Security breaches are the stuff of nightmares for most corporate executives. The numbers continue to rise: There were a record 1,579 such breaches in the United States last year alone, a 44.7 percent increase over 2016--and the cost to organizations also is increasing. According to a study by the Ponemon Institute and IBM Security, the typical data breach costs a company $3.86 million, up 6.4 percent from the previous year. In addition, the cost of mega-breaches, where 1 million to 50 million records are stolen, can hit as high as $350 million, according to IBM Security. Such breaches also get a lot of attention, as companies like Equifax and Verizon can attest. The costs to a company can range from lost business to damage to the company’s reputation to the amount of time employees spend addressing the breach. Another cost of data breaches: jobs.
Researchers from Kaspersky Lab are finding that people in the victim organizations are losing their jobs. Increasingly--particularly in North America--C-suite executives are among those being shown the door in the wake of attacks. In the security firm’s newly released report “From Data Boom to Data Doom: The Risks and Rewards of Protecting Personal Data,” the researchers found that in almost a third of cases worldwide involving security breaches, people lost their jobs as part of the response.
The firings weren’t confined to employees in IT departments. Senior non-IT employees were among those held responsible in the wake of data breaches. Such employees were laid off in 27 percent of cases involving enterprises with more than 1,000 employees and in 29 percent of cases involving small and midsize businesses, with between 50 and 999 employees.
The report was based on responses from 5,878 interviews with businesses of all sizes in 29 countries.
The trend in higher-level non-technical executives losing their jobs is an indication not only of the growing costs involved with security breaches, but also the growing frustration among customers whose personal data is being exposed, according to Rob Cataldo, vice president of enterprise for Kaspersky Lab North America. Researchers also noted that the widening impact on job security should be a consideration when discussing security budgets.
“This report serves as a reminder that cybersecurity has real-life implications and is, in fact, everyone’s concern,” Cataldo said in an email to ITPro Today. “You can’t pinpoint the IT department and solely blame them for the cause of a data breach. Today, cybersecurity should be a priority and responsibility for everyone in the organization, from the C-suite, to third party contractors, interns and beyond.”
He noted that the security firm tracked only the consequences of C-suite level job loss during the past year, but added that “this is a continuous, increasing trend over the past few years as more large-scale data breaches have made headlines. In 2017, a wide variety of staff were let go from large-scale global companies as a result of data breaches--from CEOs to everyday employees who exposed the company customer data.”
The data protection challenges facing companies are growing rapidly. The trend of companies migrating to the cloud is an example. According to Kaspersky, 20 percent of sensitive customer and corporate data lives outside of the corporate perimeter. Cataldo said this makes data even more difficult to control because “when a data breach occurs, it’s difficult to place the blame on specific staff, but it is one of the major consequences we are seeing over the past year.”
In addition, more data is being moved around through mobile devices, the Internet of Things (IoT) continues to grow, and regulators around the world are putting greater emphasis on how data is stored, processed and protected. The European Union’s General Data Protection Regulation (GDPR) is the most significant example.
Not surprisingly, the larger the data breach, the more publicity it gets. This, in turn, means a higher probability that someone will be held responsible for the situation, which could include being fired. Still, there are numerous examples of employees being fired from small businesses that suffered financial loss or reputational damage in breaches that were less publicized.
“The general pattern is that despite the ever-increasing complexity and financial motivations of cyber-criminals, as the cybersecurity industry matures, the general public--and especially those impacted by sizable breaches--are less tolerant to these occurrences and, despite best efforts in many cases, security leaders are logical targets for placing blame,” Cataldo said.
The threat of security breaches is widespread. According to Kaspersky, almost every company collects and stores personal data of some sort, whether it's information about their employees – which 86 percent of companies do – or customers (88 percent), and almost a third find themselves with data that falls under the GDPR.
Almost three-quarters of companies surveyed believe they know how to manage data protection and compliance, though 46 percent of large businesses and 42 percent of SMBs globally were victims of data breaches over the past year, the researchers said.
Cataldo was asked whether spreading responsibility for security breaches more widely, together with the threat of job loss, might make employees increasingly reluctant to report an incident. That reluctance was already there, he said. Kaspersky in 2017 found that employees hide IT security incidents in 40 percent of businesses around the globe to avoid punishment.
“In some cases, companies introduce strict but unclear cybersecurity policies and put too much pressure on staff, warning them not to do this, or that or they will be held responsible if something goes wrong,” he said. “Such policies foster fears and leave employees with only one option--to avoid punishment, whatever it takes. If your cybersecurity culture is positive, based on an educational approach instead of a restrictive one, from the top down, the results will be telling.”
Cataldo also said that security professionals will continue to find and try to stop threats quickly, despite the threat of job loss. He said that to encourage the timely disclosure of problems, “organizations should focus on recognition and reward for early discovery and cost mitigation, rather than punishment for failure to prevent. With the right training and tools in place, cyber teams can find threats more quickly and minimize data exfiltration or other bad outcomes.”