Data Breaches Surging: Who’s to Blame?
Security and data breaches at giant companies have now become staples in the news. There is no doubt that cybersecurity has become a fundamental challenge in times like today—as individuals, corporations, and government agencies become victims of cyber-attacks every other day.
The year 2017 was a year of major breaches. Verizon, Equifax, HipChat, Wonga, and multiple healthcare organizations are a few to name. And then came the Cambridge Analytica and Facebook data scandal that has been everywhere. These are massive data breaches, unlike the monitoring conducted by employers when they use Xnspy or other spyware apps for digital surveillance.

photo/ Jan Alexander
A key step in handling a data breach is first discovering why it happened, which is why many organizations spend time and money tracing its sources. It is not always easy to determine who is accountable or responsible for the breach.
Even though organizations in all industries rank cybersecurity as the most pressing issue, and despite the rising threats, a typical cybersecurity budget is profoundly underfunded. Steve Vintz of Harvard Business Review says that the IT budget makes up three to seven percent of a company's revenue, while the security budget is 5 percent of what the IT department spends. In other words, a company allocates over 1 percent of its revenue to safeguard against catastrophic attacks and breaches.
This explains why we hear about a new data breach every other day. A consumer or a shareholder would perhaps blame the organization itself for the breach, just as we all blame Facebook for mishandling our data. If you zoom in to take a deeper look at the scenario, there are many people responsible for implementing and maintaining the security measures that protect a company's data. Let's take a look at them:
CEOs and Business Managers
When a business does not allocate enough budget to implement advanced IT security solutions, the fault undoubtedly falls on the ones who make financial decisions like the business managers or CEOs.
This was pretty clear from the Equifax breach. Equifax suffered a massive data breach last year in September, exposing the personal and financial information of about 145 million customers in the USA. The compromised information included customers' social security numbers, birthdays, and credit card details. The former CEO of the company, Richard Smith, along with the interim CEO, was called to testify regarding this compromise. Senator Cory Gardner questioned Mr. Smith and the interim CEO about the lack of encryption of customer data at Equifax. It turned out that at the time of the breach, Equifax was not encrypting user data. That's because Smith believed that encryption is not a complete solution for protecting data, just one way of securing it. Therefore, it was decided to leave the data unencrypted.
It makes sense to assign blame to the CEO because they are responsible for determining which corporate data security partners to work with.
Chief Information Security Officers (CISOs)
In some scenarios, a data breach occurs even after a company has spent an adequate budget on cyber-attack prevention. In that case, the next link in the chain is the CISO, since they are the senior-level executive responsible for not just executing but also overseeing the company's cybersecurity strategy. A 2017 survey says that 21% of IT security professionals blame CISOs for data breaches.
Some of the roles of a CISO include hiring IT security staff, developing secure business policies, disaster recovery planning, conducting security awareness training for employees, evaluating and purchasing cybersecurity products, and managing responses to cybersecurity incidents.
Employees
After the CEOs and CISOs, it is the employees who are to be held responsible. This was pretty evident from the 2018 Data Breach Investigations Report by Verizon. It revealed that 25 percent of the data breaches it analyzed were caused by insiders. The majority of these breaches were the result of employee blunders, social engineering, and a lack of cybersecurity knowledge.
Yes, even if an organization deploys the right systems and policies to defend itself in the data security war, breaches can still happen because of human error. Sometimes even the smartest among us fall for social engineering scams, particularly when they are well crafted.
Consumers
Some share of the blame goes to the end consumers too. If they trust a dubious organization with their personal and bank information, do not use strong password protection, use public Wi-Fi, etc., they are actually handing their sensitive information over to criminals and attackers themselves.
Eventually, a data breach is a shared responsibility
When a data breach occurs, there isn't a single person to blame, because data risk management is a team effort. Yes, it's mostly the CEO's responsibility, because if you are running a business that collects and stores information about customers, consumer privacy protections should be in place. The CISO should not just implement the data security and privacy policies but also communicate them within the organization. Data risk management should be a proactive engagement for all employees. A few bad decisions made by a few personnel in the company can easily have a snowball effect and lead to a devastating breach. Even if the organization is somehow not responsible for the breach, it should take responsibility for ending it.
Author: Ravi Kumarr Gupta