Want to Keep Your Job, Mr. CEO? You’d Better Take Data Security Seriously

Nearly every week during the past few years has featured a headline about the latest data breach, malware attack, ransomware demand, or unrecoverable corporate data loss. Those stories are frequently followed by news that the CEOs at those high-profile companies were forced to resign.

Security concerns have become a critical business problem, yet they are still handled as a technical problem – mainly by IT departments. Thankfully, many organizations have started bringing together IT executives and non-IT leadership together to reshape their approach towards security concerns.

CEOs need to know what they should worry about when it comes to protecting the company’s data against cybercriminals and malware – and there are plenty of high-profile examples they can learn from.

When Equifax, one of the top three credit-reporting agencies in the U.S., reported a cybersecurity breach in September 2017, it revealed that 143 million accounts had been exposed – including names, birthdates, social security numbers, addresses, and driver’s license numbers.  

News agencies marked the Equifax breach as the consumer data security breach of the decade. The CEO, CIO, and CISO all immediately stepped down, and former Equifax CEO Mark Begor is currently being questioned by the U.S. Senate about private sector data breaches.

Begor said that in 2018, there were more than 1,200 data breaches against U.S. corporations, which showed that companies of all types were falling victim to these crimes.

“These attacks are no longer just a hacker in the basement attempting to penetrate a company’s security perimeter, but instead are carried out by increasingly sophisticated criminal rings or, even more challenging, well-funded nation-state actors or military arms of nation-states,” he said.

The company also planned to spend $1.25 billion more between 2018 and 2020 on security and information technology as a result of the incident.

Some four years earlier, U.S. giant retailer Target underwent massive data hack that compromised a tremendous amount of customer information, including more than 40 million credit cards numbers, and the addresses, phone numbers, and other personal information of 70 million customers. The company was left with more than $1 billion in breach-related costs.

After the attack became public in December 2013, Target’s reputation took a hit. Its comparable-store sales in the U.S. fell 2.5 percent in the fourth quarter.

Other companies will face pressure to hold executives accountable for their handling of data breaches.

‘‘It sends a very loud and clear message that nobody is indispensable, and CEOs have to mind the store in every respect,’’ said Howard Gross, at Boyden Global Executive Search in New York. ‘‘After something like this, a lot more CEOs will be taking a hard look at their security.’’

The data breach was the last straw for Target’s directors, who replaced Steinhafel as chairman and CEO. He had been at the chain for 35 years.

The Uber data security breach from three years ago hit the headlines again in September 2018, when the company agreed to pay $148 million in settlements across 50 states in the U.S.

That data breach, which affected 50 million passengers and 7 million drivers in 2016, was covered up by the company, which did not report the incident until a year later. At the time, then-CEO Travis Kalanick and his senior leadership of the privately held peer-to-peer ridesharing company decided to pay hackers $100,000 – hiding the evidence and burying the data breach.

The fact data was compromised was only disclosed in November 2017, after the new CEO Dara Khosrowshahi took the wheel of the ride-hailing giant and ordered an internal investigation of the breach. As a result of the investigation, Khosrowshahi fired chief security officer Joe Sullivan and Craig Clark, a senior lawyer who reported to Sullivan.

Uber's investigation determined that no customer or driver data had actually been abused by the hackers.

In December 2014, Sony Pictures revealed that cybercriminals leaked employee information, personal emails from then-CEO Amy Pascal, and details of several upcoming film releases. The attack also meant Sony’s critical systems were taken offline and were not restored for two months.

"Most of SPE’s financial and accounting applications and many other critical information technology applications will not be functional," Sony wrote in the filing. That's because the breach caused a serious "amount of destruction and disruption," and the company is trying to "avoid further damage by prematurely restarting functions."

The reputational damage to the studio was greater than the financial one – which was still significant. After taking into account its insurance policies, the hack cost Sony $15 million.

Given the quickly evolving and multi-layer threats to corporate data, it is likely that every company will be targeted at some point. In fact, with ransomware estimated to attack a business every 14 seconds during 2019, for example, it’s a safe bet to say your turn under the media microscope may be coming.

Establishing a reputation for cyber leadership – showing an active interest in making data protection and cybersecurity a business priority – is the best way a C-level executive can hold onto their job following a data loss incident.

You can start by asking your IT staff a few questions to ensure they’re following best practices:

• Are they using the most enhanced encryption to ensure the privacy of company and customer data?
• Is there a disaster recovery plan in place that can get your business running again within minutes?
• Is the data protection solution they use enhanced with integrated anti-ransomware and cybersecurity technologies?
• Are all of your files, apps, and systems backed up, with one copy safely secured off-site?
• Does the IT team have a way to undeniably certify that files are authentic and unchanged?