State of the Union: businesses must apologize – fast!
Jan 19, 2015
Executive General Manager – leading growth in international B2B services & technology
Tuesday’s State of the Union will push for new regulations on all businesses with customers or staff in America.
Obama will demand that every company owns up promptly after a significant data breach.
Surely that is reasonable? Surely we owe consumers a swift notification and apology if we fail to protect the data they entrust to us. But what if recent data breaches are just a taste of what’s to come?
Consider: 96% of businesses were successfully hacked during a 6-month survey of over 1200 organisations. But as documented in this report by Experian, less than half of typical organisations were even aware of a data security incident last year. Of the breaches they do become aware of, companies identify less than a third themselves: customers, suppliers or the media tell companies they have been breached! Most breaches take over 3 months to identify. Then it takes the average business 31 days plus $639k to contain a successful breach, according to Ponemon.
Sony is a good example of how companies don’t realize they’ve been hacked. Sony learnt it was breached, on Monday 24th November, when the hackers posted this message on every employee’s computer.
Sony could not keep that breach secret, as it had done when Sony was breached in Brazil and Germany just months before. “After some discussion about the fact that Brazil didn’t have a breach notification law, Sony decided not to notify individuals or go public about that attack.”
Sony’s breach was big news for several weeks, but the breach itself didn’t put a huge number of individuals at risk. Click the graphic to see recent breaches that exposed larger volumes of sensitive personal data.
There will be bigger breaches than Sony’s in 2015, so governments will need to “do something.” Politicians are already tempted to dump blame for cyber threats onto business. For example, Prime Minister Cameron was ridiculed last week for crazy plans to stop companies using encryption. At the same time, some regulators are using apocalyptic language to describe the need for companies to protect themselves from hackers. Politicians will be tying themselves in knots, trying to square a circle in cyberspace: they must tell companies to guard consumer data, but want backdoors kept open for their security services.
So, expect further regulations around the world. For example, the European Union is close to adopting rules to give sharper teeth to Regulators in all 28 EU countries. The draft EU Data Protection Regulation:
- Requires companies to notify individuals of a significant breach (amazingly, most European companies aren’t required to do that under existing legislation). So your clients, staff, competitors and the media can’t be kept ignorant of future data breaches.
- Penalises at up to 5% of global revenue, for failure to mitigate the risk of a breach and to minimise the harm then caused. (By comparison, UK legislation allows a maximum fine of £500,000. Only 3 organisations have been fined £200k or more in the last 2 years: Sony, NHS Surrey, and a charity, BPAS.)
And expect that more executives will be fired for failing to prevent and mitigate the impact of a data breach. Have a look at this list of 9 data breaches that cost someone their job.
To demand that your IT Director guarantees you won’t be breached is a natural reaction. It is also unreasonable. For example, the organisation that runs the Internet, ICANN, is famous among geeks for the emphasis it puts on security. ICANN actually distributes keys to the Internet to 7 individuals around the world. But even ICANN was hacked in December 2014.
So, what should chief executives do? They can’t stop keeping sensitive data: it’s the fuel, compass and cargo of many modern businesses. They need to “Plan for the best, prepare for the worst.” To elaborate:
- Plan for the best: make prudent investments to minimise the risk that you will suffer a serious breach. Small & medium sized companies can start with the “Cyber Essentials”. Larger companies should be working to comply with standards like the ISO 27000 series.
- Prepare for the worst: you can start by simply asking your Executive team, “What would we do in the first hours after a significant data breach?” Real preparation will then involve buying the Cyber Insurance that the UK Government is pushing for, and identifying the companies you’ll then pay to help you respond. The CREST-approved companies are a good place to start.