The eye-opening news that the CEO of Sweden’s most prominent security firm had fallen victim to identity theft from hackers—combined with the news that 6 million Verizon customers had their personal information exposed online by a vendor last month—painfully illustrates how data breaches can wreak havoc not only on businesses and their customers, but also on those in charge of managing businesses.
A Securitas statement indicated that Goransson’s personal information was stolen in late March, when a fraudulent loan application was filled out in his name. Goransson reported that incident to police in early April, then heard nothing about it until July 10, when he was declared bankrupt.
Goransson successfully appealed the ruling two days after it was issued and is in the process of having his positions officially re-registered with the Swedish Companies Registration Office. But the optics of the situation are anything but ideal for a security firm CEO.
“When a third-party vendor is going to have access to your system, know their security protocols and assess their systems to ensure they’re secure and compatible with yours.”
Verizon, meanwhile, announced this week that there had been no loss or theft of information from approximately 6 million customer accounts that were made publicly available on a cloud storage platform by an employee of Verizon vendor Nice Systems in late June.
Both incidents underscore the ongoing importance of data security for CEOs, both for their companies and for themselves. Bob Shields, director of forensic investigation services at professional services firm Sikich LLP and a former FBI special agent, shared a few tips for CEOs looking to keep their company, customer and personal data safe and sound, and to be prepared for the worst.
• Rehearse. Conduct a tabletop exercise where C-suite executives come together to walk through a scenario in which the company’s information has been compromised and to determine how they would react to that situation. “You don’t want to be left reacting to a situation once it’s happened. If you have this type of exercise, it ensures everyone will understand their role when it occurs,” Shields says. “You would really see how all of the executives and company personnel would come together to try and determine how to resolve it and come back with action items on what the company can do better. Eventually those executives will go back and run the same types of tabletops with their divisions.”
• Assess. Make sure that any outside vendors that have access to company data are up to your company’s security standards to avoid problems like the one Verizon is currently in the headlines for. “When you’re going to deal with a third-party vendor or someone who’s going to have access to your system, know the security protocols they have in place, and make sure you’ve assessed their systems to ensure they’re secure and compatible with your system,” Shields says.
• Engage. Establish a corporate culture where cybersecurity is a priority—from the C-suite down. Making sure everyone in the company is diligent about not opening any email files from untrusted sources is a critical first step in this process. “The C-suite encompasses the entire company,” Shields points out. “They’re the ones who are going to set the tone as far as making sure everyone is engaged when these situations occur.”
• Check. For CEOs concerned about their own personal information being targeted, Shields suggests keeping close tabs on personal credit reports and information to make sure their identity information hasn’t been compromised. “Checking your personal data or accounts is no different [for CEOs] than for anyone else,” Shields says.
As for Goransson, his situation had no lasting impact on either himself or Securitas (aside from the somewhat embarrassing headlines). Securitas senior vice president, corporate communications and public affairs, Gisela Lindstrand told Chief Executive that Goransson’s official status as CEO “was re-registered right after the Court of Appeals’ decision Wednesday afternoon.” Although Goransson also had been de-registered from board positions with outside companies Loomis AB and Hexpol AB as a result of the situation, those registrations also have since been restored.