The major data breaches of the past year have hit businesses hard. Equifax saw its share price drop by 13 per cent within a day of revealing its breach, and estimates it will end up spending $275 million in clean-up costs this year. Yahoo suffered a $350 million drop in its sale price to Verizon after reporting that data breaches had affected one billion accounts – a number which was later revised to all three billion.
The impact these incidents have had on the bottom line should be enough to grab the attention of executives and directors in every industry, and motivate them to rethink their security strategy. However, more than a third of senior IT and marketing professionals believe that brand protection is still not taken seriously by senior level executives, according to a 2017 Ponemon survey.
Equifax and Yahoo are not alone. In the same study, Ponemon examined 113 publicly traded companies, and found that they lost an average share value of five per cent on the day that a data breach was disclosed.
The security posture adopted by the breached organisation had a direct effect on how quickly its share price recovered. Companies with a high security posture which enabled them to respond quickly to the breach event rebounded after an average of just seven days. Those with a low security posture, and which did not respond quickly, experienced a stock price decline lasting on average more than 90 days.
The lessons are clear for the C-suite: cybersecurity must be a leadership priority, because data breaches have a direct impact on an organisation's financial wellbeing. IT professionals can help business decision makers to understand the dimension of the cybersecurity challenge, and how to formulate appropriate solutions, by asking six straightforward questions.
Question 1: What is the corporate impact of a data breach?
As well as having a negative impact on the value of public companies, disclosed data breaches scare off customers. In a recent survey by Centrify, 32 per cent of respondents revealed they had stopped using Equifax, Uber or Yahoo after they learned of their breaches.
As well as being bad for investors, data breaches are clearly bad for business.
Question 2: Who is responsible for preventing data breaches?
If the answer is “our IT department”, then you ought to feel nervous. Companies with a high security posture typically have a dedicated Chief Information Security Officer (CISO) as the senior-level executive responsible for ensuring that information assets and technologies are protected.
Question 3: What is the biggest threat to data security?
Almost two thirds of CEOs believe malware is the most serious and pervasive threat facing their organisations, according to research conducted by Dow Jones Customer Intelligence and Centrify. However, technology officers like CISOs, CIOs and CTOs say that the primary threat comes from the misuse of privileged user identities and passwords.
If decision makers don’t have an accurate picture of the risks faced by the business, they will set the wrong priorities and invest in addressing the wrong areas, making the organisation vulnerable to attack.
Question 4: Are users’ passwords strong enough?
The answer to this question is always "no". A password is a single, reusable secret: it can be phished, guessed from leaked breach dumps or reused across services, so on its own, no matter how clever or how frequently changed, it is never strong enough to stop a determined attacker or a disgruntled employee.
Eighty-four per cent of respondents polled in Centrify’s survey went so far as to say that the time has come to no longer trust the password as a reliable credential.
Multi-factor authentication (MFA) – which mandates a second step to confirm a user's identity, such as a one-time code from an authenticator app or a text message to the user's mobile – provides much more robust protection for data and deters intruders. One caveat for practitioners: codes delivered by SMS can be intercepted through SIM-swap fraud, so an authenticator app or a hardware security key is the stronger choice where the user base allows it.
Question 5: What happens when your IT security is breached?
Working on the assumption of ‘when’, rather than ‘if’, provides a much more realistic and practical position towards today’s threat environment. A strategy to contain the damage will pay for itself many times over.
Organisations can reduce their attack surface, and limit how far an intruder can move laterally once inside, through privileged access management – ensuring that users hold only the privileges, systems and data they need to do their jobs, and that elevated rights are granted for a task rather than held permanently.
The best overall approach to take is one of 'zero trust': assume that untrusted actors already exist both inside and outside the network, and therefore grant no trust on the basis of network location alone. That means absolutely everything on the enterprise's network – users, endpoints and resources – must be identified and verified, and every access request authenticated and authorised, before access is allowed.
Question 6: What happens to security credentials when someone leaves the company?
Organisations require a centrally managed console from which security staff can push apps to each new employee based on their role, monitor access to the apps, provide single sign-on to multiple applications and manage the devices used to access those systems.
Because every application is then reached through one central identity, disabling that identity revokes all access as soon as an employee leaves, instead of security staff hunting for accounts in each system. Not only does this functionality make the onboarding process more efficient – it also makes staff departures much more secure, provided the directory is regularly reconciled against HR records so that no account outlives its owner's employment.
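The reconciliation that makes offboarding reliable can be automated. The following is an added example, not code from the article or from any Centrify product: it compares a constructed HR roster with a constructed export of directory accounts and flags leavers whose accounts are still enabled, leavers still holding privileged group membership, accounts with no HR owner at all, and active users who have not logged in for a long time. The group names, field names and sample records are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set

# Assumed names of groups that carry elevated rights in this hypothetical directory.
PRIVILEGED_GROUPS = {"domain-admins", "prod-ssh", "db-admins"}


@dataclass
class Employee:            # one row of the HR roster
    employee_id: str
    status: str            # "active" or "terminated"
    termination_date: Optional[date] = None


@dataclass
class Account:             # one row of the directory / SSO export
    username: str
    employee_id: Optional[str]   # link to HR; None means nobody owns the account
    enabled: bool
    groups: Set[str]
    last_login: date


@dataclass
class Finding:
    username: str
    kind: str
    detail: str


def reconcile(roster: List[Employee], accounts: List[Account],
              today: date, stale_days: int = 90) -> List[Finding]:
    """Return every account whose state disagrees with HR's view of its owner."""
    hr = {e.employee_id: e for e in roster}
    findings: List[Finding] = []
    for acct in accounts:
        emp = hr.get(acct.employee_id) if acct.employee_id else None
        if emp is None:
            findings.append(Finding(acct.username, "orphan", "no HR record owns this account"))
            continue
        if emp.status == "terminated":
            if acct.enabled:
                days = (today - emp.termination_date).days
                findings.append(Finding(acct.username, "leaver-still-enabled",
                                        f"owner left {days} days ago"))
            held = acct.groups & PRIVILEGED_GROUPS
            if held:
                findings.append(Finding(acct.username, "leaver-privileged",
                                        "still in " + ", ".join(sorted(held))))
        elif acct.enabled and (today - acct.last_login).days > stale_days:
            findings.append(Finding(acct.username, "stale-active",
                                    f"no login for {(today - acct.last_login).days} days"))
    return findings


# Constructed sample data: HR roster and directory export as of a fixed date.
TODAY = date(2018, 3, 1)
ROSTER = [
    Employee("E100", "active"),
    Employee("E101", "terminated", date(2018, 2, 20)),
    Employee("E102", "active"),
]
ACCOUNTS = [
    Account("alice", "E100", True, {"prod-ssh"}, date(2018, 2, 28)),
    Account("bob", "E101", True, {"domain-admins", "vpn"}, date(2018, 2, 19)),
    Account("carol", "E102", True, set(), date(2017, 10, 1)),
    Account("svc-backup", None, True, {"db-admins"}, date(2018, 2, 27)),
]

if __name__ == "__main__":
    for f in reconcile(ROSTER, ACCOUNTS, TODAY):
        print(f"{f.kind:22} {f.username:12} {f.detail}")
```

Run daily, the "leaver-still-enabled" and "leaver-privileged" findings are the ones that should be zero; an orphan account is a reminder that service accounts need a named owner too.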
Asking the C-suite these six questions is a good way to ensure that they are aware of the need to prepare the organisation for the worst, by making a proactive investment in cybersecurity. A strong zero trust security posture is the best way to build resilience to the devastation a data breach can cause to the business.
Barry Scott, CTO EMEA, Centrify