With Great Power Comes Great Responsibility: Learning from a major data breach

Published 18 - January - 2019

Are the recent data breaches finally a catalyst for change in how cyber risk is managed?

There was a great deal of discussion towards the end of 2018 regarding the data breaches that made the news. It seemed no industry was immune, with retail, airline, healthcare, telecommunications, entertainment and internet giants among those breached. As we entered the final month of 2018, attention switched to the Marriott Starwood data breach, which Marriott initially reported as affecting up to 500 million guests.

December 2018 also saw the U.S. House of Representatives Committee on Oversight and Government Reform publish a comprehensive report on the Equifax data breach, which occurred in 2017.

While much of the detail surrounding the Equifax data breach remains confidential, the report (together with other publicly available material) provides stark insight into the circumstances of the breach. In particular, the findings trace the series of events that allowed such a major breach to remain undetected for so long, and that shaped the corporate fallout over the subsequent months.

While Equifax continues to receive significant scrutiny over its handling of the data breach, the important question is whether business leaders and the cyber security community can learn from this major cyber event, which affected approximately 145 million individuals. Is this a turning point for all organisations, particularly those that hold high volumes of personally sensitive information?

With the many security failures acknowledged and understood, it is now essential for CEOs and other business leaders to establish a plan of action to manage cyber risk more effectively. Here are 10 considerations for CEOs and executive management to incorporate into their cyber risk management plans and help avoid a major data breach.

  1. Acknowledge that with great power comes great responsibility. Lead by example and drive the security behaviours and culture expected throughout the organisation.
  2. Promote a strong culture of communication and collaboration between operational, technology and security teams, regardless of reporting lines.
  3. Initiate and support a comprehensive review of business operations across the organisation, taking into account information used, supporting technology and the people involved.
  4. Pay attention to legacy, proprietary and external systems that may be contributing to an unnecessary and unacceptable level of risk.
  5. Assign ownership and responsibility for the ongoing management and protection of information and technology throughout the organisation.
  6. If leveraging emerging technologies such as artificial intelligence, machine learning, neural networks and deep learning, don’t lose sight of basic protection requirements for the mainstream technology used across the organisation.
  7. Apply a proven risk assessment methodology to manage cyber risk, which takes into account different factors, such as active business projects, application development activities, technology infrastructure and data centre operations.
  8. Demand assurance that widely-accepted fundamental security arrangements (e.g. system configuration, access control, patch management, event logging and backup) are in place and operating as expected.
  9. Use post-breach reports, such as the one published by the House of Representatives, to inform cyber security exercises, which can help test an organisation’s cyber resilience and determine the organisation’s readiness for malicious attacks.
  10. Ensure communications to shareholders, customers, investors, consumers, business partners and regulators reflect the nature of the risk to the organisation and the reality of the protection in place to manage those risks.

The Information Security Forum performs extensive research covering information risk and cyber security, which is complemented with a comprehensive suite of risk management tools and authoritative publications. Organisations can manage cyber risk effectively by using many of the ISF’s tools, publications and services.
