Instead of discussing the technical aspects of attacks and compromised accounts as we did in the last several articles, we are going to get a little more personal. Today we will discuss some well-publicized breaches and the consequences experienced by those persons held responsible. We don’t want to be all doom and gloom. At the end of the article, we offer some positive suggestions for pro-active measures you can take to anticipate the inevitable and prevent personal disaster.
Responsibility: Whose Head Shall Roll?
If your title is Chief Executive Officer, Chief Technology Officer, Chief Information Officer, Chief Internet Security Officer – the ultimate responsibility is yours. As you well know, or should, you do not have to be negligent, or commit an act of poor judgment to be held responsible. When a breach is expensive in terms of lost revenue, when it has damaged the company’s reputation, when bad news seems never to end – someone is going to take the blame. It won’t make any difference if you are just the sacrificial goat, your career is just as dead.
Aside from the drama; the truth is, the breach should not have happened. It was not just bad luck. Something allowed it to happen. Before it happens in your company and you become the next unemployed “Chief”; right now is the right time to find out what your security practices may be “allowing.”
The following stories, some of which you have surely heard of, are intended to trigger your sense of self-preservation.
The OPM (Office of Personnel Management) Breach
The OPM breach has the potential to cause to most damage to the public than any other breach in history. The attackers collected security clearance information. Anyone who had applied for a national security clearance, from a “Secret” level all the way to the highest levels protecting the United States’ national security has been compromised. Personal information contained in a security clearance file includes the Social Security numbers for you and your spouse, current & past addresses, dates and places of birth, and 5.6 million sets of fingerprints. To state the obvious – you cannot change your fingerprints.
In June 2015, OPM announced that it had been the target of a data breach targeting the records of as many as four million people. The data breach, which had started in March 2014, and may have started earlier, was noticed by OPM in April 2015. On July 9, 2015, the estimated number of stolen records had increased to 21.5 million. U.S. Department of Homeland Security official Andy Ozment testified that the attackers gained valid user credentials, likely through social engineering. The breach also consisted of a malware package which installed itself within OPM’s network and established a backdoor. Katherine Archuleta, the director of OPM, a position obtained through presidential appointment, resigned under pressure.
Similarly, the Target CEO and CIO resigned after the Target breach in 2014.
Military Secrets – No Secret Anymore
A NSA briefing slide labeled “Top Secret” and headlined “Chinese Ex-filtrate Sensitive Military Data,” states that the Chinese have stolen a massive amount of data from U.S. government and private contractors.
The Chinese used Facebook as a command and control point for planting malware. One NSA slide showed that victims who unwittingly accessed a Facebook page through an email would end up with their computers under the remote control of the Chinese.
One can only imagine the impact this event had on people’s careers. We can guess that the CISO’s career spiraled downward, as if it was shot out of the air!
How Data Breaches Can Affect Brand and Reputation
According to an article on Vitrium.com about how data breaches can affect brand and reputation, “… while not all data breaches are equal, most organizations do agree that their reputation is one of their most important and valuable assets. A breach can make an organization appear as if they do not take security seriously. Data protection and security are critical elements in protecting your brand’s reputation and maintaining customer loyalty.” A recent Forbes Insights report, Fallout: The Reputational Impact of IT Risk, highlighted how an IT security breach can have serious implications for a company is perceived.
According to the report:
- 46% of organizations suffered damage to their reputations and brand value as a result of a cyber-security breach
- 19% of organizations suffered damage to their reputations and brand value as a result of a third-party security breach or IT system failure
Jane Frankland, managing director of consultancy KnewSmart, said that such figures highlighted the importance of brand and corporate reputation “and the damage a breach can do if it’s not dealt with properly.” “What C-levels want from a CISO is a risk metric and a value in terms of cost. They want to understand exactly what their liability will be if such an event were to take place. CISOs need to be able to give C-level execs a definitive answer on this, yet often it’s hard as asset registers are missing, digital footprints are unknown, risk models are complex and claim forms are dubious.”
CISO’s that fail to adequately prepare their CEO’s suffer serious career damage when the inevitable attack happens.
Lawsuits and Other “Fine” Things
Experian faces class action lawsuit from T-Mobile customers affected by data breach.
(Noor Zainab Hussain for Reuters) – Credit data company Experian Plc said it had received a number of class actions related to the theft of T-Mobile US Inc. customer data at its server and was working with U.S. and other law enforcement agencies to investigate the matter.
Experian reported a fall in first-half pretax profit to $458 million from $534 million a year earlier. Revenue fell to $2.24 billion from $2.39 billion.
Fandango and Credit Karma settled a Federal Trade Commission (FTC) lawsuit stemming from application security flaws that resulted the companies not protecting their customer’s data.
According to the Federal Trade Commission, the companies failed to take “reasonable steps” to secure their mobile apps, leaving them vulnerable to so-called “man-in-the-middle” intrusions. The agency charged that the companies had somehow disabled SSL certificate validation, an industry standard that would have verified that the apps’ communications were secure. The companies could have caught and prevented the vulnerabilities with basic security tests.
Neither article reported what may have happened to the careers of the individuals held responsible for such lax security.
Pro-Active Suggestions – Anticipate, Prepare, Prevent
For some help rethinking your strategy, here are a few activities to consider, courtesy of Liz Zarins, assistant account executive at 5W Public Relations and a contributor to PR News’ Book of Crisis Management Strategies Vol. 8.
- Review the organization’s cyber security effort. Perform routine security assessments, update software regularly and enforce strict online regulations for all company associates.
- Increase internal training. Educate employees on phishing scams and other mistakes that can lead to a breach, increase your IT department’s security training by offering online tutorials and other free resources and practice response methods through security breach drills.
- Place more value on internal communication. Frequent communication between PR and IR minimizes the opportunity for something to go unnoticed.
- Reassess your crisis plan. Plan to reevaluate your organization’s crisis plan to respond to a security breach every six months to a year. Take time to add security capabilities and communication tactics, remove outdated protection systems and incorporate lessons learned from other organization’s breaches.
VeriClouds was founded by Rui Wang and Stan Bounev in 2014 to resolve the authentication security issues in Cloud Services. Information Security is not just a business opportunity. It is a calling, a passion, even an obsession. Rui and Stan joined forces to create ways to make the world more secure by making it safer to do business online. Rui has a Ph.D. in Cyber Security, and Stan is a successful entrepreneur with over 14 years of corporate and startup experience in the banking and technology industries.