Perhaps the biggest difference from a year ago is the sheer number of attacks. Data breaches were only an occasional news item pre-Target; now hackers are getting smarter and breaches are happening every couple of months. Organizations falling victim in 2014 have included Home Depot, Kmart, Dairy Queen, JPMorgan, Supervalu, Goodwill, Neiman Marcus and, most recently, Staples.
The risk is much higher now, and because CEOs bear the ultimate responsibility for the brand, the reputation and the bottom line, there’s no doubt that the responsibility for ensuring their companies can prevent a breach rests firmly in the CEO’s corner.
HOW TO IMPROVE DATA SECURITY GOING FORWARD
The ideal breach situation is to have no breach at all. CEOs should look closely at their IT budget and ensure that security technology is regularly updated. When looking for places to trim the budget, data security is one area that not only should be left alone but, for many, should be increased, because a technology upgrade costs much less than a breach.
Rebecca Scorzato, director of crisis and security consulting, recommends that, to help prevent a breach, CEOs should lead strategic exercises to test every possible way that a cyberhacker could get into their company’s system and then work to prevent that opportunity. Having been thoroughly practiced, such a plan can be kicked into motion quickly should companies become the victim of a cyber breach.
These exercises should include “all necessary internal and external resources,” Scorzato told Security Week, such as IT, finance, HR, customer service and facilities. It’s important for the CEO to hear from each department what is needed to both prevent and fully recover from a breach. “It’s a mistake to treat this as an IT-readiness exercise,” Scorzato says. Rather, “it’s an organization-readiness exercise.”
CEOs should also work with their IT department to develop a measurement system and dashboard metrics that they can check easily and frequently to stay on top of data safety. Boards are increasingly asking questions about data security, and CEOs should be prepared to answer them.
TO TELL OR NOT TO TELL
With the proliferation of data breaches and their varying seriousness, some CEOs also are pondering the question of whether to disclose such incidents to the public. Public companies “are required to report breaches likely to affect investor decisions,” according to The Wall Street Journal. Other than what is deemed legally necessary, CEOs are “questioning the prevailing view that companies should always notify customers, vendors and authorities after a breach.”
The reason: going public could expose weaknesses that others could exploit. And banks usually reimburse customers for fraudulent credit-card charges whether the hacked company goes public or not. But what about the hit to a brand’s reputation over lack of transparency should the company not report such a cyber breach? Sometimes customers can speak louder with their wallets than anyone else.
Also, in today’s market, consumers may be more accepting of the risk. “Consumers might not love having their data breached, but they may be getting used to it,” reported Marketing Daily. While Target has been hit hard by the aftershocks of its breach, the impact on the perception of Home Depot and JPMorgan Chase brands was successively less after they reported their own cyberattacks, according to the YouGov Brandindex.
“Consumers have concluded that companies, even if they are diligent, cannot guarantee security,” YouGov Brandindex CEO Ted Marzilli said. “So until one of these data breaches is accompanied by large-scale theft or some other shock to the system, the impact on brand image of a single event is likely to be modest.”
That is not an excuse to ignore the perils, however, and CEOs, as part of their leadership responsibilities, should ensure their IT department has the tools and the knowledge needed to do all it can to deflect hackers. No CEO wants to be the feature of the next cyber breach story.