Cyber Security Training & Software for Companies | MetaCompliance
Data Breach: Who Carries the Can?

Data breach statistics make for sobering reading: if you read this blog regularly, you will have noted that data breaches are common and frequently start with a social engineering attack, usually delivered by phishing.

In 2021, Cisco reported that around 90% of data breaches begin with phishing, with many of those relying on targeted spear-phishing rather than mass mailings. A cyber attack, or even an accident that leads to data loss, has many consequences. But what happens after a data breach occurs? Someone usually has to take ownership of having left the door open to cybercriminals, so who carries the can when data is breached?

The People Involved In a Data Breach

A data breach has a far-reaching impact on the people in an organisation. A cyber attack touches the very heart of a business, from the top brass to the shop-floor employee:

The CEO

A CEO plays an integral part in how cyber security is viewed in the organisation. A culture of security comes from the top down, and a data breach exposes a gap in that culture. CEOs are also in the sights of cybercriminals: scams such as CEO fraud and Business Email Compromise (BEC) impersonate a CEO and borrow their authority to commit fraud.

Analyst firm Gartner sums up the situation with its prediction that by 2024, 75% of CEOs will be personally liable for cyber-physical security incidents, the reasoning being that leaders who fail to focus on or invest sufficiently in cyber security will increasingly be held to account for the results. When a data breach occurs, a CEO must be ready to manage the situation and mitigate its impact on the business.

The Head of Security or CISO (Chief Information Security Officer)

The head of security is the obvious first port of call when anything security-related goes wrong. In a Tripwire survey, 21% of IT decision-makers said they would lay the blame for a security breach at the CISO's door. This is hardly surprising, as a CISO's job involves deciding on security best practices and supervising their enforcement.

So, when a data breach occurs, the CISO or head of security will be the one on the ground picking up the pieces alongside their team.

The Security or IT team

IT or security team members are at the sharp end of a data breach alongside their managers. It is their job to identify and respond to a breach, whether that work is done internally or by a third-party managed security service provider. However, the time needed to identify a breach can be lengthy.

For example, IBM's Cost of a Data Breach report found that it takes, on average, 212 days to identify a breach and a further 75 days to contain it. That is a great deal of work for IT and security personnel, and it takes them away from core projects for months at a time.

Compliance Officer

The compliance officer is under enormous pressure after a data breach. It is their job to ensure that regulations are adhered to post-breach, which means notifying the relevant supervisory authority of the breach and reporting the required details about it. The deadline depends on the breach's impact and the law in question: under the GDPR, for example, the supervisory authority must be notified within 72 hours of the organisation becoming aware of a breach, and some regimes require an initial notification within 24 hours of discovery.

Compliance officers must also handle a breach's wider fallout, including notifications to customers and the press. Finally, it will be the compliance officer's job to work with the CISO and others to rectify the situation that caused the data breach and prevent it from recurring.

Marketing and PR

Marketing may seem entirely outside the remit of a data breach response, but marketing and PR increasingly have a role to play. Embarrassment and harmful brand exposure are common consequences of a data breach.

A report into the financial costs of a cyber attack found that 71% of CMOs were convinced the highest cost of a security incident was the loss of brand value. Further, an Okta and YouGov survey found that 39% of British respondents had lost trust in a company that misused their data.

Trust is broken when a data breach happens. This materially affects the marketing and PR of a company. The marketers in an organisation must work to resolve the impact of a data breach on an organisation’s brand.

Employees

Direct responsibility for preventing a data breach, and for handling its aftermath, may lie with senior management. Still, employees are also affected: from a drop in morale, to increased stress levels, to disciplinary action for accidental data exposure, employees sit within the broader spectrum of responsibility for a data breach. That is why employees must be part of a general security culture that equips them to play their part.

Real-Life Data Breach Consequences

The impact of a data breach is not only financial; employees are materially affected, often losing their jobs, and some may even end up facing criminal charges. For example, a 2018 report from Shred-it found that 30% of UK companies that suffered a data breach terminated an employee's contract for negligence.

Some examples of data breaches that show the far-reaching impact on an organisation, and who ends up carrying the can, include:

Uber: the ride-hailing company suffered a data breach in 2016 that affected 57 million riders and drivers. However, Uber's head of security, Joe Sullivan, failed to disclose the breach. Instead, he allegedly told his staff to keep knowledge of the breach 'tightly controlled' and to present the incident as part of a bug bounty programme. Sullivan went as far as paying the hackers $100,000 under the guise of a 'bug bounty', with the hackers agreeing to sign non-disclosure agreements as part of the deal.

The consequences of this cover-up fell on both Uber and its head of security. Sullivan was recently found guilty of concealing the breach and faces a maximum of five years in prison on the obstruction of justice charge and three years on the misprision of felony charge. As for Uber, the company paid $148 million (around £130 million) in 2018 to settle with US state attorneys general over the breach.

DWP (Department for Work and Pensions): back in 2010, 26 employees were sacked for 'snooping on personal data' held in the department's Customer Information System (CIS). The problems were blamed on a 'lax security regime', with poor procedures for following up on notifications and alerts of unauthorised access.

SingHealth: a data breach at SingHealth in 2018 affected 1.5 million patients. As a result, two employees, the Citrix team lead and the security incident response manager, were found to have been negligent and were sacked. Personal financial penalties were also imposed on five senior executives of IHiS, the agency that ran SingHealth's IT systems, including its CEO.

How to Avoid the Personal Consequences of a Data Breach

Data is everyone's business, and the security of data should be an intrinsic part of your security strategy. This is achievable if a business works to develop a security-first culture that permeates the entire organisation. As the examples above show, we all share the consequences of a data breach.

Those consequences can be limited, however, by creating a culture of security in which everyone in the organisation is educated on how cybercriminals operate, on their own part in keeping data safe, and on how to spot phishing attempts.
