It’s official: 2017 was a record year for massive data breaches. First and foremost, there was the Equifax disaster, which exposed the hyper-private data of millions of customers to cybercriminals. Then there was the Republican National Committee breach, which leaked the personal information of over 200 million American voters. And don’t forget the Uber scandal, in which company executives paid hackers $100,000 after discovering that the data of over 200 million ride-sharing customers was being held for ransom.
In fact, the deeper we look into the state of data security at large corporations, the more we begin to realize it is crumbling. SVR Tracking, Kaspersky Lab, the CIA, and Whole Foods are just some of the big fish whose breaches come to mind. And the impact these breaches have had on corporate executives is no laughing matter, especially in the way it has forced them to stop blaming IT departments and assume some of the responsibility themselves.
Government Regulation On Corporate Responsibility
As a result, the government has started taking corporate organizations to task regarding their cyber-preparedness through new regulations. The City of New York, for example, is now actively requiring upper management of various firms in their city to sign a certification that their organizations are in compliance with the New York Department of Financial Services Cyber Security Regulation.
These regulations place the responsibility for cyber security on the leaders of these firms. If a breach happens and the government finds that the management of that company had been lax about its cyber security, then they will be at fault for violating a false claims liability act. Leadership should not just worry about day-to-day corporate concerns but take their cyber security obligations seriously.
Damage Control in Times of Data Breaches
Upper-level executives shouldn’t just work on cyber-preparedness – they need to be equipped to handle the aftermath of a breach. This became painfully clear in the Equifax breach. Equifax executives failed to handle the disaster properly. They waited two weeks before notifying stakeholders that a breach had occurred. Two weeks is an eternity in matters of information security, especially when millions of sensitive records like Social Security numbers are involved. Some of the executives at Equifax also sold some stock before informing the public of the breach.
When it comes to cybersecurity, the organization needs to create a body tasked with responding to a breach. That body needs a response plan tailored to specific points in time: while an attack is happening, several hours after the attack, and 24 hours and 72 hours after the attack. It also needs to plan how it will communicate the breach to stakeholders and the authorities. Aside from that, it will need to coordinate with a third-party security company to investigate what happened and to make sure that a breach never happens again.
Cyber-Preparedness: What Company Executives Can Do
Aside from creating a threat-response plan and protocols to handle breaches at every stage of the crisis, executives need to develop their own cyber security practices and habits. They should educate every employee at every level of their organization about what cyber security is and why it is important.
They need to be aware of the many kinds of scams out there in order to prepare for them. For example, there’s a new scam out there called spear phishing. In spear phishing, a hacker or cyber criminal poses as the top executive of a company and asks the CFO or other leaders to wire money to a specific account. Although this appears to be a simple scam, there are records of executives who fell for this kind of trickery.
In response to these problems, simple protocols like two-factor authentication or phone verifications can help in exposing these ploys. Executives can definitely stop identity theft and spear phishing by calling their fellow executives to confirm actions when they are in doubt.
The best response an executive can make against these looming threats is to educate himself or herself on cyber security and learn to practice care with their own information and their company’s data. An executive’s involvement and investment in cyber security matters, not delegation to their I.T. techs, will help their organization to proactively prepare for and defeat cyber security threats, and to repair the company’s reputation in the aftermath of one.