“I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.” – Robert S. Mueller III, Director FBI
As pessimistic as it may sound, it’s true, especially when we take into account that the 2010s have seen some of the largest security breaches in history. Sure, your business may not have experienced a massive data breach comparable to those of Sony Entertainment or JP Morgan Chase, but losing a USB device with confidential data, or getting malware that compromises networking is also considered as a ‘breach’.
That is not to say security is being given too little importance; it is just as important as any other aspect of your business. But who is to blame in such cases? The IT department, the service providers, or the C-Suite? Well, the answer is not as straightforward as it may seem!
Consequences of a Security Breach
The impact of a data breach is subjective to the type of breach and the relative size of the organization. Nevertheless, it cannot be stressed enough that the data breach is now an epidemic. According to Ponemon Institute, the average data breach costs in 2015 increased by 23% from 2013, accounting for $3.8 million in losses. This figure, of course, does not represent the reputation loss which, in turn, causes a loss in future sales.
A small business that’s dealing with a consumer data leak will likely be on the verge of insolvency, because SMEs have less market share and power. Brand value is hard to create, and a small business in this situation may not be able to restore its reputation. A small business may actually take security even more lightly than a large organization, partly due to the belief that ‘we are too small to target’. Another reason why security measures are not as strongly enforced in SMEs is that security is almost never incentivized, which leaves the door wide open to noncompliance-related penalties.
While large organizations have the deep pockets, or the limited oversight, to cross-subsidize their way out of the more severe penalties of noncompliance, they are exposed to broader data breaches. These can have devastating ripple effects, not just on the organization but also on the industry it operates in. The media coverage the organization receives doesn’t help its case either.
Take the Ashley Madison case as an example. While its business model never garnered respect, the media coverage the hacks received has made it a laughing stock. But what is a scary proposition for any large organization is not the immediate effect of the security breach, but the long term implications that come with direct and hidden costs. These include the reduced profits over possibly an indefinite period of time, downsizing as a means to reduce costs, and investing heavily in restoring the reputation that took years to build. That’s not even counting the recovery efforts and compensating the affected consumers!
So, Who’s Responsible?
This is a problematic question. According to the 2015 US Cybercrime Survey by PwC, nearly half of Boards consider cyber security an IT matter rather than an organization-wide issue. However, this perception has been changing over the past few years: according to a survey by the New York Stock Exchange (NYSE), more Boards are holding the CEO, followed by the Chief Information Officer (CIO), the C-Suite, and the Chief Information Security Officer (CISO), responsible for security breaches.
A major report published by the Culture, Media, and Sport Committee puts forth recommendations for measures that can be used to make the IT department as well as the CEO more accountable. It goes on to say that CEOs should be held directly accountable for security breaches.
A positive change is that, over the past few years, 87% of Boards and CEOs have become concerned about cyber security. Although security is a responsibility of the whole organization, it is still perceived as a job that must be fully undertaken by the IT department. In many instances of the blame game, which by today’s security standards is a bitter reality, the IT department has to face the consequences.
The C-Suite Disconnect
Ideally, any organization that goes through a security breach should assess all the factors that resulted in the breach and determine whether it occurred because of poor security policies (where the C-Suite is accountable), or poor implementation of security policies (where the IT department is accountable). In most cases, the C-Suite’s failure to collaborate with the IT department and implement security policies that are in line with the company’s needs is evident.
Is it the C-Suite’s lack of knowledge, or its lack of involvement, that leads to security breaches?
Both! Intel Security claims that in the UK, just one-third of the C-Suite understands the risks associated with cloud computing. Despite that, most of these C-Suite employees were involved in the purchasing and implementation of cloud-based systems. IBM also published a study highlighting that only 17% of the organizations surveyed actually have the CEO, CISO, and C-Suite collaborating with the IT department on enforcing security measures and strategies.
A major reason for this disconnect is that C-level employees have yet to realize that technology has become an integral business investment, and like any other investment, there are risks attached to it. Needless to say, the C-Suite has to be more involved in the process in order to create a corporate culture where security is viewed as a responsibility rather than a task reserved for the IT department!
Investing in technology means you should not turn a blind eye to the risks involved, but must assess all potential risks and issues associated with the investment. So when you’re making an investment to optimize performance and speed, why not also make one that addresses the risks that come with it?
PerfectCloud is a patented security platform that provides access management with data encryption on the cloud. Data encryption across all levels guarantees a 100% elimination rate of failure, preventing unauthorized access. With centralized data management, you gain comprehensive control over security on the cloud, which many promise but fail to deliver. PerfectCloud empowers your business and keeps you in full control. Only you hold the key to the encrypted data across all networks in your business. With improved security, you can now implement strategies that protect your business, your customers, and your reputation!
PerfectCloud – Delivering Convenience with Compliance!