Wednesday, 29 July 2015

The Blame for Cyber Breaches moves into the Boardroom

The Blame Shifts?

Until quite recently, senior IT execs have been the lightning rods of the cyber breach era. As soon as a company was hacked, the unfortunate "IT Guy" could be seen packing his bags while silently cursing the miserable IT budget he had to work with. While most corporate entities would deny they have a blame culture, they are generally happy to make an exception and blame the head of IT when they get hacked. However, things may be changing, and the days are ending when an IT exec's most important tasks were to get high scores on "User Experience" surveys and to take one for the team when the business was breached.

Historically, the CEO's role in a breach scenario has been to offer mournful-faced interviews, claiming that our privacy is important and that such a significant cyber breach had been unforeseeable: "who could know such a thing was possible?" (everyone who reads the news!). But a recent spate of high-profile resignations shows that the focus is now being turned squarely on senior board members.

Following a hack that compromised over 20 million personal records of government employees, US Office of Personnel Management head Katherine Archuleta has been forced to resign. When the London-based hedge fund Fortelus was hacked to the tune of $1.2 million, Thomas Meston, its CFO, also lost his job.

Katherine Archuleta

These are the two latest resignations in a trend that began in earnest last year when the CEO of giant US retailer Target, Gregg Steinhafel, was forced to resign from his $24 million per annum position in the wake of a disastrous data breach that compromised 40 million shoppers' credit cards and 70 million customers' personal data. Given a breach of this magnitude, Steinhafel was given little alternative but to leave his position as head of the $40 billion corporation.

Target Retail Breach

The difficult fact for senior executives to understand about the cyber landscape is that there is nothing anyone can do after the event to limit the damage. Unlike cash and other tangible assets, once the data escapes it can be replicated endlessly and shared globally in an instant. No amount of court orders can slow down the process, and a product recall doesn't really cut it. Once a breach has occurred, the corporation will most likely find itself accused of negligence. It is then up to the CEO and the board to disprove any negligence claims by proving that all reasonable steps had been taken to safeguard the organisation's database.

In the 80s and 90s, when the computerized office was becoming a reality and a lot of the world's current crop of CEOs were in college studying business administration (without an ICT module), it was reasonable for executive boards to delegate the safeguarding of corporate data to the experts in the IT department. The "IT guy" would install anti-virus software and get back to his proper job of responding to user feedback surveys, managing the network and helping users with their mouse, keyboard and printer. But now, suddenly it seems, there are hundreds of mobile devices connected to company servers and hundreds of thousands of new variants of malware being developed to target those devices; it is a whole new landscape. Combine this with the relentless, ongoing and targeted email "phishing" campaigns that we see every day, and it is clear that traditional safeguards are no longer adequate. Board members are now expected to understand the risks, authorize budgets to ensure properly designed and layered cyber defenses are in place, and train staff to understand the consequences of risky behavior. If they don't, they risk ignominious dismissal.

Why Hack User Data instead of Financial Data?

The underlying reason for the growing trend in cyber-crime is the increasing value of corporate databases. The more business that is conducted online, the more corporations know about private citizens, and therefore the more valuable the database becomes. For a growing number of corporations, the company's database is substantially more valuable than its cash holdings. A case in point is the recent Ashley Madison hack, where the very personal details of up to 37 million trainee adulterers were taken from the company's servers. This hack has destroyed Ashley Madison's hope of a $200 million IPO and has the potential to cause untold misery to millions of families.

International organised criminals have rapidly shifted focus from financial fraud to data theft. Stolen data can be laundered more easily than stolen cash by disguising it as legitimate market research. The data can be doctored and presented to a rival organisation as legitimate; in other cases it is simply put up for sale to the highest bidder. This is generally done via the Dark Web, using encrypted websites where anything can be bought and sold. The damage inflicted on the compromised corporation can be terminal. With a single cyber-attack, a company can see its damage-control costs escalate out of control, its customer goodwill shattered, the company put at risk of lawsuits, and the company's stock price decimated.

In 2014 the total number of detected security incidents globally grew to 42.8 million, with the number of breaches costing over $20 million doubling. These included a litany of high-profile corporate and government security breaches at Target Corp., Home Depot, Neiman Marcus, Michaels Stores, Sony Pictures Entertainment, and Wall Street giant JPMorgan Chase, costing an estimated US$500 billion.

Bring on the Lawyers

Given the rising number of cyber violations, it's not surprising that numerous class-action lawsuits have also been filed in the U.S. by stakeholders for breach of fiduciary duty. These include a case over another hacking incident at Sony involving the alleged theft and release of social security numbers and other personal data, while electronic commerce giant eBay Inc. is facing a class action launched in July 2014 by 125 million customers whose personal data was breached early last year.

The shifting face of IT Governance

With so much at stake, a shift is now beginning toward data governance being removed from the IT department and moved into the boardroom as part of the enterprise risk-management framework. Boards are only now beginning to figure out that oversight of cyber security has become as much a part of their fiduciary duty as the accounting on the balance sheet. It is not the job of the board to manage data security, but it is the job of the board to ensure it is managed as well as reasonably possible.

The IT literate CEO

Given the current global tsunami of cyber-crime, CEOs need to sponsor projects that implement layered defense, mobile device management and staff training, and that also address the risks posed by third parties interacting with the business. The focus should be on rapid detection of security intrusions, followed by an effective and rapid response.

But whatever form of attack may occur, from now on the cyber security buck stops at board level. Senior executives are beginning to realize that the era of delegating total responsibility for corporate security to the "IT Guy" is over.