Andy Heather, VP EMEA, Centrify
Data breaches hit businesses hard. Yahoo’s disclosure that more than three billion user accounts had been compromised in 2013-14 knocked $350 million off its valuation. Equifax, meanwhile, has estimated that it will spend $275 million in clean-up costs this year following the massive breach it suffered in 2017.
A data breach is more damaging to a company’s reputation than a product recall, environmental incident or scandal involving the CEO, according to a 2017 Ponemon survey of senior marketing and IT professionals. The research also found that 65 per cent of customers who had been affected by a breach said they lost trust in that organisation, with one in four taking their business elsewhere.
Security incidents have a significant impact on the bottom line. In addition to customer loyalty, they hit share prices: the stock value index of 113 companies examined by Ponemon declined an average of five per cent the day a breach was disclosed.
For this reason, data breaches need to be recognised, planned for and treated the same as any other corporate crisis. Cybersecurity is no longer about protecting information; it’s about protecting the entire business and its value.
Get the issue on the boardroom agenda.
More than a third of senior IT and marketing professionals do not believe that brand protection is taken seriously by senior level executives. This is concerning. Safeguarding reputation requires a strategic and holistic approach to security that covers the entire organisation. This means the C-suite must be fully and actively engaged in developing and implementing a security strategy.
They must also lead the cultural change required, ensuring that every employee recognises the risks and impact of cyberattacks and data leaks, and understands their role in preventing them. This involves telling the data security story in a language and manner that everybody will align with.
Companies with a high security posture typically have a dedicated Chief Information Security Officer (CISO) who is responsible for ensuring that information is protected, as well as improving lines of communication across the business.
Knock down the silos.
There is a disconnect within most businesses around who is responsible for protecting the brand. Almost three quarters of IT practitioners do not believe brand protection has anything to do with them, despite 43 per cent admitting that a data breach would harm their company’s brand value. More than two-thirds (65 per cent) of senior marketers, however, think the IT department should take responsibility for safeguarding reputation.
Senior executives must work to close the gap between different areas of the business. They should facilitate conversations about IT security between teams, in particular prompting IT and marketing to work together to determine joint priorities and plans. Marketers have a key role to play in incident response plans, for example, by communicating effectively with customers and shareholders in the event of a breach.
Understand what customers expect.
Consumers will vote with their feet if a business does not meet their expectations. More than three quarters of UK consumers believe companies have an obligation to take reasonable steps to secure their personal information, but only two thirds of CMOs and IT professionals agree.
This highlights a gap between customers’ expectations and the sense of responsibility companies have in meeting them. To sustain loyalty, organisations must recognise and respect the desire for better security.
They must also put in place systems that enable them to identify and respond to data breaches, as mandated by regulations such as the GDPR, which requires organisations to notify EU citizens ‘without undue delay’ if their personal information has been compromised.
Assume there will be a breach.
Working on the basis of ‘when’ rather than ‘if’ enables a business to take a realistic, pragmatic approach to preventing and containing damage.
The best approach is a ‘zero trust’ model, which is founded on the assumption that absolutely everything on the enterprise’s network – be they users, endpoints or resources – must be identified and verified. This can be achieved with a handful of security technologies that many companies already use, including single sign-on (SSO), multi-factor authentication (MFA), privilege management and behaviour analytics.
Having a threat response plan ready to go is also key. This should include procedures for communicating relevant information to customers, investors and regulators.
Identify the primary threat to the business.
Without a clear and accurate picture of the specific threats the business faces, priorities will be in conflict and investment decisions will be focused on the wrong areas, exposing the business to risk.
According to a research study conducted by Dow Jones Customer Intelligence and Centrify, nearly two-thirds of CEOs believe malware is the most serious and pervasive threat to their data security. However, technical teams state that the primary threat comes from the misuse of privileged user identities and passwords. Verizon’s 2017 Data Breach Investigations Report bears this out, indicating that 81 per cent of all breaches involve weak, default or stolen passwords.
Strengthen privileged user identity controls.
Implementing an identity and access management (IAM) system will prevent attackers from gaining access to the network without affecting the ability of users to carry out their jobs efficiently.
Technologies should include single sign-on (SSO) to enterprise and cloud apps, and multi-factor authentication (MFA), which mandates a second step to confirm identity, such as a verification code sent to the user’s mobile phone. Enforcing the principle of ‘least privilege’ will reduce the likelihood of data loss from malicious insiders, by giving users access only to the systems and data they need to carry out the task at hand. Logging and monitoring privileged sessions will support governance.
Finally, encrypting all data when it is in transit and at rest will create a strong last line of defence.
Audit your vulnerabilities.
Establish a schedule of regular assessments to identify any ‘holes’ in the company’s security infrastructure and policies so that measures can be taken to address them quickly. This process should include the evaluation of the security and privacy practices of outsourced third-party vendors.
Information security, customer trust and company reputation are more tightly interlaced than they have ever been. Data breaches can inflict damage to the brand and bottom line that will continue to be felt long after any regulatory fines have been paid. By prioritising the safety of customer data, making everyone accountable for protecting it, and implementing the right technologies and practices, companies will be able to avoid or weather the storms that come their way.