Does the board level need to lawyer up about data breach protection?

This is written in the shadow of Ashley Madison, where personal profiles have been breached and there have been examples of public servants using their work email addresses for extra-curricular activities.

By definition, a data breach is the intentional or unintentional release of secure information to an untrusted environment. Other terms for this phenomenon include unintentional information disclosure, data leak and data spill.

So what is the enterprise position on this? How do you deal with it? Is it merely about protecting one's backside, or can you be more pragmatic?

How large is the problem?

You can see from the following graphic that there have been broad and extensive examples of data breaches. They range from hacks and accidental releases to insider leaks and stolen equipment.

There are so many examples that they don't actually fit into one screenshot. The names include large enterprises that have professional IT security organisations and a CISO. Most of these organisations are, I'm sure, larger than many of your own institutions.

The question is: if they cannot avoid this risk, then how can you?

Call in the Lawyers

It is interesting to consider whether the lawyers should be the first people to call. Most organisations need to first call their insurance broker and understand what cyber security policy coverage is included. For most organisations, there will be some degree of insurance protection in place. But I can guarantee that if you have a large breach (or a big bubble, as in the picture), then whatever coverage you have will be inadequate.

Yes, do call the lawyers. But by then it is all about damage control, as it is too late.

The key point is that the trend is for many of these data breaches to also include an element of current and future threat. It is impossible to know exactly when the danger has passed.

The Price of Hacked Information

Everything has a price. Here are a few examples to illustrate the extent of the problem. It is interesting to understand that the market for certain information is much more lucrative for the hackers. For more information, I suggest that you check out [1].

Yes, that's correct: there is a big payday for a DDoS on a gambling website, but only $1 to hack my webcam.

The True Cost

Unfortunately, the true cost of a data breach is ongoing. From my own personal experience, I have the fun experience of receiving a random email at least once every second month. The most recent was from a bank on the US East Coast for a customer satisfaction survey.

This all relates to a hacked email account from two years ago; there is a long tail on the inconvenience of this data loss. Since then I've applied for a micro loan in London, had a utility van serviced in the Midwest USA and now have a new bank account on the East Coast.

For every case, after I check that this is a real company and not a phishing site, I make contact and try to ensure that they are made aware of my identity theft. Of course, the funniest was the London loan: after I reported this to the financial institution, I asked whether they would share the details of the address etc. They declined, which is funny, as I thought I was the innocent party.

Regardless of which organisation you are and the measures that you take, it is impossible to guarantee that your organisation will not experience a data breach. You just have to hope that it is a minor one and not one that makes the headlines, thus becoming one of the bigger bubbles.

Stories by David Gee