Why executives need to care more about cybersecurity
I recently taught my cloud security class to a multi-national organization and was asked how to discuss information security and cybersecurity with executives. I’ve been asked this question before, and it is something that has been on my mind lately, so I thought I’d write about it. I’ll explain why executives at the highest level should know more and invest more in cybersecurity. In fact, I’ll be writing a modern book one blog post at a time on the topic of cybersecurity for executives. In the next post, I offer strategies for executives trying to solve these problems in ways that provide a positive return on investment instead of just buying a product or service and hoping it works.
Most executives probably understand that data breaches are costing organizations money in terms of fines, fees, and legal battles, but let’s break this down in a bit more detail. At one point I heard a security professional suggest not to use the cost of a breach as a basis for more investment because the losses associated with a breach do not offset the upside of skipping security. That cost-benefit analysis is going to be relative to the organization and the size of the security incident, as I will explain.
This equation is also changing now that GDPR can cost an organization 4% of its worldwide annual revenue. Many other countries and states are considering or have passed privacy and data breach laws that may impose fines on top of that, or that apply even if you don’t serve European customers. More legislation will be coming if companies do not take responsibility for information security in more effective ways — in fact, it may be too late. New privacy legislation is delaying business initiatives and costing companies money, as explained by the CISO of Sumo Logic, George Gerchow, in a recent podcast I was on with him.
What is the cost of a data breach?
The average cost of a data breach per the Ponemon Institute in 2018 was $3.86 million. For some companies, this may not be a large number. That dollar figure is going to hurt smaller companies more than bigger companies. But remember this is also an average. There are different sizes of data breaches, and a large company with more money or data may be a bigger target. Ponemon estimates the cost of a breach of 1 million or more records at $40 million and the cost of a mega breach at $350 million.
Since the initial writing of this blog post, Equifax has to pay up to $700 million in a breach settlement.
The harm to the brand of an organization after a data breach may be hard to quantify, but consider this. The cost of the breach includes lost revenue if customers choose not to use your product, invest in your company, or buy from your store or web site after a breach. Although some companies bounce back after a breach, who can say that they would not have had even greater success without the breach? How far ahead did their competitors advance while they were dealing with the incident? If organizations lose financial data, the effect on a brand may be more detrimental, according to past Verizon data breach reports.
Lost time is also a factor in a data breach. Do you want to be spending your time talking to lawyers and the news media, and having your support staff explain to customers what happened and whether they are affected? I have seen entire support teams tied up with a big issue while other staff members had to get on phones to cover emergencies the existing support staff could not handle alone. I’ve also seen teams pulled off big projects to triage security issues when sufficient resources were not deployed in advance to understand and prevent the problem. What positive things could your business be doing instead of dealing with a data breach?
Executives may be personally affected by a data breach
Recent large-scale data breaches, including the Equifax and Marriott breaches, have resulted in CEOs testifying in front of Congress. Some executives involved in massive data breaches and privacy scandals have been speaking to governments all over the world. For example, Facebook’s CEO, Mark Zuckerberg, recently visited the Irish parliament. In some cases, CEOs, CISOs, and others have lost their jobs, including in the Target and Equifax breaches. Hiding a breach did not go so well for the subsequently fired CISO of Uber. A bill has been proposed in the US that could result in jail time for executives. Australia’s parliament passed a law that includes imprisonment of up to three years for company executives who allow users to publish violent content on their platforms.
Board members may be held liable and face lawsuits
This article from Goodwin Procter, Breaches in the boardroom: What directors and officers can do to reduce the risk of personal liability for data security breaches, sums up a landmark case and provides some recommendations for moving security from the server room to the boardroom:
In its 1996 Caremark decision, the Delaware Chancery Court declared that, in such actions, directors can be held personally liable for failing to “appropriately monitor and supervise the enterprise.” The court emphasized that a company’s board of directors must make a good faith effort to implement an adequate corporate information and reporting system. Failing to do so can constitute an “unconsidered failure of the board to act in circumstances in which due attention would, arguably, have prevented the loss.”
We are in a cyberwar
This statement is not political, and it is global — it applies to any organization in any country where people care about the well-being of their families and fellow citizens. It is not an attempt to spread FUD (fear, uncertainty, and doubt). It is just a fact. I have been researching cybersecurity for years — since my first data breach and through my time working on the security research team for a security vendor. I am a member of InfraGard and other organizations that provide information about cyber attacks and breaches. I spent over five years getting a master’s degree in information security engineering from the top cybersecurity professionals in the country, who have worked for elite security firms and in government organizations. I also have taught classes to government organizations and individuals involved in national security. I hold a SANS GIAC Security Expert (GSE) certification. I research. A lot.
A cyberwar is going on between organized crime and organizations, and between countries. Reports indicate that countries are working together with those involved in organized crime. Organizations have leveraged false information as propaganda to sway opinions. Many computer systems and IoT devices are being controlled by C2 (command and control) servers to do their bidding. Organizations are losing proprietary information in data breaches that cause loss of business and competitive advantage. If you want to read more about it, I could give you a whole list of books and articles, but I’m not going to do that here. Maybe I’ll save that for another blog post. I also talk about how these attacks work in my class.
What you need to know is that your systems are under attack, and in some cases, even though the attack on your system may not harm your business or your network and you may not even notice it, the compromised systems may be used to harm other people and systems. No matter what country you live in, you have a vested interest in protecting systems against cyberattacks that could ultimately harm hospitals, industrial control systems, communications systems, election systems, financial organizations, and more. The ultimate damage could be worse than a data breach of your organization.
These are the things I would tell all executives if I could, and I do when I give presentations or teach organizations about cloud security. Hopefully, this will help you when trying to obtain investment for cybersecurity initiatives at your organization. In a subsequent post, I will explain what executives can do to help prevent data breaches and improve return on cybersecurity investments.
Teri Radichel — Follow me @teriradichel
© 2nd Sight Lab 2020