Cybersecurity Starts at the Top

Data breaches might feel like a fact of modern life, but they are an artifact of modern indifference. Companies, regardless of size or sector, need to recognize their responsibility, inescapable in today's technology-based economy, to be supremely vigilant and pro-active about securing their data and systems.

LONDON – Every time a major corporate cybersecurity breach occurs, the response looks pretty much the same: cry “havoc!” and call in the cyber first responders to close the breach. But by the time an executive or two stands before a few government committees, proffering some explanation and pledging to beef up security protocols, people – including the hackers – have largely moved on. And with each breach, the cycle accelerates: people either dismiss the threat – it probably won’t happen to them – or accept it as an unavoidable pitfall of modern life.

The truth is that the threat posed by cybersecurity breaches is both acute and avoidable. The key to mitigating it is to understand that cybersecurity isn’t simply a technology issue; it is also an urgent strategic issue that should be at the top of the agenda for every board and management team. After all, from Yahoo! to Equifax, data breaches have often been rooted in internal forces of human error, carelessness, or even maliciousness.

Already, the scale and speed of attacks are massive. It has now emerged that the 2013 Yahoo! data breach affected all three billion accounts. In May, the WannaCry ransomworm attack affected dozens of the UK’s National Health Service trusts, and spread globally at lightning speed.

The recently revealed Equifax data breach – which occurred during two months when the company had a patch to a known security vulnerability, but hadn’t applied it – gave the hackers access to 145.5 million consumers’ personal and sensitive data. According to testimony provided by now-former Equifax CEO Richard F. Smith to the US Congress, the breach reflected the negligence of one individual in the IT department.

The risks are only growing. The United Kingdom’s National Cybersecurity Centre, founded last year, has already responded to nearly 600 significant incidents. The department’s director recently predicted that our first “category one cyber-incident” would occur in the next few years.

One problem is that many organizations simply don’t have cybersecurity on their radar. They believe they are too small to be a target, or that such breaches are limited to the tech and finance sectors. But, just recently, the US fast-food chain Sonic – not exactly a tech giant – revealed that a malware attack on some of its drive-in outlets may have allowed hackers to secure customers’ credit card information.

The fact is that many types of companies use, if not depend on, technology. And they collect many types of data, about everything from customers and employees to distribution systems and transactions. Consumers often don’t comprehend the extent of companies’ data collection, failing to understand even the basics of the “cookies” being used when they surf the web. According to a March 2017 report by the Pew Research Center, many Americans, for example, “are unclear about some key cybersecurity topics, terms, and concepts.”

Of course, consumers must be informed and vigilant about their own data. But even those who are informed and vigilant find that if they want to engage fully in modern life, they have little choice but to hand over personal data to organizations in both the private and public sectors, from utility and finance companies to hospitals and tax authorities.

With automation, this trend will only accelerate, with people counting on technology to do everything from ordering groceries to turning on the lights and even locking the doors. The power this gives to the likes of Google and Amazon, not to mention an ever-growing array of startups, is obvious. What is not obvious is that consumers can rely on companies’ knowledge and duty of care to protect the information they collect.

No company can afford a laissez-faire attitude about cybersecurity. Yet even tech companies took some time to recognize the extent of their technical responsibilities, including the need for a C-level executive to manage their technology needs. Not long ago, such companies often maintained a “helpdesk” mindset: just make sure people could use the product and have someone to call if something went wrong.

But, with data breaches proliferating, often with business-critical consequences, there is no excuse for such inertia. Such breaches can cripple companies both operationally and financially, owing to the direct theft of funds or intellectual property and the cost of plugging the security hole or paying punitive fines. They can also diminish a company’s reputation and credibility among investors, business partners, and communities, even in cases when the breach is minor and doesn’t compromise sensitive information.

While board members do not all have to be technology experts, they do need to keep up with the state of their company’s technology, including how well secured it is. A board’s risk committee can conduct in-depth reviews. But regular status updates to the full board, like those for other crucial issues affecting the business, are also needed.

In today’s world, no organization – public or private, commercial or non-profit – has an excuse not to be supremely vigilant and pro-active about securing their data and systems. It is not enough to meet legal requirements, which don’t keep up with technological change. Instead, those requirements should be viewed as a starting point for a much more robust, closely monitored, and effectively adapted system that truly protects the data on which our societies and economies increasingly depend.

Data breaches are not a fact of modern life. They are an artifact of modern indifference.
