There may have been a time when cyber security was the concern of the IT department alone, but this is no longer the case. The changing landscape of cyber security, and the evolving legislation that comes with it, leaves C-Suite executives ultimately responsible for the security of company information. If they fail to secure it, their jobs are at risk.
Data breaches have, unfortunately, become a part of business as usual for digital enterprises. The high-speed data networks that we have all become dependent upon are not inherently secure. Fortunately, the accidental data breach is less prevalent than it used to be, but a hacker with enough time, technology and tenacity will breach conventional “prevention” technologies.
The impact of a “successful” breach is dependent upon how well protected your data is when it falls into unauthorised hands. Emerging data protection legislation clearly differentiates between obligations regarding notification and remediation for encrypted and unencrypted data. If your data is protected by a certified, high-assurance encryption solution…good. If it isn’t…not so good.
We have discussed the True Impact of a Data Breach in a previous article, but the risk landscape has undergone a subtle change in recent years. While headlines promising multi-million dollar or euro fines under the GDPR certainly get attention, there has been a steady increase in cases where the impact of a breach is being felt on a more personal level.
Ultimately, someone must carry the can for what is a fundamental process failure. You can’t just blame the tired analyst who left a laptop on the last train home any more. Data protection has emerged out of the IT closet and has a seat at the boardroom table.
As the potential impact of a breach has become more significant, extending beyond business disruption and financial penalties to long-term brand damage, there has been an increase in C-Level executive casualties.
If your organisation is big enough to have a CISO, it’s likely that the buck will stop there. However, for many organisations it is another C-Level executive that will bear responsibility for data protection. Two high-profile examples that spring to mind are Yahoo and Sony Pictures.
In February 2015, Amy Pascal (former Co-Chairman of Sony Pictures Entertainment) stood down, less than two months after the hacker group “Guardians of Peace” published confidential data that included a series of controversial emails from Pascal herself.
In another example, Yahoo CEO Marissa Mayer caught a lucky break in March 2017 and kept her job, but missed out on her bonus and potentially a stock award over her handling of two breaches, back in 2013 and 2014, in which over 1 billion user records were stolen, costing the company over $350 million. The company’s top lawyer wasn’t so lucky.
The personal impact of a breach is also being felt outside the commercial world, with high-profile public-sector figures not immune. As far back as 2011, the Texas State Comptroller’s office fired its heads of information security and of innovation and technology, following a breach that exposed the personal information, including Social Security numbers, of over 3.2 million citizens.
More recently, in 2017, two Swedish ministers lost their jobs after a data breach exposed sensitive data, believed to include the identities of people in the witness protection programme.
Amongst the C-Level community, this is bound to raise more than a few eyebrows and encourage board members to become more actively engaged in the strategy surrounding data protection. Evolving legislation around the world goes beyond corporate responsibility and adds the potential for criminal prosecution in the case of negligence.
In short, the reputation of your business is not the only thing on the line in the event of a breach.