Rethinking data breaches and corporate responsibility
Article | November 2020
Cyberattacks have been around for decades, so why does the question of cyber responsibility (that is, who is responsible when an attack hits the workplace) remain unsettled? It turns out that the current legal framework regarding data breaches “isn’t particularly detailed.” Beyond the laws that require disclosure of breaches to affected customers and regulators, there are very few laws that say who is actually culpable after a data breach.
Cognitive dissonance about cyber responsibility only deepens the problem
There’s a lot of disagreement surrounding this topic. According to a survey from Willis Towers Watson, “there is a huge disparity across organizations as to who should be responsible for cyber security. The survey of over 450 companies found that almost 40% of executives felt that the board should oversee cyber, compared with 24% who felt it should be the role of a specialized cyber committee. . . A small portion of respondents surveyed believed it should be the responsibility of audit, risk or some other subgroup.”
This disagreement among executives and boards can’t bode well for any organization’s security. When nobody agrees who owns cyber risk, accountability gaps appear long before a breach, and without a clear precedent for corporate responsibility after one, those gaps are rarely closed.
Someone’s gotta take the fall – and it’s not the cloud storage provider
By 2020, 85% of businesses had migrated their data to cloud storage. That is mostly good news: major providers generally secure the underlying infrastructure better than most organizations secure on-premises storage. But the cloud isn’t fool-proof, and breaches still occur, very often through the parts the customer controls: identities, access permissions and storage configuration.
Unfortunately for businesses, in a cloud storage breach the storage provider is generally not the party held legally responsible. Under the shared-responsibility model the provider secures the platform, while the customer remains accountable for what it stores there and how it controls access. It’s the data owners, the organizations storing their data, “that are responsible for data breaches and will pay any fines or fees that are the result of legal action.”
Consequently, it’s the CEOs who tend to take the blame for cyberattacks, especially when the damage runs to millions of dollars. For example, when the credit reporting agency Equifax was breached in 2017 and up to 143 million people had their personal information stolen, CEO Richard F. Smith stepped down. He stated that the impact of the breach was so massive that it was appropriate for the company to go forward with new leadership.
Analyst reports predict that, as cyberattacks keep increasing in frequency and severity, up to 75% of CEOs may be personally affected by breaches by 2024.
The solution is to build a culture of cyber awareness
So, what’s a CEO to do?
In a large organization, it’s not enough to have an IT department, a CISO (Chief Information Security Officer) and a CTO (Chief Technology Officer) in place. Without a culture of cybersecurity woven into the identity of the organization, a breach becomes a matter of when, not if. This is not to say that CISOs or CTOs aren’t doing their jobs, but that they cannot protect an entire organization if its individual members don’t have a certain level of cyber awareness. Everyone in the organization must be a cyber steward on the company’s ship.
“From finance, to HR, to marketing, to operations – everyone needs to be a good cyber steward. It’s really all hands on deck to make sure the entire organisation is adhering to the right protocols, practicing good cyberhygiene, and understanding how their specific job plays into the cyber landscape.”
Creating a culture of cyber awareness in the workplace means building cybersecurity awareness across the entire organization, starting with appropriate awareness training and regular cybersecurity meetings. A strong cybersecurity culture means that everyone understands the role they play in keeping the organization secure, takes the IT department seriously when it issues warnings, and follows the security protocols the organization has put in place. In a strong cybersecurity culture, every individual knows how to spot a phishing email, knows what to do (and what not to do) during a ransomware attack, checks links before clicking them, and knows never to access sensitive work-related documents over public Wi-Fi without the protections the organization provides, such as a VPN.
“The primary goal of a security culture is to implement change and get a buy-in from those involved – with a clear understanding of the results that can be delivered if everyone follows best practice. Employees must . . . clearly understand what they will get in return for their investment, even if it is just a more secure organisation to work for.”
At SOTERIA Global, we believe the cybersecurity blame game needs to come to an end. Guided by our mission to harness education to improve cyber resiliency around the world, we provide world-class cyber training to organizations to create cultures of cybersecurity.
At the end of the day, all of us should spend less time wondering “who takes the blame when a breach happens?” and instead focus on building organizations secure enough that breaches become rare, and resilient enough that when one does happen, it is detected early and does little damage.