Will financial penalties put cyber defence at the top of every board’s agenda?
Over the past few years, we haven’t been able to read the news without being hit by another salacious data breach headline. More recently, financial sanctions are being implemented, and, if the damage to brand reputation and trust didn’t force business leaders to act, these fines should certainly force cyber defence up the agenda in board meetings.
Carphone Warehouse was recently landed with a £400,000 fine for a ‘striking’ number of failures that led to a data breach in 2015. TalkTalk was fined the same amount for a similar breach in the same year. Equifax, which lost data on 145 million consumers, has reportedly suffered $87.5m in lost income. A 2017 study by Centrify and the Ponemon Institute put the average cost of a data breach at $4 million, the average stock price drop at 5%, and the average revenue decline at $3.4 million. But is fining a company enough to ensure organisations bolster their security in future?
The lifecycle of a data breach
The number of global cyber-attacks is growing, and just as familiar as a major data breach is the fall-out cycle that follows it: breach, panic, a quick-fix solution, cover-ups over who knew what and when, lawsuits and constant finger pointing. This was evident in the case of Uber, which concealed a hack that affected 57 million customers and drivers, and of Equifax, which later confirmed that more data had been stolen than the company originally reported, with over 145 million people actually affected.
Whenever a breach occurs, business leaders should locate and identify the incident, isolate it and research why it has happened. An open culture is vital, and employees must feel able to share opinions and ideas on security with business leaders. Companies with a culture of reprimand may find that incidents are hidden from management through fear of persecution, leaving holes that business leaders are unaware of.
Despite talk of cyber-attacks increasing in sophistication, we have seen a rise in simple attacks using traditional methods, and company culture is often to blame. WannaCry, the breach that affected 81 NHS organisations in England, is just one example of a well-crafted attack that lacked sophistication. An employee received a malicious file and innocently opened it, resulting in the malware being downloaded and the internal systems being attacked. Modern automation technology enabled the attack to spread quickly like a disease, moving from machine to machine undetected.
Traditionally, organisations have focused on prevention. There needs to be a shift in mentality from an “if I get attacked” mindset to a “when I get attacked” one. Too much time is wasted between infection and detection – the global average is 146 days – so businesses need to invest in more advanced detection capabilities.
Taking cyber security seriously
It is easier to invest in familiar tools, which has kept businesses from moving away from the prevention mindset. Detection capabilities cost more, and with businesses reluctant to spend money until there is an incident, the fine may seem a risk worth taking.
Naive, perhaps, given the reputational damage and disastrous effect on customer confidence, but the culture and mindset surrounding cyber security need to change. With financial sanctions now being implemented, the cost of a data breach is clear, and cyber security should be pinned to the top of every board’s agenda.