Six Cybersecurity Questions for the C-Suite

Countless breaches of the past year demonstrate that C-suite executives and company directors must rethink their security.

Earlier this year, Equifax saw its share price drop by 13 per cent within a day of revealing a data breach while last year Yahoo suffered a $350 million cut in its sale price to Verizon after reporting data breaches affecting one billion accounts — a number that was later increased to all three billion accounts with critical information stolen, including names, email addresses, telephone numbers, encrypted or unencrypted security questions and answers, dates of birth, and hashed passwords.

The devastation of these incidents, alone, should grab the attention of executives and directors – but they are not alone. In a Centrify-commissioned study, The Impact of a Data Breach on Reputation and Share Value, Ponemon Institute examines 113 publicly-traded companies that lost an average share value of five per cent on the day that a material data breach was disclosed.

Ponemon found that the security posture adopted by the breached organization was affected by how quickly its share price recovered from that initial drop. Companies with what Ponemon describes as a high security posture which responded quickly to the breach event recovered their stock value after an average of just seven days, while companies with a low security posture that did not respond quickly experienced a stock price decline lasting on average more than 90 days.

The lessons are clear for both executives and directors: Cybersecurity must be a priority for the C-Suite as data breaches have a direct impact on an organization’s financial wellbeing. Business decision makers can start to understand the dimension of the cybersecurity challenge, and how to formulate appropriate solutions, by asking six simple questions.

What is the corporate impact of a data breach?

As well as the impact of a disclosed data breach on a public company’s value, the Ponemon study, reported that they scare off customers.

The study of thousands of consumers, IT and marketing professionals in the US, the UK and Australia identified that one third of consumers impacted by a data breach reported they had discontinued their relationship with the organization that experienced the breach.

So as well as being bad for investors, data breaches are bad for business.

Who is responsible for preventing data breaches?

If the answer is “our IT guys,” then you ought to feel nervous. Companies with a high security posture typically have a dedicated chief information security officer (CISO) as the senior-level executive responsible for ensuring that information assets and technologies are protected.

Are your passwords strong enough?

Regardless of what you are told, the answer is no: Passwords on their own, no matter how clever or how frequently changed, are never strong enough to deter a determined hacker — or a disgruntled employee.

Multi-factor authentication (MFA) — which mandates a second step to confirm your identity, such as a text-to-mobile verification code — provides much more robust protection for your data and deterrence to intruders.

What happens when your IT security is breached?

Working on the assumption of “when” not “if” provides a much more realistic and practical position towards today’s technology threat environment. A strategy to contain the damage will pay for itself many times over.

Organizations need to reduce their “attack surface” by tightly managing lateral access through privileged access management — ensuring that users have access only to the privileges, systems and data required to do their jobs — using systems such as Centrify’s just-in-time privilege, audit trail and compliance reporting capabilities.

What happens to security credentials when someone leaves your company?

Organizations require a centrally managed console from which security staff can push apps to each new employee based on their role, monitor that app access, provide single sign-on (SSO) to multiple applications and manage the devices used to access those systems.

This means you can revoke all that access as soon as an employee leaves. This functionality not only makes your on-boarding process more efficient — it makes staff departures much more secure.

Is your organization equipped for mandatory data breach reporting?

With such laws appearing in jurisdictions around the world, organizations need systems that can identify and respond to data breaches quickly and effectively to meet their legal obligations.

Answering these six questions are a good start to preparing for the worst. As Ponemon shows, companies with a high security posture that respond quickly to a data breach see their stock value recover after an average of just seven days.

If the worst does happen, then proactive investment in cybersecurity is your best protection.

Learn how to rethink your security with our e-book, “Rethink Security: A Massive Paradigm Shift in the Age of Access.”