C-suite responsibilities in data breaches
Australian executives and company directors will face increased professional responsibility for overseeing cybersecurity when Australia’s mandatory data breach notification law takes effect this month, warns Centrify.
Last year, US credit monitoring agency Equifax saw its share price drop by 13% after it reported a data breach affecting about 143 million Americans.
And in 2016, Yahoo suffered a $350 million reduction in its sale price to Verizon after reporting two massive data breaches affecting one billion accounts.
Centrify Senior Director APAC Sales Niall King said those incidents alone should grab the attention of executives and directors.
“The salient point is that these are not isolated events,” he said.
A recent Ponemon Institute study identified that 113 publicly traded companies lost an average share value of 5% on the day after a material data breach was disclosed.
The study, which included 740 Australians, found that one-third of Australian consumers impacted by a data breach reported they had discontinued their relationship with the organisation that experienced the breach.
“The lesson is clear for both executives and directors: as data breaches have a direct impact on an organisation’s financial wellbeing, cybersecurity should be a priority for the C-Suite,” said King.
King said companies with a high-security posture typically have a senior-executive chief information security officer (CISO) responsible for ensuring that information assets and technologies are protected.
“Rather than funding cybersecurity from the standard IT budget, mature organisations allocate an adequate budget for staffing and investment in enabling security technologies,” he said.
The C-Suite should recognise that passwords alone could not adequately protect confidential data, he added.
“No matter how complex nor how frequently changed, passwords alone are never strong enough to deter a determined hacker — or a disgruntled employee,” he said.
“Passwords are more of a problem than a solution. According to a 2016 Forrester report, 80% of data breaches leverage privileged credentials to gain access to the organisation. That statistic should send shivers down your spine.”
King said that companies need to adopt a Zero Trust security model which centres on the concept that users inside a network are no more trustworthy than users outside the network.
This requires systems such as multifactor authentication to better protect data and to deter intruders.
King said business leaders need to assume that data breaches are a case of when, not if.
“This provides a much more realistic posture towards today’s technology threat environment,” he said.
“If you never experience a data breach, then well done you. However, if you do, then a strategy to contain the damage will pay for itself many times over. If the worst does happen, then proactive investment in cybersecurity is your best protection.”