the financial and reputational penalties awarded to unsuccessful defenders against sensitive data leaks.
Enterprises are growing increasingly concerned by these trends and are responding accordingly. A recent Gartner projects that enterprises will increase Data Privacy and Data Security spending in 2023 by 16.9% and 14.2%, respectively. It is worth noting that the budgets already allocated to these domains exceed $5B in total. Intent on discovering how these numbers translate into practical outcomes, the Piiano team set out to understand where enterprise privacy postures currently stand and how the professionals dedicated to both privacy and security intend to improve them.
We prepared an extensive questionnaire completed by security and privacy leaders from a wide spectrum of industry types. Respondents included CISOs (48%), DPOs (8%), VPs of Engineering (3%) and CTOs (3%). The other 35% consisted of Product Security Owners, Directors of Platform Security, Security Leaders, Privacy Managers, Heads of Security Architecture, VPs of Information Security and Privacy, VPs of Product Security, BISOs and Chief Security & Privacy Officers. The majority (48%) of respondents hailed from B2B companies, while others included B2C (28%) and B2B2C (19%). 60% of participating companies employ more than 1000 people.
Along a similar vein, we received nearly equivalent responses when we asked about their organization’s compliance with privacy regulations. 58% of respondents indicated that they only feel somewhat confident in them (answered 3, 4, or 5 out of 7), though the number that felt fully confident was much higher, at 38% (answered 6, or 7 out of 7).
When analyzing the distribution of responses across participating companies, we found that B2C (75%) made up the largest portion of those with high confidence–as opposed to B2B’s 55%. We do not find this surprising, as the onus is much more clearly placed on B2C companies to both familiarize themselves with and honor regulations. It is important to note that regulations continue to be involved–meaning that these B2C companies also feel confident in their capacity to follow and translate any changes to policy on an ongoing basis.
We also asked respondents how important they believed good privacy posture was for business differentiation. Nearly half (48%) answered in the affirmative–a number we expect to grow as consumer consciousness over privacy matters also grows. Currently, privacy lags behind the security sector’s maturity. This is reflected in both overall awareness and the number of available privacy vendors in the market. However, as more companies embed privacy into their messaging, we can already see the tides begin to shift. Once again, B2C companies formed the majority (75%) of respondents who placed more emphasis on privacy’s importance. This is hardly unexpected, given that they work directly with customers who would feel sensitive data leaks most acutely.
We carried on our research by asking respondents to share their current privacy practices, taking care to analyze how they stood against the data accumulated on their perception of privacy. Our first question determined whether or not respondents protected PII differently from non-sensitive information. Though a basic tenet of data privacy best practice, we were curious to see how this was actually realized by enterprises today. Given that companies now collect an overwhelming amount of data, it is impossible to afford data privacy the attention it requires as a discipline if the same treatment is given to all data equally.
76% of the respondents said that PII does receive special treatment, while 18% admitted to not providing PII with any special protection at all. Once again, B2C companies (83%) represented the most significant proportion that do, though B2B (76%) and B2B2C (67%) companies did not trail too far behind. It is worth noting that, at this point in the survey, we did not clarify what type of special protection might be employed.
Utilization and Privacy Assessments of Third-Party APIs Storing PII
We also asked if participating companies utilize third-party APIs to store sensitive information, following up with how extensively they vet third parties with privacy assessments before engaging with them. Both are important indicators of PII footprints, with the latter representing a baseline best practice for good security posture. Of the 34% of respondents who do store sensitive customer data with third parties, the majority (85%) expressly carry out such assessments. However, 17% of respondents did not know whether third parties store their information–a worrisome figure, as sensitive data protection isn’t possible without accounting for all of it.
Prioritizing Risk Mitigation Strategies for Storing Sensitive Data
Given the complexity of PII protection, especially for large organizations, we wished to learn how companies currently manage it. We were particularly interested in understanding if companies treat the discipline as a high priority. If not, there is a high chance that privacy-related tasks can remain bottlenecked while companies focus on more pressing matters on their “to-do” lists. Most companies (54%) indicated that they do not prioritize PII protection as a high priority. B2C companies were the most likely to prioritize it (47%), followed by B2B (39%).
Which Customer PII is Most Important to Protect?
Expanding on our question of whether PII receives special attention, we next asked what types of PII were most important for our respondents to protect. 53% shared that they assign the same importance to all PII. Those that ranked different types of PII first focused on financial information, such as bank account and credit card numbers–topping the list at 26%. Personal identifiers (26%), such as name, location, email, phone number and date of birth followed. Next came all other government-issued information (16%), Protected Health Information (12%) and digital information (12%). Biometric information, personal preferences and “other” occupied the bottom of the list.
Though privacy regulations treat all PII equally, and all PII requires protection, prioritization is necessary in actual practice. This is true for any security-related task, as the outcomes of some leaks are more detrimental than others and most companies do not have the resources to address everything at once. Thus, it is more critical to protect information like social security numbers over marital status or religion. Of course, this is entirely dependent on what kind of information companies collect on their customers.
Employment of Privacy Engineers
We moreover investigated whether the responding organizations employed privacy engineers. 52% answered in the negative. Of those that responded in the negative, most hailed from either B2B or B2B2C companies. By contrast, 65% of B2C companies employ privacy engineers. The employment of privacy engineers is an important indicator of both good privacy posture and privacy posture maturity.
Moving on, we asked respondents if developers in their organization must undergo any type of privacy-oriented training. 85% of the companies answered that some, or all, developers do. This number is very high, generating initial optimism around the future of improved privacy postures through efforts like privacy-by-design. However, it is important to note that this can only be realized if enough time and resources are allocated to actually put such training into practice. As we will see further in the report, this is not the case.
Finally, we addressed the matter of privacy tooling, and asked our respondents if they used any. As previously noted, the privacy market is still nascent, and the majority of tools are only beginning to emerge. Most focus on PII discovery, some around cleaning identifiers when working with analytic tools and a small number are dedicated to improving access control to PII and hardening PII security.
38% of respondents answered that they are already using privacy tools, while 7% answered that their company is not currently interested in any. 21% indicated that they are currently in the process of replacing their existing tools. This represents a healthy trend of early adopters seeking to mature their privacy postures. Unsurprisingly, B2C companies were far more likely to employ privacy tooling, further supporting that these kinds of companies are most aware and proactive around the need for improved privacy postures.
Curious as to the decision-making surrounding the purchase of privacy tools, we asked respondents to share what they felt would make a privacy tool most useful. The most important criteria focused on how well they mesh with existing tech stacks, as well as reporting capabilities. Respondents also highly valued compliance-related features, PII Discovery, and PII security–underlining the growing acknowledgment of PII’s need for special treatment. Interestingly, only 21% were sensitive to whether their company PII would be stored by a solution (SaaS). We were also interested to learn that only 2% of respondents saw direct value in open-source solutions.
Given our role as a privacy solution vendor, we are naturally curious to learn as much as we can about enterprise privacy posture challenges. We asked how they would rate their visibility, and the majority of respondents (68%) responded with average, at best (answered 3,4, or 5 out of 7). Visibility is a critical baseline requirement for good security postures. Partial visibility is a critical indicator of an underdeveloped privacy program, as it means that companies do not have enough handle on risk and fulfilling compliance requests. In this particular area of difficulty, both B2B and B2C afforded themselves the same ranking.
We next asked what full visibility into their organization’s PII footprint might help achieve. 69% believe that improved visibility is critical for hardening the security of sensitive data, echoing the long-standing security truth that you cannot protect what you cannot see. 45% wish they had better visibility in order to carry out RTBF and DSAR requests. Naturally, compliance with these GDPR requirements cannot happen without being able to locate customer data. Nearly the same amount (43%) are also interested in other, additional privacy compliance needs–namely better cross-organizational collaboration on privacy initiatives.
Developers are now recognized as a critical part of the security pipeline, and this belief is bleeding into the privacy realm, too. Given that they build the environments enterprises rely on, the prevailing theory is that developers can introduce necessary policies directly into their frameworks and infrastructures. When done correctly, this can directly reduce risk by creating privacy-oriented workflows and cultures. However, due to limited numbers, time and resources, actualizing this theory is still a major challenge for most organizations. There are a number of reasons why privacy-related tasks may not appeal to them. First, privacy regulations are relatively new and the urgency around them is usually only felt after a breach takes place. To this point, there is also poor enforcement around privacy compliance. As far as hierarchical perceptions are concerned, privacy implementation is ultimately viewed as a “nice to have” rather than “need to have”. When directly asked, we discovered that 80% of companies will not handle privacy-related tasks unless there is an explicit business request to do so.
Intent on understanding what our respondents wish to achieve for their privacy postures in the future, we asked what they have planned. Most companies are looking to expand their programs and are even considering building privacy solutions themselves.
Most companies will consider building privacy solutions themselves. 58% will either compare privacy solutions by vendors to their planned DIY solution, or have already decided to build it themselves (12%).
17% of B2B companies indicated that they would build privacy solutions themselves, as opposed to only 7% of B2C companies. This was a very interesting contrast for us. We believe that B2C companies–who, throughout the survey, have demonstrated a feeling of greater stakes in privacy posture–are more familiar with the inherent complexities and major scope of self-building privacy. Such projects not only require an extraordinary amount of specialized knowledge and expertise but also take years and many resources to complete.
Data breaches continue to occur on a daily basis despite the relatively high confidence that companies hold in their security postures. Were it possible, it would be fascinating to review our survey findings after aggregating enterprise privacy audit results to see how actual enterprise privacy postures compare with their perception of them.
Nonetheless, enterprises appear increasingly aware of the need to mature their security postures–and are open to future initiatives to improve it. B2C companies are the type of company most sensitive to the growing importance of privacy among consumer bases; this is reflected in both the initiatives they are already undertaking and their recognition, likely through experience, of the true difficulties involved in building a meaningful privacy program.
In the meantime, enterprises are on the right track to improving their security postures. As best practice dictates, most are giving sensitive data the special treatment it requires and a sizable number prioritize PII protection. They further recognize that developers can be a helpful part of the process–though not to the extent of dedicating actual resources and structures to help them succeed.
Key Takeaways for Hardening Security Posture
The first step towards hardening PII protection is visibility. It is critical to identify which types of PII are collected before moving on to gradually implementing protections for them. Given that it is impossible to address all PII at once, it is best to prioritize and begin with those that have a higher potential for damage, such as SSN, credit card number, and bank account.
The market is mostly void of solutions to provide these services, and the majority of enterprises do not have the necessary resources to build proprietary solutions on their own. Moreover, even those that do risk failure to scale, perform and remain resilient, given the vast nature of enterprise environments and movements. In truth, it is best to introduce privacy at the software level rather than as an afterthought. Just as with all other security efforts to shift risk left, privacy is best handled by beginning with code.
We would like to thank everyone who helped make this report possible, especially the participants that took the time from their busy schedules to fill out our extensive survey. We truly value your insight, as well as your expertise and efforts to keep sensitive data safe.
We would also like to thank YL Ventures for their help in preparing and distributing the survey, as well as their help in preparing this report.
Finally, we would like to thank you, the reader, for your interest and time.