
CEOs should be fined for firms’ security failings, suggests report

A UK parliamentary report suggests that "plain vanilla" vulnerabilities like SQL injection could factor into slashed pay.

A UK parliamentary report suggests that vulnerabilities like SQL injection, or a history of not addressing breaches, could factor into slashed pay.

Security heads sick and tired of trying to get their bosses to spend money on cyber defense are going to love this: a UK parliamentary report suggests tying CEO pay to cybersecurity performance.

#SecurityFail? #StickItToTheCEO!

Or, to put it more precisely, fines should go up when a firm’s got a history of breaches and doesn’t properly clean up after.

Likewise if the breach is a “plain vanilla” attack, such as SQL injection, the report suggests.

The ICO [Information Commissioner’s Office] should introduce a series of escalating fines, based on the lack of attention to threats and vulnerabilities which have led to previous breaches. A data breach facilitated by a ‘plain vanilla’ SQL attack, for example, or continued vulnerabilities and repeated attacks, could thus trigger a significant fine.

Ahh, yes, SQL injection: a web attack that crawled from the same primordial soup as the web itself, and one that’s as long-lived as a zombie, introduced again and again by apps getting rushed to the web without proper code security checks, as noted in a recent report from Akamai that found SQL injection is still glued to the top as the No. 1 web app attack.

As Naked Security’s Mark Stockley has noted, SQL injection attacks can be …

…killed stone dead by the simple expedient of using parameterised database queries – but only if you have the discipline to use them everywhere, all the time.

…yet still we get breaches like TalkTalk: one that some have attributed to hackers exploiting a SQL flaw following a distributed denial of service (DDoS) attack in late 2015.

The incident cost the company £60m ($88m). TalkTalk later appointed PwC to investigate the breach, leading TalkTalk CEO Dido Harding to admit that the company “underestimated” cybersecurity.

The government’s report comes from the UK’s Culture, Media and Sport Committee.

TalkTalk CEO, Dido Harding, accepted accountability during oral evidence in the wake of the breach. The parliamentary report quoted her:

…line responsibility for keeping our customers’ data safe is split across a number of teams, so the accountability for security policies, the accountability for security audit, the accountability for security best practice, knowledge and dissemination within the organisation sits with the security function. The implementation of systems and processes that comply with those policies sits with my technology function. The implementation of the human elements of security—safe passwords, usage, complying with call centre policies—sits within my operations function. So it is impossible in a telecoms company to say that security only sits with the director of security.

Not to let others off the hook, mind you. The report suggests that a company’s CIO or security head should be responsible for day-to-day security operations, and that the CEO should lead crisis response to major attacks.

But at the end of the day, the buck’s got to stop at the chief’s desk. From the report:

Cyber security should sit with someone able to take full day-to-day responsibility, with Board oversight, and who can be fully sanctioned if the company has not taken sufficient steps to protect itself from a cyber-attack. To ensure this issue receives sufficient CEO attention before a crisis strikes, a portion of CEO compensation should be linked to effective cyber security, in a way to be decided by the Board.

Currently, the ICO can only fine a firm £1,000 ($1,460) for delaying the disclosure of a breach. As it is, the ICO has handed out fines following SQL attacks on three occasions. Even these small fines “should have served as a warning to others, including TalkTalk,” the report says.

SQL attacks are so common, it’s not a question of “if,” the report notes; it’s a question of “when.”

The report references input from The Institute of Chartered Accountants in England and Wales, which argued that businesses have to see security breaches as “an inevitable part of being in a digital economy.”

Hence, board members should be ready to publicly lead businesses’ responses to breaches, the institute said, though it’s “unclear how many board members would be comfortable taking on such a role today.”

ZDNet quotes Jesse Norman MP, chairman of the Culture, Media and Sport Committee:

Companies must have robust strategies and processes in place, backed by adequate resources and clear lines of accountability, to stay one step ahead in a sophisticated and rapidly evolving environment.

Failure to prepare for or learn from cyberattacks, and failure to inform and protect consumers, must draw sanctions serious enough to act as a real incentive and deterrent.

As the TalkTalk case shows, the reality is that cyberattacks are a constant, evolving threat. TalkTalk responded quickly and well to this attack, but appears to have been much less effective in the past, failing to learn from repeated breaches of different kinds.

They should now publish as much of the [PriceWaterhouseCoopers] investigation as commercially possible without delay, and set out exactly how they will implement any necessary changes.

3 Comments

This should also happen in Brazil, so many CEOs who ignore information technology would give more value to this area, as they give to the others in their companies and government departments. Certainly I would no longer be seen as a sector that generates costs and would be much more seen as a strategic area for the business. The big problem is not incorporating technology strategy into the business, but changing the culture of the people.


I agree with this 1000%. The CEO is the one who gets all of the glory when business is great, how about they get the blame when they go cheap on IT and have to pay? That’s the best way to get companies to take security seriously. Businesses all depend on computers now, don’t be cheap.


I’ve been saying it for a decade: CSOs should report to the CEO, not the CFO. In most companies, the CIO reports through the CFO. The CSO either reports to the CIO (and then the CFO) or directly to the CFO.
Security costs money, and there’s no direct, tangible effect on the bottom line. So, the CFO has a vested interest in NOT paying for security. Until, of course, a breach occurs. Then the CFO is usually silent, even though frequently the directly culpable executive.
Only the CEO can make those kinds of decisions adequately. Therefore, my mantra: the CSO should report to the CEO.
