The Capital One data breach detected on July 19, 2019, underscores the importance for employers and individuals to increase their cyber security efforts. According to Capital One, the breach resulted in the hacker gaining access to personal information related to credit card applications from 2005 to early 2019 for consumers, applicants and small businesses. Among the personal data exposed were names, addresses, dates of birth, credit scores, transaction data, Social Security numbers and linked bank account numbers. Capital One said it will contact by letter U.S. individuals whose Social Security numbers or linked bank account numbers were part of the hack.
Executives and board members have a duty to protect their organization’s important assets — which includes non-public company, client and employee data. Today, this duty goes beyond tangible items such as machinery, buildings and intellectual property stored in physical form. This duty reaches into the intangible form such as the type of information organizations store electronically.
The information organizations store electronically can range from sensitive to confidential and may be found when using resources such as:
Recent headlines focus blame for cyber attacks and data breaches far beyond human resources and IT departments. The blame and liability reach up to executives and even board members for not anticipating, preparing, planning for or preventing these attacks.
High-profile data breaches show no sign of slowing down. In the first quarter of 2019 alone, there were 281 reported data breaches exposing more than 4.53 billion records, according to Data Breach Reports from March 2019, by the Identity Theft Resource Center. A Ponemon Institute “mega breach” report shows that the drastic increase in cyber attacks and breaches is primarily attributed to more sensitive and confidential information and transactions being moved to the digital space and becoming vulnerable to attacks. The report goes on to suggest while organizations are allocating more resources to addressing cyber security risks after the mega breaches that occurred in 2013 and 2014, organizations are still not taking sufficient steps to ensure their information is properly managed to avoid future breaches.
For example, only 9% of organizations surveyed indicated they have invested in sensitive data management, and only 8% invested in sensitive data classification. Sensitive data management and classification are critical to reducing cyber risks. Critics of the 2015 Anthem breach attribute the problem to the company’s alleged failure to evaluate and encrypt its data while “at rest” – or simply being stored within its systems, despite having protections in place for data “in transit” (e.g. email or other electronic transfers). Critics (and the ensuing lawsuits) of the breaches at Capital One, Marriott, and Target are examples of how easy it is for others (experts and non-experts) to become “Monday-morning quarterbacks” after a cyber attack or breach.
Ponder this statistic: the average time between infiltration and detection is over 150 days. The Ponemon Institute’s mega breach report went on to find that the majority of companies it surveyed actually did not detect the breach for over two years. The report also indicates that in almost half of the cases (46%), the breach is discovered only by accident.
The mega breach report acknowledges executives are more concerned with cyber security and data breaches than ever before. However, despite the increased concern, the fact remains that more conversations need to take place around what organizations are doing to ensure the information they are creating, receiving, storing or transmitting electronically is being adequately protected. Conversations should also include what additional insurance coverages, such as cyber liability, companies should be considering.
There is little doubt that while business leaders may be concerned with the threat of a cyber attack or data breach, financial priorities for the allocation of resources may not align with investing in additional cyber protections or insurance coverages. Despite the varying opinions and high emotions, one thing remains a constant – if your organization houses non-public or confidential information on its systems, these conversations need to be happening. Leaders need to evaluate industry and regulatory guidelines, as well as the type of electronic information they manage and whether they want to run the risk of being the next headline. As a former FBI Director has said: “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
How safe is your organization? Take the Cyber Risk Scorecard survey to assess your current cybersecurity standing and find additional steps your organization can take to protect against common cyber threats. For more information, contact us.
Send a Message
Find a Location