Being a cybersecurity professional is a heavy responsibility and demands an exceptional level of ethics and integrity. So, when the security software company Bitdefender released the results of its 2023 Cybersecurity Assessment, the findings shocked me (more than they probably should have). The statistics on data breach cover-ups were alarming.
CISOs’ Duty of Care
As a CISO or security manager, your job is possibly the most stressful and important position in your organization. You are tasked with keeping its most precious assets secure, namely its data, knowledge and information, and it is a job that does not take nights or weekends off.
Your team also has access to some of the most sensitive information and systems in your organization: they may be called on to release emails with sensitive or confidential content, investigate logs on behalf of HR, or threat-hunt across your systems, touching every corner of your architecture.
And as your digital ecosystem expands, so too does your duty of care to protect your company and stakeholders’ sensitive data.
Cybersecurity’s Data Breach Cover-Up Problem
Bitdefender surveyed 400 IT and security professionals working for businesses with more than 1,000 employees across various industries and countries, including France, Germany, Italy, Spain, the UK and the U.S. The objective? To take a deep dive into the cybersecurity challenges they are currently facing.
Top Rated Cyber Threats
The report found that the cyber threats these professionals are most concerned about are:
- Software vulnerabilities and/or zero-days (53%)
- Phishing and social engineering attacks (52%)
- Supply chain attacks (49%)
No surprise there. Hacking, social engineering and malware are among the leading actions behind confirmed breaches, according to Verizon’s 2022 Data Breach Investigations Report. So these are undoubtedly challenges to be concerned about.
Shocking Data Breach Cover-Up Stats
What astounded me when reading this report was that 42% of these IT professionals had been told not to disclose a security breach at their organization. That number jumps to 71% among U.S. respondents alone.
Not only that, but 30% of respondents kept a breach to themselves even though they knew it should be reported. Again, the figure jumps to 55% among U.S. respondents.
While the statistics related to hiding data breaches across the board were disheartening, one thing is glaringly clear:
Cybersecurity has a breach reporting problem.
Data Breaches = The Cost of Doing Business?
At more than a few security gatherings I have heard a phrase that goes something like, “You don’t want to end up on the front page of the New York Times.” I can understand the sentiment, but I think it is a black-and-white view of an issue that is very, very gray.
There seems to be this notion that if you’ve never had a data breach, you are acing this security thing…and if you have suffered a data breach, you are clearly inadequate and solely responsible for everything that went wrong.
But let’s get one thing straight: if your business uses technology to function in any way, then breaches and incidents are part of the cost of doing business.
Redefine Success for Cybersecurity Teams
Where we go wrong is in how we define what success looks like to a security team.
Part of this comes from a lack of understanding. Organizations with less mature security programs may not set expectations adequately and often do not grasp the urgency of improving their security posture.
This is exacerbated by the fact that cybersecurity as a profession is still new and undergoing growing pains, while at the same time being extremely visible to people who are not cybersecurity savvy. Breaches regularly make headlines, and the follow-up articles and fallout generate ongoing coverage, keeping your misfortune fresh in the minds of voracious readers.
Data Breaches — More Common than You Think
With cybersecurity being new, quickly changing and misunderstood, it is easier for us to think in all-or-nothing terms. The same Bitdefender report found:
- 52% have suffered a data breach over the last 12 months (75% in the U.S.).
- 55% of respondents were worried that their company could face legal action because of mismanaging a breach.
But there is a big difference between Uber’s former CSO being convicted in 2022 for concealing and mismanaging the company’s massive 2016 breach, and you doing your best with the resources available to you and still ending up in an unfortunate breach situation.
You can’t always control whether you get breached. But you can control how well you respond when it does happen.
Being Proactive and Transparent Are Key
It is nearly impossible to avoid cyber-attacks altogether, so you need to make sure your organization is prepared to manage incidents and breaches when they do occur.
To do this, you need a documented incident response plan that has been thoroughly tested through multiple tabletop exercises, so that everyone knows what to do to identify, contain and resolve incidents quickly.
Incident Response Plan Checklist
Your incident response plan should include or refer to:
- Roles and responsibilities, covering the security team, the wider organization and external parties where applicable.
- Playbooks for specific types of incidents, including ransomware, phishing and data breaches.
- Communication plans that are in line with your core values and include clear reporting procedures, internal communication guidelines, templated responses and a process for engaging with your stakeholders (including customers, and on social media).
- Crisis response training, a must-have for larger organizations and something even smaller businesses should consider.
- Notification requirements (who must be told, by when, and with what information) that have been thoroughly vetted by legal counsel.
- Information about the cyber insurance you carry, the cybersecurity firms you have business relationships with, and law enforcement contacts (and when to contact them).
6 Benefits of Planning for Data Breaches
Having a plan of action in place helps companies act swiftly in these situations, communicate transparently and take the appropriate steps to avoid legal and regulatory action.
This proactive and transparent approach positively impacts your organization on multiple levels:
- You’re actively complying with breach notification requirements for every U.S. state and the EU (all 50 U.S. states have a breach notification law, and the GDPR requires notifying the supervisory authority within 72 hours of becoming aware of a personal data breach), as well as other laws and federal regulations.
- You’re helping law enforcement and other organizations understand the prevalence of cyber-threat activity, reporting criminal activity appropriately and facilitating due process.
- You’re creating a healthy organizational culture where ethics, integrity and transparency are valued – and establishing trust with your leadership and within your teams.
- You’re fostering an environment where people take responsibility for their mistakes, learn from them and resolve them quickly to minimize their impact. This is far preferable to people being afraid to make mistakes and hiding them from your security team, which could cause more damage and put your business at risk.
- You’re reassuring your customers that you are holding yourself accountable for what happened and taking proactive steps to address the root cause of the breach. This helps you retain customer trust, even if your organization suffers more than one breach.
- And perhaps most importantly, you’re sending the message that being secure is more important than just appearing secure.
As cybersecurity continues to evolve and your organization innovates, grows and expands, you can play your part knowing that you’re doing it in a way that will earn the trust of your customers, partners and employees. And hopefully someday soon, we will see fewer inflammatory headlines about breaches and more reports that say they were breached…but they handled it well.
Get and Stay Ahead of Threats
With each new technological innovation come more threat actors looking for ways to exploit it, which means your attack surface is larger than ever before. And yet you need to keep innovating to stay relevant, which in many cases means implementing digital solutions and developing third-party relationships.
So, how can you ensure your organization stays secure?
You do this NOT by avoiding risk, but rather by…
- Understanding the possible risks that might impact you
- Being proactive to protect your organization, customers, partners and employees
- Seeing risk early so that you can confidently pursue strategies that are valuable to your customers and profitable and impactful for your organization
ZenGRC gives you the ability to see, understand and take action on your IT and cyber risks. With a unified, real-time view of risk and compliance, framed around your business priorities, you’ll have the contextual insight needed to communicate easily and clearly with key stakeholders and make smart, strategic decisions that protect your enterprise, systems and data, earning the trust of your customers, partners and employees.
Discover the power of ZenGRC! Schedule your FREE demo today.