The Blame Shifts?
Until quite recently, senior IT execs have been the lightning rods of the cyber breach era. As soon as a company was hacked, the unfortunate "IT Guy" could be seen packing his bags while silently cursing the miserable IT budget he had to work with. While most corporate entities would deny they have a blame culture, they are generally happy to make an exception and blame the head of IT when they get hacked. However, things may be changing, and the days are ending when an IT exec's most important tasks were to get high scores on "User Experience" surveys and take one for the team when the business was breached.
Historically, the CEO's role in a breach scenario has been to offer mournful-faced interviews, claiming that our privacy is important and that such a significant cyber breach had been unforeseeable: "who could know such a thing was possible?" (everyone who reads the news!). But a recent spate of high-profile resignations shows that the focus has now been turned squarely on senior board members.
Following a hack that compromised over 20 million personal records of government employees, US Office of Personnel Management head Katherine Archuleta has been forced to resign. When the London-based hedge fund Fortelus was hacked to the tune of $1.2 million, Thomas Meston, the CFO, also lost his job.
These are the two latest resignations in a trend that began in earnest last year when the CEO of giant US retailer Target, Gregg Steinhafel, was forced to resign from his $24 million per annum position in the wake of a disastrous data breach that compromised 40 million shoppers' credit cards and 70 million customers' personal data. Given a breach of this magnitude, Steinhafel was given little alternative but to leave his position as the head of the $40 billion corporation.
The difficult fact for senior executives to understand about the cyber landscape is that there is nothing anyone can do after the event to limit the damage. Unlike cash and other tangible assets, once the data escapes it can be replicated endlessly and shared globally in an instant. No amount of court orders can slow down the process, and a product recall doesn't really cut it. Once a breach has occurred, the corporation will most likely find itself accused of negligence. It is then up to the CEO and his board to disprove any negligence claims by proving that all reasonable steps had been taken to safeguard the organisation's database.
In the 80s and 90s, when the computerized office was becoming a reality and a lot of the world's current crop of CEOs were in college studying business administration (without an ITC module), it was reasonable for executive boards to delegate the safeguarding of corporate data to the experts in the IT department. The "IT guy" would install anti-virus software and get back to the proper job of responding to user feedback surveys, managing the network and helping users with their mouse, keyboard and printer. But now, suddenly it seems, there are hundreds of mobile devices connected to company servers and hundreds of thousands of new variations of malware being developed to target those devices. It is a whole new landscape. Combine this with the relentless, ongoing and targeted email "phishing" campaigns that we see every day, and it is clear that traditional safeguards are no longer adequate. Board members are now expected to understand the risks, authorize budgets to ensure properly designed and layered cyber defenses are in place, and train staff to understand the consequences of risky behavior. If they don't, they risk ignominious dismissal.
Why Hack User Data instead of Financial Data?
The underlying reason for the growing trend in cyber-crime is the increasing value of corporate databases. The more business that is conducted online, the more corporations know about private citizens, and therefore the more valuable the database becomes. For a growing number of corporations, the company's database is substantially more valuable than its cash holdings. A case in point is the recent Ashley Madison hack, where the very personal details of up to 37 million trainee adulterers were taken from the company's servers. This hack has destroyed Ashley Madison's hope of a $200 million IPO and has the potential to cause untold misery to millions of families.
International organised criminals have rapidly shifted focus from financial fraud to data theft. Stolen data can be laundered more easily than stolen cash by disguising it as legitimate market research. The data can be doctored and presented to a rival organisation as legitimate; in other cases it is simply put up for sale to the highest bidder. This is generally done via the Dark Web, using encrypted websites where anything can be bought and sold. The damage inflicted on the compromised corporation can be terminal.
With a single cyber-attack, a company can see its damage-control costs escalate out of control, its customer goodwill shattered, the company put at risk of lawsuits, and the company's stock price decimated.
In 2014 the total number of detected security incidents globally grew to 42.8 million, with the number of breaches costing over $20 million doubling. These incidents included a litany of high-profile corporate and government security breaches such as Target Corp., Home Depot, Neiman Marcus, Michaels Stores, Sony Pictures Entertainment and Wall Street giant JPMorgan Chase, costing an estimated US$500 billion.
Bring on the Lawyers
Given the rising number of cyber violations, it's not surprising that there have also been numerous class-action lawsuits filed in the U.S. by stakeholders for breach of fiduciary duty. These include a case over another hacking incident at Sony involving the alleged theft and release of social security numbers and other personal data, while electronic commerce giant eBay Inc. is facing a class action launched in July 2014 by 125 million customers whose personal data was breached early last year.
The shifting face of IT Governance
With so much at stake, a shift is now beginning toward data governance being removed from the IT department and placed in the boardroom as part of the enterprise risk-management framework. Boards are only now beginning to figure out that oversight of cyber security has become as much a part of their fiduciary duty as the accounting on the balance sheet. It is not the job of the board to manage data security, but it is the job of the board to ensure it is managed as well as reasonably possible.
The IT literate CEO
Given the current global tsunami of cyber-crime, CEOs need to sponsor projects that implement layered defense, mobile device management and staff training, and that also address the risks posed by third parties interacting with the business. The focus should be on the rapid detection of security intrusions, followed by an effective and rapid response.
But whatever form of attack may occur, from now on the cyber security buck stops at board level. Senior executives are beginning to realize that the era of delegating total responsibility for corporate security to the "IT Guy" is over.