The unrelenting cadence of data breaches that are publicly reported, and the many more that we know go unreported, can have a numbing effect on how we process these incidents.
The novelty has certainly worn off, leading to what can be a counterproductive sense of resignation that big breaches are just the new normal on the enterprise landscape. Occasionally, though, there are incidents so jarring that they can, at least momentarily, shake the public from its complacency.
Such was the case in late July, when multiple remarkable developments in close succession cut through the noise, resurfacing the urgency of driving toward a more secure and stable state. Equifax, the credit-reporting giant, reached an estimated $700 million settlement related to the 2017 data breach in which hackers swiped the personal records of more than 140 million Americans. It was the largest such settlement to date stemming from a data breach – though it conceivably could have been even larger – and came in the aftermath of the earlier Moody’s downgrading of Equifax’s rating, the first time Moody’s cited cybersecurity in issuing a downgrade.
While that is quite the devastating one-two punch, the reputational damage Equifax has suffered figures to prove even more problematic in the long run.
As if the scope of the Equifax fine was not staggering enough, another case that has long been in the news – Facebook’s misuse of user data – led to a recent $5 billion fine from the Federal Trade Commission, underscoring that data privacy missteps will be dealt with as seriously, if not more so, than conventional data breaches.
While the extent of the fallout is still unfolding for Capital One, news of a data heist involving around 100 million credit card applications from between 2005 and 2019 signaled a similar reckoning is in the offing for the large, US-based banking and credit enterprise.
Meanwhile, another attention-grabbing story unfolded in Eastern Europe, this one from the public sector, as personal records related to more than five million Bulgarians were hacked via the country’s tax revenue office. Consider that the population of Bulgaria is only around seven million people, and the scope of the breach becomes all the more staggering.
While this attack is understandably causing consternation locally and raising eyebrows abroad, Bulgaria is by no means the only country or government agency to fall victim to a high-profile breach. In the US, for example, the Office of Personnel Management had more than 20 million records swiped in a 2015 breach.
Any enterprise that collects and manages personal data has a deep responsibility to safeguard the data, including, and perhaps especially, governments and other public sector entities. As Guy Bunker, chief technology officer at Clearswift, told CNN, “Your date of birth is not going to change, you're not going to move house tomorrow. A lot of the information that was taken was valid yesterday, is valid today, and will probably be valid for a large number of people in five, 10, 20 years’ time.”
Unfortunately, governments are often among the main culprits when it comes to insufficient data protection, underscoring the need to have appropriate oversight bodies capable of holding them accountable.
In each of these high-profile cases, there’s a knee-jerk instinct to assign blame. While there is an aspect of needing to hold people accountable in certain instances, it is even more important that boards and enterprise leaders take a step back and evaluate their organization’s level of cyber-maturity.
One of the best places to start is to determine what data their enterprises have and where it is stored, as well as where the backups are stored. Doing a data inventory – including appropriately classifying and categorizing the data – is an important step toward developing tighter data governance and data protection.
That is just one piece of the puzzle: it is incumbent upon enterprises to clearly understand where they are relative to their desired cyber maturity level. Organizations need to arrive at a clear assessment of where they stand, what their gaps are and how to put in place a roadmap for targeted improvement.
In particular, enterprises that possess sensitive information about individuals (such as Equifax and governmental agencies) must become equipped to quickly identify and close gaps in their cyber-maturity. Otherwise, enterprises run the risk not only of absorbing the massive financial penalties that come with breaches, but also of facing the daunting and long-term challenge of rebuilding their reputations with customers – reputations that can take years to build but only moments to destroy.
Part of cyber-maturity involves having a great incident response plan that goes beyond laying blame, a missing ingredient that contributed to the scope of Equifax’s problems.
A recent EY study of global CEOs found cybersecurity to be the number one threat to the world economy. That might be in recognition of the reality that, while we’ve been tracking data breaches for more than two decades, we remain at the tip of the iceberg in terms of the scope of the breaches we’re going to see as well as the fines we will see levied.
Cyber-criminals are becoming increasingly sophisticated and leveraging more potent technologies, including using artificial intelligence to tailor phishing attacks, to further their schemes. There will be more costly incidents like those damaging Equifax, Capital One and Facebook in the private sector, and more scenarios like what transpired in Bulgaria that wreak havoc on the public sector.
The only path to stemming the tide is enterprise leaders springing to action in recognition that building cyber maturity is a foundational component of their ability to conduct business and protect stakeholders from an increasingly perilous threat landscape.