Data Breach Experts to Board of Directors: Wake the Hell Up

Despite deluge of stolen PII, data breach experts see little change in corporate security behavior

The results of a Ponemon Institute survey commissioned by defense contractor Raytheon suggest that the massive attention generated by recent data breaches has failed “to move the needle” in changing behaviors and attitudes toward information security at many companies.

One of my most trusted sources of information about data breaches is Larry Ponemon of the Ponemon Institute. Larry’s data is unbiased, no nonsense and reliable, even though his work is occasionally commissioned by interested parties (like Raytheon). Supported by studies from other data breach experts, we are all screaming at your organization to WAKE THE HELL UP! I rarely use statistics (and only occasional but fully-justified swearing) in my keynote presentations (because I don’t fancy sleeping audiences — or lawsuits), but today I’m going to BOMBARD you with them. Use whichever stat you think will best shock your “head-in-the-scorching-sand” executive out of the destructive malaise that might lead you into an Anthem-like, Sony-style, Target-worthy data breach:

  • Many executives still appear to view a data breach as something that only happens to others (I call this the Arrogance Effect). Further, of the respondents commenting on their senior leaders…
  • 66% DO NOT perceive cybersecurity as a strategic priority
  • 78% HAVE NOT briefed their Board of Directors on their cyber security strategy over the past 12 months
  • 53% of organizations fail to take appropriate steps to comply with leading cyber security standards
  • Only 10% make their information security department responsible for granting access rights. So who controls the other 90%?
  • Despite the risks posed by insiders, 49% have no policies for assigning privileged user access
  • 57% fail to do a background check before assigning privileged credentials

If you haven’t had enough… more from PricewaterhouseCoopers

  • The total number of security incidents detected by respondents climbed to 42.8 million this year, an increase of 48% from 2013.
  • That’s the equivalent of 117,339 incoming attacks per day, every day.
  • The compound annual growth rate (CAGR) of detected security incidents has increased 66% year over year since 2009 (and that’s only the incidents that were detected and reported).
  • Crimes caused by internal actors are often more costly or damaging than compromises perpetrated by external groups. Yet many companies do not have an insider-threat program in place, and are therefore not prepared to prevent, detect, and respond to internal threats.
  • 65% of top offenders of insider crimes are current and former employees and most of the rest are contractors & consultants

And here’s the kicker for every data breach expert…

  • As incidents are rapidly rising, security spending is falling.
  • Investments in information security budgets declined 4% over 2013.
  • Small organizations, in particular, are not spending on security: Companies with revenues less than $100 million reduced security investments by 20% over 2013.
  • Many organizations have not yet elevated information security to a Board-level discussion. Fewer than half (42%) of respondents said their board actively participates in overall security strategy.
  • Barely 25% said their boards were involved in reviewing current security and privacy risks to their organizations.

Believe it or not, in spite of the rash of massive data breaches, very few Chief Information Security Officers (CISOs) directly report to the CEO (just 14% in the Raytheon survey).

Before the Target data breach, Target had never hired a CISO. Obviously, before the breach happened, security wasn’t important to them either. That was a costly oversight that they will pay for in years to come as the poster child of the cyber security data breach.

John Sileo is an award-winning author and keynote speaker on keeping your organization from becoming the next data breach headline. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.