Cybercrime: Is privacy a primary concern for most companies? 87% of organizations claim to provide privacy training to their employees. However, only 68% acknowledge that they update this content periodically, leaving important security gaps against emerging threats, such as malicious use of artificial intelligence (AI) by bad actors. Moreover, the privacy problem is set to worsen in 2025 as 43% of businesses indicate their privacy budget is underfunded, and 48% expect a budget decrease in the next year.
This data is included in the report State of Privacy 2025, prepared by the Information Systems Audit and Control Association (ISACA), which interviewed 1,600 companies and aims to warn about the cyber risks companies face due to inadequate privacy training practices.
For instance, according to estimates from Statista’s Market Insights, the global cost of cybercrime is expected to surge in the next four years, rising from US$9.22 trillion in 2024 to US$13.82 trillion by 2028. The high price tag comes as businesses are handling a massive volume of sensitive, personal information, including payment details, names, and addresses.
Can privacy efforts keep up in a complex environment?
While almost three-quarters (74%) of respondents confirm that their privacy strategies are aligned with organizational objectives, only 59% update this training annually, while 9% do so every two to five years. From these figures, it is inferred that approximately a third (32%) of employees are not receiving the necessary training to combat new cyber threats and cybercrime in the workplace.
“In an increasingly complex international regulatory environment, often with lackluster resources, it is understandable that many privacy professionals are feeling strain from their efforts to stay compliant and keep their organizations’ data safe,” says Niel Harper, ISACA board vice chair. “Addressing these challenges and getting practitioners the support they need will be vital to not only ensure a healthy privacy workforce, but also to maintain data integrity and security, and avoid potential harm to data subjects,” he continues.
Boosting privacy: cybersecurity prevention strategies
As ISACA points out, periodic training is a key factor for two cybersecurity prevention strategies: risk mitigation and data protection strengthening. The application of best practices in this field leads companies to experience fewer cyber incidents and leads to greater trust among their customers and partners. Emerging technologies such as artificial intelligence (AI) and the Internet of Things (IoT) are expanding criminals’ capabilities. Moreover, the bad use of AI by the companies’ employees is also one of the main concerns for organizations. Almost a quarter (24%) of businesses are already using AI for privacy-related tasks, such as automating risk assessments, detecting anomalies, and ensuring regulatory compliance. Although these tools improve operational efficiency, they also pose risks. The lack of transparency in algorithm functioning can create trust issues and potential regulatory violations.
Unlocking “tremendous value:” Continuous improvements to reinforce privacy
For all these reasons, ISACA considers that the best strategy for companies looking to review their training programs is to adopt a continuous improvement approach. This involves not only updating content and obtaining certifications but also implementing simulations and practical exercises to reinforce incident response skills. “When privacy is aligned with business objectives, integrated into the enterprise with a privacy by design approach, and viewed as both an ethical and compliance responsibility, organizations stand to gain tremendous value,” concludes Safia Kazi, ISACA Principal, Privacy Professional Practices.
