Until very recently, senior executives have been happy to pass the buck for cyber breaches to the IT department or claim that a significant cyber breach had been unforeseeable. But a series of high-profile resignations are now shining the spotlight squarely on senior board members.
US Office of Personnel Management head Katherine Archuleta has been forced to resign following a hack that compromised over 20 million personal records of government employees. Thomas Meston, the Chief Financial Officer of the London-based hedge fund Fortelus, also lost his job this month following a cyber hack that immediately emptied $1.2million from the fund’s bank account.
These are merely the two latest resignations in a trend that began in earnest last year when the chief executive of giant US retailer Target, Gregg Steinhafel, was forced to resign in the wake of a disastrous data breach that compromised 40 million shoppers’ credit cards and 70 million customers’ personal data including addresses. Given a breach of this magnitude, Steinhafel had little alternative but to resign from his position as the head of the $40 billion corporation.
The important thing for executives to realise regarding the growing number of executives losing their jobs in the wake of cyber breaches is that there is little any of them could have done after the event to limit the damage. Once a breach has occurred, the board will increasingly find itself accused of prior negligence. It is then up to the chief executive and his board to counter any negligence claims by proving that all reasonable steps had been taken to safeguard the organisation’s database.
When the digital age was young, it appeared reasonable for boards to delegate the safeguarding of the corporate database to the IT department, who would install the appropriate anti-virus software. But with hundreds of thousands of new variations of malware now being developed each and every day of the year, traditional safeguards are no longer adequate. Board members are now expected to create new budgets and ensure properly constructed cyber defences are in place.
The underlying reason for the growing focus on cyber security is the increasing value of corporate databases. The more business that is conducted online, the more valuable the database becomes. In the case of a growing number of corporations, the company’s database is more valuable than its cash holdings.
This is something that not gone unnoticed by international organised criminal gangs (OCGs), who are rapidly shifting their focus from financial fraud to data theft. Stolen data can be laundered more easily than stolen cash by disguising it as legitimate market research. Sometimes, the doctored data is presented to a rival organisation as legitimate; in others, it is simply put up for sale to the highest bidder. This is generally done via the Dark Web, using encrypted websites where anything can bought and sold. While corporate data is less likely to attract the attention of the authorities than, for example, arms or illegal drug trading, the damage inflicted on the compromised corporation can be severe.
In order to protect not only their own careers but also the future of the organisations they lead, senior executives must now understand that the buck stops at board level and securing their database - frequently their organisation’s most valuable asset.
Given the current global cyber crime wave, companies should not just take steps to prevent future breaches in their IT security but also determine what damage may already have been done. It is a truism in the security industry that there are only two types of organisation, those which know they have been hacked and those who have also been hacked but just do not know it yet. Only by hiring a third party with embedded sources deep in the Dark Web can an organisation discover the extent to which its database may already have been compromised.
Another mistake many chief executives make is to wrongly imagine that effective safeguarding of the corporate database only relates to cyber security. No matter how effective a firewall a company builds around itself, it must also take full account of the human element. As 80 per cent of cyber breaches can be traced to an internal source, it is crucial that organisations take the time to train their staff properly.
Thomas Meston, the Chief Financial Officer of the hedge fund Fortelus, for example, was forced to resign following a security breach that was executed over an old-fashioned telephone line rather than via a computer link. Nevertheless, the attack had all the hallmarks of a professional hack, bearing evidence of social engineering - one of the newest weapons in the cyber hacker's arsenal. It is, for example, revealing that the call ended just after 6:00pm on Friday evening. Choosing a time when their targets are likely to be tired and anxious to leave the office works in the hacker's favour.
Nor do we yet know if the hacker had, as is likely, done their homework and discovered details about Weston and his company or bank which would have helped validate the call in the CFO's mind. The same technique is used in so-called "spear phishing" attacks using bogus emails, which are also sometimes followed up with plausible bogus phone calls.
But whatever form of attack may occur, from now on the cyber security buck stops only at board level.
Stuart Poole-Robb is the chief executive of the security, business intelligence and cyber security adviser, the KCS Group Europe.