Cyber security professionals blame CEOs for data breaches

The past year has seen attacks like Wannacry and Petya cause worldwide disruption, with countless data breaches harming many household names.

The damage to reputation, and increased public scrutiny, caused by a data breach, coupled with the fact that a global cyber attack could cost on average $53 billion, could severely cripple a business to the brink of bankruptcy.

>See also: Pointing the finger: consumers blame businesses for data breaches

So, if a data breach occurs, who is to blame? Tripwire, a provider of security and compliance solutions for enterprises and industrial organisations, conducted a survey at Infosecurity Europe 2017 to ask security professionals whose neck is most on the line if a company has a data breach.

Of the respondents, 40% believed the CEO’s were the first to be in the firing line if a company was compromised by a data breach, followed by CISO (21%), “other” (15%) and CIO (14%).

Based on these results, CEO’s must be aware of the basic principles of security. We have already seen CEO’s accept responsibility for data breaches. Marissa Mayer, CEO of Yahoo, forfeited her cash bonus following a breach under her tenure.

However, the responsibility of understanding and implementing security should not solely fall on the CEO’s shoulders. Foundational security controls should be demonstrated from the board level all the way down to the workforce.

>See also: The inevitability of the data breach: who is to blame?

Tim Erlin, VP at Tripwire said, “Accountability starts with the CEO, but information security is a shared responsibility across every function and level of an organization. Data breaches are a problem that the board-level executives need to be responsible for addressing, which means that the CISO must be involved in those board-level discussions. The board can’t take meaningful, productive risk management action without that expertise in the room.”

“Nevertheless, even the most diligent organisations are still susceptible to attack, and to human error. Businesses need to implement and maintain a core set of foundational security controls, which is a proven strategy for reducing the risk of cyber attacks. The focus should be on a balance of tools and outcomes, and especially a balance between prevention and detection.”

In addition to finding out whose neck was on the line from a data breach, Tripwire also uncovered which department security professionals felt struggled most with cyber security. Nearly a third (29%) thought the Operations department struggled with dealing cyber attacks. Departments chosen by security professionals included Finance (14%), Sales (13%), HR (11%) and Marketing (10%) found it difficult when handling cyber attacks.

>See also: A data security check a day can keep the hackers at bay

Erlin added, “Companies must recognise the need for a cross-functional incident response plan. The worst time to plan for a cyber attack is after the incident has occurred, but this is what happens far too often. Security hygiene goes a long way toward making the attackers job’s difficult, as well as creating confidence in your company’s overall security, but incidents still occur and creating awareness of the incident response plan ahead of time will prevent panic, especially from the groups that don’t worry about these attacks on a daily basis.”

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...