Most executives in businesses both large and small are confident that they are well prepared for cyber threats when they're not. This in itself is a huge risk. They believe that because they've increased investments in cybersecurity that their data is safe.
Many believe they are – primarily due to 7 overlooked security standards & 7 negative behaviors.
Their confidence is misplaced – why is this?
Because they often overlook 7 well-known security standards:
Do you believe CEOs are to blame for so many of today’s security events?
These misinformed individuals are often overconfident in their organization’s ability to tackle specific threats. For example, they are “sure” that if a mobile device were stolen that they would know what data was on it and be prepared for the level of risk to their business. They are also “sure” that they have what they need to protect their customers’ and employees’ personally identifiable information.
It’s no wonder the number of data breaches is reaching epidemic proportions. It seems like every few weeks we learn about another devastating security breach that strikes a large corporation – and we’re not even hearing about the smaller ones. If CEOs and business leaders aren’t informed about the security posture of their businesses, can we trust them with our private information? This shortsightedness and complacency borders on neglect.
According to Juniper Research, cybercrime is on the rise and will cost businesses $2.1 trillion by 2019.
Take the Equifax breach for example:
Equifax alerted the public in September 2017 to a massive data breach that exposed the personal and financial information, including names, birthdays, credit card numbers and Social Security numbers, of approximately 145 million customers in the United States to hackers. Following the Equifax breach, the former CEO Richard Smith and the current interim CEO Paulino do Rego Barros Jr. were called to testify before the Committee on Commerce, Science, and Transportation this week for a hearing titled “Protecting Consumers in the Era of Major Data Breaches.” During the hearing, Sen. Cory Gardner (R-Colo.) questioned Smith and Barros about Equifax’s use of, or lack of, encryption for customer data at rest. Smith confirmed that the company was not encrypting data at the time of the Equifax breach, and Gardner questioned whether or not that was intentional. “Was the fact that [customer] data remained unencrypted at rest the result of an oversight, or was that a decision that was made to manage that data unencrypted at rest?” Gardner asked Smith. Smith pointed out that encryption at rest is just one method of security but eventually confirmed that a decision was made to leave customer data unencrypted at rest. “So, a decision was made to leave it unencrypted at rest?” Gardner pushed. “Correct,” Smith responded.
In their “2016 Cost of Data Breach Study: Global Analysis,” IBM and Ponemon calculated the average cost of a single lost or stolen record to be $158. This number includes direct and indirect expenses, such as remediation and in-house investigations. It also includes the value of damage to the brand, and loss of current as well as future customers.
Can a CEO’s Overconfidence Lead to a Data Breach?
It appears the answer to this question is YES.
The following are 7 behaviors that CEOs exhibit which are directly related to the increasing incidence of data breaches.
Security experts insist that employees must be exposed to a security policy five times before they understand its importance and practice it. They stress the importance of making policies easily accessible and conducting periodic cybersecurity awareness training.
Employees should know and understand what penalties they face if they violate cybersecurity policies. Enforcement must be consistent but doesn’t need to be extremely punitive. If an IT department discovers an infraction, it can block the prohibited activity with firewalls, router blacklists and content filters. This way the violation remains private and a manager can quietly discuss the problem with the employee. The severity of the penalty should reflect the degree of the violation. Unfortunately, in some cases, this means an employee must be terminated.
Most CEOs try to hide employee dismissals due to security policy violations. However, as data breaches increase, and regulations like FINRA and HIPAA result in businesses facing severe consequences, more are recognizing the need to use dismissals as an example for other employees.
Does your organization practice and enforce your IT security policy?
If employees don’t know or understand how to recognize cyber threats and maintain the confidentiality of data, it’s usually the fault of the CEO who disregards the importance of training. By doing this, they risk damage to their business and valuable data assets, as well as their corporate reputation.
Laws under the U.S. Federal Sentencing Guidelines require some form of training and awareness activities to prevent data breaches. CEOs must ask themselves the following:
The Verizon 2016 Data Breach Investigations Report states that no location, industry or organization is immune from attack.
Sixty percent of CEOs don’t adequately protect their business’s privileged accounts.
Small businesses are targeted in two out of three cyber attacks.