There’s no job security when your job is security
“There’s no job security when your job is security”. That’s the kind of line that would be enough for any CSO, CIO or even CEO to start penning their resignation letter.
The reality is obviously somewhat different. However, if the history of the last 12-18 months has taught us anything, it is that no-one is exempt from a high-profile data breach. Breaches so severe that jobs can be lost, and reputations so badly damaged that businesses are put at risk.
Finally, it seems, the penny has dropped. Organisations including the likes of TalkTalk, Facebook, Gmail and Twitter now accept that no set of security measures is completely immune to a breach.
As a result, they are starting to assess two things.
The cost of a data breach
Research carried out by IBM and the Ponemon Institute earlier this year found that on average, the global total cost of a data breach increased from $3.52m to $3.79m within the last year. The average cost paid for each lost or stolen record with sensitive data rose as well, to $154, from $145 in 2014. In the case of TalkTalk, it is estimated their breach could cost as much as £35m.
Of course, a monetary value also tells us nothing about the inconvenience and emotional cost of a breach to the real victims of PII loss – you and me. Consumers are now much more aware both of the risks of a breach and their rights if the worst happens. For example, research by Deloitte warns that three-quarters of customers would reconsider using a company in the event of a breach.
What to do when the inevitable happens
Probably as annoying as an actual breach, if not worse, is a company that appears to have no grip on exactly what happened or how bad the breach was. Again, take TalkTalk as an example. Their high-profile breach and the media circus that followed it were made worse by their own confusion about what had happened and the lack of communication to their already worried customers. In fact, it was more than 24 hours before customers were even notified there had been a breach. What then followed was confusion about what data had been stolen, the number of accounts affected and whether the stolen data had been encrypted in the first place. TalkTalk’s CEO continues to cling on to her job and claims to currently have the support of the founder and the board. However, one has to question how long this will be the case, particularly once the true implications of the breach are felt through lost revenue and lack of customer support.
The risk to data extends further than just a cyber-attack
Organisations need to consider the complete lifecycle of the data they own and manage, and so understand where the vulnerabilities lie. This could, of course, be an external cyber-attack orchestrated by a third party intent on accessing and profiting from sensitive data. However, it could also be an inexperienced employee sending highly sensitive information in a clear-text email to the wrong recipient, as highlighted by the recent email breach at the North Carolina DHHS.
As research shows, often the biggest risk to any business is human error.
So what does a CSO, CTO or CEO make of this? In time I think we will reflect on these high-profile breaches and realise that they signalled a gear change in data security. At exec / board level, suddenly focus and – more importantly – budget are being allocated to better understand all aspects of data security across a business. No longer will complacency rule, because everyone knows that in all likelihood at some point they will be forced to answer the question:
“You had one job: Secure the data. What happened?”
If this results in greater information assurance, more vigorously tested security measures and processes, then it has to be a positive for our data and our confidence as consumers in the market.