We’re seeing a data security crisis unfolding. The response from business executives? Don’t know, don’t care.
As the fines and class action lawsuits continue to stack up against Marriott Hotels, you might think that this story alone serves as a wake-up call for executives to begin treating data security seriously. However, according to some new studies on the subject, that isn’t the case.
According to the New York Post, business executives either don’t know much about data breaches or simply do not care. From the report:
Many American business big shots are clueless.
They don’t understand how customers and employees now view data breaches.
That is the conclusion reached by several studies, including one from Shred-it, an information security company.
American businesses are ignoring “the serious impact any data breach can have on their reputations and bottom line,” according to the latest Shred-it report.
Shred-it, which interviewed 100 corporate executives, 1,000 small business owners and 2,000 members of the general public, said business relationships can be fragile.
The report goes on to detail how consumers are increasingly of a different mindset here. More and more people not only feel that their information is not secure, but also feel that not every data breach is publicly disclosed.
The study complements another one conducted back in 2018 which further highlights what may really be going on behind the scenes between the IT team and the C-suite. In a report on Datex, there is an increasing sentiment amongst staffers that the C-suite does bear some responsibility for a data breach. From the report at the time:
While it might ruffle some feathers, the reality is that in today’s digital world, “checking the box” with cybersecurity just doesn’t cut it when it comes to protecting sensitive data, which is why the entire C-suite bears some responsibility in a data breach.
Many companies push the cybersecurity responsibility to the IT team exclusively, but that decision ignores the fact that the entire C-suite is impacted if unprotected data is compromised. If the breaches of Target, Sony and Facebook teach any lessons, one key lesson is that the responsibility to customers falls upon the CEO and causes overall distrust in the brand, with a potentially harmful impact on stock prices and current customers.
Still, a new survey conducted by Varonis, a data protection company, found that C-level executives and cyber pros are not on the same page when it comes to the implementation of data breach prevention tactics.
If anything, this shows that part of the reason data breaches and leaks are so common is a cultural problem inside various businesses. With some executives, it gives the impression that the C-suite class only cares if an actual problem occurs. Only then does serious action take place. The problem is that when a security incident takes place, especially a big one that hits the media, the damage is already done. It’s too late to hit any “undo” button.
After monitoring security issues for some time, we know full well that the consequences of a breach can very well be catastrophic. Just last month, after a data breach, AMCA wound up declaring Chapter 11 bankruptcy. One breach is all it took to see a company go from having major contracts as far as the eye can see to ceasing all operations altogether. This is far from the first time something like this has happened as well.
For me, some of this is not too dissimilar from some of the attitudes toward drinking and driving. Everyone knows full well it’s a bad idea. Some, however, feel that they are somehow different. One might say, “I can drink and drive because I can handle my liquor.” They are then asked, “Well, that person died after drinking and driving, what do you have to say about that?” The response is, “Well, that person was an idiot. I’m different because I’m not an idiot.”
In the case of security breaches, it wouldn’t be surprising if some executive out there has a similar attitude towards security. That executive could be saying, “Well, those ones that get hit with a breach don’t know what they’re doing. We’re different. I can keep costs to a minimum and no one would even consider hacking us!”
It’s the lack of understanding and caring that will likely mean these problems continue. It’s why setting strict, high-standard laws is still a good tool to shift these attitudes in the first place. It won’t change absolutely everyone’s mind on the matter, but you can bet there are a few executives out there who will see potentially hundred-million-dollar fines and think, “Maybe we should make investments into our security.”
It’s not a silver bullet solution, but considering how bad things still are, any step in the right direction is a positive one.
Drew Wilson on Twitter: @icecube85 and Facebook.