Information Technology

C-suite security culture

By Steven Foley, Security Consultant - Advent IM
Published: 1 September 2017

The elusive number that represents the real ‘cost of a data breach’ has varied, but its estimate has normally increased every year. Many large-scale data breaches have hit the headlines, but the genuine cost to business has proven hard to pin down. We may not be all the way there yet, but some high-profile breaches have allowed us to grasp the concept more firmly, along with the failings and leadership cultures that can enable a high-cost breach.

For instance, the data breach that affected some 4% of TalkTalk’s 4 million customers back in October 2015 attracted a well-documented £400,000 fine levied by the Information Commissioner’s Office. The media focus, customer outrage and PR fumbles that followed made the whole thing very high profile, and how much it was actually going to cost TalkTalk, beyond the fine, was widely discussed. Further reports placed the real cost in the region of £60 million and a loss of over 100,000 customers at the time. This was based on the cost of the fine, the drop in share price, the customer haemorrhage and the ensuing promotions to attempt to woo back customers with huge discounts. All of the PR that followed would have us believe that the business bounced back; however, an examination of the share price shows a fall from 403 to the current 197 [1].

We got closer again with Target’s 2013 breach, which exposed the personal details of reportedly 110 million customers and was reported to cost the organisation circa $300 million (US). Considering these two cases alone, and not just the financial impact but also the reputational damage, it is easy to see why information security should absolutely be one of the most important strategic aims of any C-suite today. These types of breaches have led the US Senate to table the Cybersecurity Disclosure Act of 2017, which will require companies to explain whether they have cybersecurity expertise at board level and, if not, why it is unnecessary because of other steps taken by the company. These two incidents have been well reported, commented on and cited as examples often, but I have used them both because they allow many security professionals to do what for so long was a hard task: to place context on a data breach. They provide evidence of how much the breach of a single record is likely to cost an organisation, and once you can place an informed estimate on the cost of a breach, it is easier to justify security improvements to reduce the risk.

Cybercrime is undoubtedly on the rise, and we read almost daily of attacks against industry of all types, with geography being no barrier. Beamish report that in 2016 2.9 million British companies were hit by some form of cybercrime, at a cost to the UK of £29.1 billion. Forbes estimate that the cost of cybercrime in 2019 will be $2.1 trillion globally.

We are now in a time where consumer data is paramount and the consumer’s right to privacy must be protected. GDPR and the Data Protection Bill should focus the minds of C-level executives, who are accountable for ensuring that data is protected correctly, and they should realise that they must drive and engage as they determine their cyber security strategy. Should Elizabeth Denham have her way, these executives will be made personally responsible, as she recommended to the House of Commons Public Bill Committee. There needs to be a cultural change at board level. The suggestion of being made personally accountable, and the other legislation being tabled, should be seen as an opportunity to develop more awareness of information security, why it is a fundamental requirement and, more importantly, the benefit to be derived from enacting a strong and positive attitude toward it. The C-suite need to be open where they have shortcomings or a lack of understanding, allow themselves to be educated, and engage more with security staff moving forward. This education will allow them to better understand the threat and risk to their organisation and, more importantly, improve investment in security solutions. A further opportunity from understanding their threat landscape and risks would be the ability to share information, not only internally to better protect their organisation, but also to share relevant threat information amongst similar organisations (let’s be honest, the attackers have been collaborating for years). It might be wishful thinking on my part, but this open approach would strengthen the organisation by learning and sharing lessons from past incidents and others’ experiences.

C-suite executives need to adopt this positive culture, embrace it and be seen to be doing so. Looking to positive stories from other organisations and how they posture themselves is no bad thing. Understanding their organisation and its risks is key. Improving staff awareness is paramount, and striving for a more risk-aware culture is hugely important, empowering those staff where possible. They should also ensure that governance, monitoring and logging, incident response and business continuity are ingrained in everything the company does.

Finally, and most importantly, it’s good to talk and even better to share!

[1] Source: Google Finance – AOL Money – Yahoo Finance