We see more and more breaches being reported in the media – not only here at Naked Security, but also in the mainstream press.
That’s not a bad thing – the increased awareness of breaches among the general public may just focus people’s minds on why it is so important to be aware of the level of information they are sharing with companies, and the way in which that data is secured.
Now, as reported this week by IT Pro Portal, the number of executives falling on their swords in the wake of a breach is up.
While I suspect there may have been many post-breach executive casualties, two high-profile examples are given.
The first – Gregg Steinhafel, CEO of Target – felt compelled to walk six months after we learned how the retailer had 110 million records stolen by hackers in December 2013.
And the second – Katherine Archuleta, the former head of the US Office of Personnel Management – resigned after a massive hack which left millions of federal employees’ records compromised.
It could be argued that both Steinhafel and Archuleta were unfortunate victims carrying the can for a number of failings which they couldn’t reasonably be expected to control in their entirety.
But there is of course a counter argument to be made – namely, that their position as senior executives mandated that they were responsible for the entire security function, a fact that was undoubtedly key in their decision to walk.
And, as IT Pro Portal says, what other option did they have?
Once a breach has been discovered, the damage is already done. What’s left is a game of musical chairs with the loser left standing, holding the blame.
As boards wake up to the reality of what happened they quickly realise the potential reputational and financial costs, possible regulatory implications and maybe even the threat of claims of individual negligence. At this point I can well imagine a game of pass the parcel ensuing, with no-one wanting to win.
While incident response plans kick in after a breach, the board will likely look to see if all reasonable security precautions had been taken.
Such precautions are not as simple as they once were – installing the latest patches and ensuring the corporate anti-virus software is up to date is no longer all you need in the light of the growing and ever-more sophisticated attacks faced by businesses.
Thus, executives are responsible for ever increasing security budgets and evolving defense systems that are becoming more and more complex.
And even that may not be enough – in the UK the Information Commissioner’s Office (ICO) recently disclosed how 93% of 459 breaches in Q4 of 2014-2015 were caused by a human element, either deliberately or, far more often, inadvertently.
This shows how even the best laid plans can be undone by the unexpected actions of staff who are either lacking in security training or awareness, or who are susceptible to social engineering – a prime example being the unfortunate tale of Thomas Meeston, CFO at Fortelus Capital Management, who lost his job and is being sued by the fund after being duped by a Friday evening phone call which cost the firm $1.2m.
So, what are executives to do at a time when criminals are increasingly understanding the value of databases and the personal and financial information stored within them?
A “We take security seriously” statement after the event doesn’t cut it with a public who would much prefer their data didn’t find itself on the dark web in the first place.
Instead, executives need to realise that the security parcel does end up in their hands – whether they like it or not – and plan and provision accordingly.
Image of vacant chair courtesy of Shutterstock.
Chris Froman
I thought the primary reason for Gregg Steinhafel’s firing was because of the disastrous launch of Target Canada, which cost Target far far more money then the data breach ever did.
Professor William J (Bill) Caelli, AO
Well – well – from the above….”This shows how even the best laid plans can be undone by the unexpected actions of staff who are either lacking in security training or awareness, or who are susceptible to social engineering..”
NO – NO – NO!!! STOP!!
This shows that the computer systems in use were not suitable for the purpose for which they were or are being used! Remember – 30 years ago – in the final version of the “Orange Book” of December 1985 – the “B2” level of assurance clearly defined a philosophy whereby the OS and all supporting systems were to be made tolerant of mistakes – inadvertent or deliberate. FULL tagging and mandatory policy control ( enabling all processes and data to be given a “profile” that is enforced under a “mandatory access control scheme” or “MAC” – NOT a “discretionary access control scheme” or “DAC” that belonged to the 1960s/70’s mainframe environment and switched circuit connection of dumb terminals) should be there now – and IT CAN BE!. “C2” is obsolete and pointless in the global Internet age.
NO – NO – NO again!
It really is beyond time for politicians, policy advisors, managers and the media alike to STOP BLAMING THE USER/VICTIM and really start blaming the industry itself. AND getting serious about it! Can you imagine a car industry where brakes are the responsibility of the purchaser?
We are capable of producing verified, properly controlled systems that tolerate practically all those human problems mentioned.
Remember Roger Schell’s GEMSOS.
Note the “Common Criteria” and its general purpose OS specs,
Note SELinux (in RedHat RHEL 6 and on),
Remember “Trusted SOLARIS” from SUN and
Remember even Trusted XENIX from TIS and – wait for it – Microsoft (yes, that early supplier of an Intel x86 migrated UNIX system) and so on.
It’s time to stop the blame game and get the industry to fix its products and services. As Bruce Schneier has said – the cybersecurity product/system industry – an industry that “simply should not exist”. BUT – it has become/is becoming a multi-billion pound game simply because governments worldwide have NOT lived up to their responsibility to safeguard their citizens and their nations in the cyberspace age through proper safety and security regulation of the ICT industry itself, like that which exists for practically ALL other industries, from pharmaceuticals, to air services, to car manufacture and sales and on….
Big Maq
Cannot really disagree with “We are capable of producing verified, properly controlled systems that tolerate practically all those human problems mentioned”. But, is regulation really the answer.
Consider this, the software / hardware industry creates / builds what the “market” demands, and the demand for secure systems has lagged the demand for other characteristics like performance, and ease of use.
Blame DOES rest with those who have a responsibility to protect their own systems and data. There is a difference between the lone consumer (who, perhaps, lacks the understanding) and the head of a large organisation (e.g. Target, US OPM) that has the resources to do something about it, and should be (or have staff who are) knowledgeable in this realm.
Encountered too many in Fortune 500 and Government who lack concern about security matters.
Regulation would likely become very prescriptive on solution(s) and lack the flexibility required to address what is a very dynamic problem.
How many times have we heard, after some disaster, that “We’ve complied with all the government regulations!”?
No. Public sackings is likely the most effective way to get attention on this. No doubt, there will be more coming.
Mark K. FSO-SIAO CISSP
First Professor, Bravo! You hit the nail on the head. I have been a security professional for over 30 years. I was charged with hardening systems for the C2 orange book, the DCID 6/3, DIACAP, PCI-DSS and NIST. BLUF, anytime we proposed any type of secure operating system (such as the ones above), the end user’s response was that it was “Too hard and made their pee-pee’s hurt”. This opened the door for Microsoft and its “ease of use” OS and applications into the federal arena, and the rest is history. Nothing will stop Losers (users) from making idiot mistakes, but if you build security in from the ground up using DAC and secure processes, you make it hard for both the Loser and the hacker to access you sensitive data.
roy jones jr
Well I suppose using the movie quote will work here as well
“If we cower in fear at the first sign of danger, maybe we should have someone oversee us.”
And these Executive Officers apparently were lazy and or reacted in fear to these network issues. You don’t have to resign or “feel compelled” to leave if you were doing what you supposed to be doing.