Execs face the chop after being hit by data breach

Vacant chair. Image courtesy of Shutterstock.

Vacant chair. Image courtesy of Shutterstock.

We see more and more breaches being reported in the media – not only here at Naked Security, but also in the mainstream press.

That’s not a bad thing – the increased awareness of breaches among the general public may just focus people’s minds on why it is so important to be aware of the level of information they are sharing with companies, and the way in which that data is secured.

Now, as reported this week by IT Pro Portal, the number of executives falling on their swords in the wake of a breach is up.

While I suspect there may have been many post-breach executive casualties, two high-profile examples are given.

The first – Gregg Steinhafel, CEO of Target – felt compelled to walk six months after we learned how the retailer had 110 million records stolen by hackers in December 2013.

And the second – Katherine Archuleta, the former head of the US Office of Personnel Management – resigned after a massive hack which left millions of federal employees’ records compromised.

It could be argued that both Steinhafel and Archuleta were unfortunate victims carrying the can for a number of failings which they couldn’t reasonably be expected to control in their entirety.

But there is of course a counter argument to be made – namely, that their position as senior executives mandated that they were responsible for the entire security function, a fact that was undoubtedly key in their decision to walk.

And, as IT Pro Portal says, what other option did they have?

Once a breach has been discovered, the damage is already done. What’s left is a game of musical chairs with the loser left standing, holding the blame.

As boards wake up to the reality of what happened they quickly realise the potential reputational and financial costs, possible regulatory implications and maybe even the threat of claims of individual negligence. At this point I can well imagine a game of pass the parcel ensuing, with no-one wanting to win.

While incident response plans kick in after a breach, the board will likely look to see if all reasonable security precautions had been taken.

Such precautions are not as simple as they once were – installing the latest patches and ensuring the corporate anti-virus software is up to date is no longer all you need in the light of the growing and ever-more sophisticated attacks faced by businesses.

Thus, executives are responsible for ever increasing security budgets and evolving defense systems that are becoming more and more complex.

And even that may not be enough – in the UK the Information Commissioner’s Office (ICO) recently disclosed how 93% of 459 breaches in Q4 of 2014-2015 were caused by a human element, either deliberately or, far more often, inadvertently.

This shows how even the best laid plans can be undone by the unexpected actions of staff who are either lacking in security training or awareness, or who are susceptible to social engineering – a prime example being the unfortunate tale of Thomas Meeston, CFO at Fortelus Capital Management, who lost his job and is being sued by the fund after being duped by a Friday evening phone call which cost the firm $1.2m.

So, what are executives to do at a time when criminals are increasingly understanding the value of databases and the personal and financial information stored within them?

A “We take security seriously” statement after the event doesn’t cut it with a public who would much prefer their data didn’t find itself on the dark web in the first place.

Instead, executives need to realise that the security parcel does end up in their hands – whether they like it or not – and plan and provision accordingly.

Image of vacant chair courtesy of Shutterstock.