Off With Their Heads! Execs get the ax for data breaches



Until last year, executives were able to pass the buck to IT in case a data breach hit the organization. However, several recent high-profile resignations are now putting the focus on board members. Here are a few examples:

US Office of Personnel Management head Katherine Archuleta was forced to resign over a massive hack that exfiltrated well over 20 million highly confidential personal records of government employees. Thomas Meston, CFO of the London-based hedge fund Fortelus, also lost his job following a cyber hack that emptied $1.2 million from the fund’s bank account.

And those are just the two latest victims. The trend began for real last year when Target's CEO stepped down in the wake of a disastrous data breach that compromised 40 million shoppers’ credit cards and 70 million customers’ personal data. Steinhafel had little choice but to resign as the CEO of the 40 billion company. Sony Pictures America co-chairman Amy Pascal stepped down in February after last year’s devastating breach at Sony Corp’s Hollywood studio. 

The important thing for board members to realize is that they can do little to mitigate the damage after the data has been exfiltrated. Once the data breach has happened, they will find themselves held responsible and accused of prior negligence. At that point it's up to the CEO and the board to defend themselves against these claims and show that all appropriate measures had been taken to protect the organization’s data.

Up to a few years ago, it sounded reasonable for a board to delegate the defense against hackers to the IT department. They relied to a large degree on traditional firewalls and antivirus. However, in the last few years antivirus (AV) has been shown to fall behind badly. With hundreds of thousands of new malware flavors being released in the wild every day, bad guys are overwhelming AV and often get through. Today, it is seen as the task of the Board to prioritize and make IT security budgets available so that defense-in-depth can be done the right way.

In order to protect not only their own careers but also the future of the organizations they lead, senior executives must now understand that the buck stops at board level and that securing their data, almost always their organization’s most valuable asset, is paramount.

Thomas Meston, hedge fund Fortelus' CFO, was forced to resign after falling victim to a social engineering attack over the phone. The attack, however, had all the hallmarks of a professional job. It was clear the hacker had done their homework and researched Meston in great detail, a technique also used in “spear phishing” attacks, which are sometimes followed up with very real-sounding phone calls.

Meston fell for the hacker's scam, but whatever the form of the attack, it is clear that today the cyber security buck stops at the board level. To prevent "human hacks" (which are the weak link of IT security), stepping all employees through effective security awareness training is a very cost-effective way to prevent a large part of data breaches. Find out how affordable this is for your organization and be pleasantly surprised.

UPDATE August 28, 2015: Noel Biderman, the CEO of infidelity website Ashley Madison's parent company Avid Life Media, has left, just over a week after hackers leaked data about millions of its clients in a massive cyber assault.






Hat Tip to ItProPortal 



