Data breach statistics make sobering reading: if you read this blog regularly, you will have noted that data breaches are common and often start with a social engineering attack augmented by phishing.
In 2021, Cisco recorded that 90% of data breaches begin with phishing, most of these breaches relying on targeted spear-phishing. A cyber attack or even an accident that leads to data loss has many consequences. But what happens after a data breach occurs? Someone usually must take ownership of leaving the door open to cybercriminals, so who carries the can when data is breached?
The People Involved In a Data Breach
A data breach has a far-reaching impact on the people in an organisation. A cyber attack touches on the very heart of a business, from the top brass to the shop floor employee:
The CEO
A CEO plays an integral part in how cyber security is viewed in the organisation. A culture of security comes from the top down, and a data breach reflects a chink in this culture. CEOs are also in the sights of cybercriminals, with scams such as CEO fraud and Business Email Compromise (BEC) using a CEO’s authority to commit fraud.
Analyst firm Gartner sums up the situation by predicting that by 2024, 75% of CEOs could be personally liable for cyber-physical data breaches if their company did not focus on or invest sufficiently in cyber security. When a data breach occurs, a CEO must be ready to manage the situation and mitigate its impact on the business.
The Head of Security or CISO (Chief Information Security Officer)
The head of security is the obvious first port of call when anything security-related goes wrong. In a Tripwire survey, 21% of IT decision-makers would lay the blame for a security breach at the door of the CISO. This is hardly surprising, as a CISO’s job involves deciding on best security practices and supervising their enforcement.
So, when a data breach occurs, the CISO or head of security will be the one on the ground picking up the pieces alongside their team.
The Security or IT team
IT or security team members are on the front line of a data breach alongside their managers. It is their job to identify and respond to a data breach, either internally or through a third-party managed security service provider. However, the time to identify a breach can be lengthy.
For example, an IBM survey found that it takes, on average, 212 days to detect a breach and 75 days to contain it. That involves much work for IT and security personnel, taking them away from work on core projects.
The Compliance Officer
The compliance officer is under enormous pressure after a data breach. It is their job to ensure that the regulations are adhered to post-breach. This means notifying the relevant supervisory authority of the breach and its details. Depending on the breach’s impact and the applicable law, this may have to happen within 24 hours of discovering the breach.
Compliance officers must also deal with a breach’s far-reaching fallout, including dealing with customer and press notifications. Finally, it will be the compliance officer’s job to work with the CISO and others to rectify the situation that caused the data breach to prevent it from reoccurring.
Marketing and PR
Marketing may seem entirely outside the remit of a data breach response, but marketing and PR must increasingly play a role. Embarrassment and harmful brand exposure are often a consequence of a data breach.
A report into the financial costs of a cyber attack found that 71% of CMOs were convinced the highest cost of a security incident was the loss of brand value. Further, an Okta and YouGov survey found that 39% of British employees have lost trust in a company that misused their data.
Trust is broken when a data breach happens. This materially affects the marketing and PR of a company. The marketers in an organisation must work to resolve the impact of a data breach on an organisation’s brand.
Employees
Direct responsibility for preventing a data breach, and for handling its aftermath, may lie at the door of senior management. Still, employees are also affected: from a drop in morale to increased stress levels to disciplinary action for accidental data exposure, employees are part of the broader responsibility spectrum of a data breach. Therefore, employees must be part of a general security culture that empowers them.
Real-Life Data Breach Consequences
The impact of a data breach does not only include financial consequences; employees are materially affected, often losing their job, and some may even end up in prison. For example, a 2018 report from Shred-IT found that 30% of UK companies that suffered a data breach terminated an employee’s contract for negligence.
Some examples of recent data breaches that show the far-reaching impact on an organisation, and who ends up carrying the can, include:
Uber: the car hire company suffered a data breach in 2016 that affected 57 million customers. However, the head of security (Joe Sullivan) at Uber failed to disclose the breach. Instead, the security head allegedly told his staff to keep knowledge of the breach ‘tightly controlled’ and to present the incident as part of a bug bounty program. Sullivan even went as far as to pay the hackers $100,000 as part of the ‘bug bounty,’ the hackers agreeing to sign non-disclosure agreements as part of the deal.
The result of all this subterfuge has devastated both Uber and the head of security. Sullivan was recently found guilty of not disclosing the breach and faces a maximum of five years in prison for obstruction and three years for a misprision charge. As for Uber, the company was fined $148 million (£130 million) in 2018.
DWP (Department for Work and Pensions): back in 2010, 26 employees were sacked for ‘snooping on personal data.’ The data was stored in the Department for Work and Pensions (DWP) Customer Information System (CIS). The issues were blamed on a ‘lax security regime’ with poor procedures for following up on notifications and alerts.
SingHealth: a data breach at SingHealth in 2018 affected 1.5 million patients. As a result, two employees, the Citrix team lead and the security incident response manager, were found to be negligent and were consequently sacked. Personal fines were also issued to five senior management executives, including the CEO.
How to Avoid the Personal Consequences of a Data Breach
Data is everyone’s business, and the security of data should be an intrinsic part of your security strategy. This is achievable if a business works to develop a security-first culture that permeates the entire organisation. As shown here, we all share the consequences of a data breach.
However, those consequences can be controlled by creating a culture of security where everyone in the organisation receives education on how cybercriminals operate, their part in keeping data safe, and how to spot phishing attempts.