By Deryck Mitchelson, Field CISO EMEA, Check Point Software Technologies.
I am agitated by the number of breaches that are taking place. As a CISO, I have never seen so many breaches, ever in my life. In quarter three of this year, roughly 110 million records were breached – and that was quarter three alone. Data breaches are exposing the private, sensitive information of millions of people, potentially subjecting them to identity theft, financial fraud, and stalking, which needless to say, endangers physical welfare.
For me, it feels as though we are growing numb to all of this. We feel as though this is part of the new normal – that data breaches are inevitable and acceptable. What we’re forgetting is that on the back of these breaches, it’s your data, it’s my data that is being compromised.
How much data needs to be breached before people stand up and say ‘that is enough’?
***
Right now, in Australia, people are being forced to reapply for passports and drivers’ licenses due to a recent data breach.
Companies should be asking themselves, ‘Are we working strategically and properly, at the C-level and with security partners to ensure that we are achieving the level of prevention that we perceive ourselves to have? Have we ensured that all cyber security configurations and settings are switched on so that we are as protected as we can be?’
Companies should be asking their vendors, ‘What more can we do to ensure that we avoid scenarios similar to the one playing out in Australia? How can we improve management of our security investment? Are we getting the right level of threat intelligence? Are we seeing false positives? Is this integrated effectively with the rest of our stack? Is this supporting our larger strategy as we move forward?’
I don’t think that these conversations are happening. Most companies aren’t strategically engaged around security at a high-level. Instead, here’s what we’re seeing…
***
Upon experiencing breaches, companies deploy strategic PR campaigns that deliberately manipulate public perception. The messages start with a simple ‘we can’t confirm whether or not there’s been a breach’. A few days later, campaign managers come out and say ‘It looks like there has been a cyber incident, but it appears minimal, and we believe that no customer data has been accessed’.
Shortly thereafter, they return with a line around how ‘Some limited quantity of customer data has been accessed’. Later, they say ‘There’s been quite a lot of customer data breached, but there hasn’t been any financial data released’.
Eventually, they get to the heart of it by admitting, ‘There’s been X number of million records breached and hackers have actually obtained access to financial data, and national insurance numbers (or similarly valuable information)’.
As PR teams publish press releases, the consumers’ voice and the consumers’ experience seems to be excluded from the conversation. They feel forgotten. At the end of the day, consumers are seriously affected by these breaches. It’s just not good enough when companies issue empty apologies. “Sorry” means nothing to consumers who have to obtain new passports, new phone numbers or new national identity numbers.
We shouldn’t be in a world where data is treated in such a way and where consumers are treated that way.
***
I believe that we have reached a tipping point. Globally, businesses stand to lose $4.7 trillion in consumer spending due to poor consumer experiences. More than 40% of UK customers report that they will forever stop spending money with a business that has experienced a data breach. It’s easy to ignore customers, but it’s nearly impossible to win them back.
Companies need to get their heads out of the sand and take responsibility for what they’re doing, how they’re managing consumer data, and the real impact that poor data management is having on consumers. Again, an apology isn’t adequate. Prevention is the answer.
In addition to prevention, it feels that now is the time for companies to step forward and fully prioritize an ethical and transparent approach to data protection, one where we put consumers first. Perhaps companies should be forced to advertise a link to all breaches including the size and impact. Something that helps consumer decide if they engage or not. After all, putting consumers (and corresponding data) first is the secret to corporate longevity and growth.
For more insights from Check Point’s Field CISO EMEA, Deryck Mitchelson, see CyberTalk’s past coverage. Lastly, to receive cutting-edge cyber security news, exclusive interviews, more expert analyses and leading security resources, please sign up for the CyberTalk.org newsletter.