
No one knows what the future holds, but it’s a pretty safe bet to say 2014 will become known as the “Year of the Data Breach.” Yet amid the finger pointing, the executive culls and inevitable media coverage, there’s another interesting trend: several of the firms compromised by hackers didn’t have a functioning chief information security officer (CISO) at the time.
It’s no guarantee you won’t become the next breach headline in 2015, but having a full-time cybersecurity specialist role reporting directly to the board has become essential for any major organization that takes security seriously. For companies still lacking this position, it’s time to act now before 2015 turns into a year to forget.
Costly mistakes
The reality today is that we’re no longer facing a ragtag bunch of bedroom-bound hobbyists – cybercrime is organized, well resourced, and agile. The black hats know where our weakest points are and are more than ready and able to exploit any security gaps to steal our most sensitive data – whether it’s personally identifiable customer information or sensitive IP.
Many of the most successful breaches of the past year used relatively sophisticated targeted attack techniques to infect retailers’ POS systems with new “RAM scraper” malware variants like Soraya and Backoff. Frustratingly, many of these breaches were preventable.
Given the huge losses involved, organizations should be more focused on minimizing risk – with operations overseen by a dedicated CISO.
The most recent figures from the Ponemon Institute put the average cost of a data breach at $3.5m in 2014, 15% higher than the previous year. It’s not just the cost of potential industry or regulator fines, legal action, or even the expense of investigating and remediating the issue which firms must contend with. More worrying is the potential for negative headlines to force customers to switch to rival providers, and for this reputation hit to impact the share price.
Enter the CISO
In its report, Ponemon noted that having a CISO in charge is a vital preventative measure, alongside things like incident response and crisis management plans. CISOs can help identify where information security risk exists and articulate it to the board in terms they understand, so key investments are not left wanting.
It has been suggested that the lack of a CISO at retailer Target until recently led to just such a problem. That breach in 2013 is thought to have been one of the biggest ever in the sector, with over 40m card numbers and 70m customer records apparently exposed. The firm has appointed a CISO now, but at what cost?
Here are some other major organizations which had no CISO when they were breached:
- Surprisingly, JPMorgan Chase lacked a full-time CISO when hackers managed to access its systems, potentially exposing sensitive information from more than 76 million households and seven million small businesses.
- Sony only hired its first CISO in 2011 after a devastating attack which breached sensitive personal information on over 70 million PlayStation Network accounts. A more recent attack on it by the “Guardians of Peace” occurred during a changeover of CISOs, it has been reported.
- Heartland Payment Systems’ 2009 breach affected an estimated 100 million cards. Again, no CISO was in charge at the time.
- TJX’s 2007 breach, the largest of its kind at the time, compromised an estimated 94 million cards.