When public companies experience a data security breach, their senior IT officials are often quoted when these events are announced. With the recent launch of the high availability system recovery solutions InstantRecovery and InstantRecovery Server, Raxco President Bob Nolan has discovered a surprising trend when reaching out to these IT executives: many are no longer with the affected companies. There seems to be a cause-and-effect relationship between security breaches and employment.
You need to be proactive when planning for security breaches and unexpected system downtime. There are two kinds of damage here: the first is hard to control and comes from the breach itself. The second is self-inflicted and due to an inadequate response to the breach. Sure, having a security “insurance policy” might not be top of mind when you have your daily barrage of IT issues to deal with, but when it comes down to it, your job might depend on it.
The most immediate questions in the wake of an attack are how fast you are going to get your systems up and running securely again, and what the impact is on clients and customers. If the recovery time is measured in days or weeks instead of minutes, it could mean trouble. System recovery to a “known and trusted” state is the goal in the wake of any breach. Being able to recover quickly demonstrates competence and control of the situation. This tells your employees, vendors and customers that you are managing the problem. Recovery is also a costly endeavor; as we discussed in a prior post, system downtime costs more than you think.
#1 Security Issue: Maintaining Customer Trust
Look at the Target security breach in late 2013, which compromised 40 million customer credit and debit cards and 70 million customers’ private information, or the 2007 TJX security breach, which compromised 100 million customer credit cards.
What do these two stories have in common? Target CIO Beth Jacob, TJX director Gary L. Crittenden and Senior Executive VP and Group President Alexander W. Smith each resigned in the aftermath of their highly publicized security failures.
Even more recently, five months after the Target breach was reported, CEO Gregg Steinhafel also resigned. The pressure was on for Sony’s CEO, Howard Stringer, to resign in 2011 after security breaches targeting gamers on the PlayStation Network exposed customers’ personal data. Stringer finally resigned as CEO in 2012, although he remained on as Chairman until 2013.
Prior to the discount retailers’ troubles, you may remember back in 2006 when AOL disclosed it had publicly released search data from 650,000 of its customers – a huge breach of privacy and customer trust. In that situation, Maureen Govern, AOL’s CTO, resigned and AOL terminated two additional employees in the research division of the company, which was responsible for the release of the data.
In another story, after failing to prevent a series of security breaches in 2006, Ohio University CIO William Sams also resigned and the university fired two top IT managers.
The list goes on and on. Whether the breach occurred at a POS system or was due to a cyber/malware attack, employee negligence, or other software failure, the cause really doesn’t matter. IT execs must be prepared to protect customers and keep operations running on pristine systems with as little downtime as possible.
Heads Will Roll…
The pressure and demands from intense media scrutiny and understandable customer outrage after a security breach bring forced accountability.
“The problem is that many times, the workers who are held responsible for breaches are only following what until then had been accepted practices within their companies…
“…and they may not have had the responsibility or authority to change the practices” -Tim O’Pry, CTO at The Henssler Financial Group
The security breach a CIO, CISO, IT manager or CEO loses their job over may be a known vulnerability their team could already have been working to correct, but some attacks are so sophisticated and new that they are difficult for even the seasoned IT executive to anticipate. Unfortunately, IT heads will be the first to roll.
Target’s breach could have been prevented. In June, Target filled its first CISO role in the aftermath of its devastating security breach. Neiman Marcus is also searching for its first chief information security officer after a data breach that affected 1.1 million credit cards. Still, these are both cases of too little, too late.
The moral of the story is that negligence is not an option when customer trust is at stake. Instead of taking a week or two to reimage your machines after a serious hack, learn more about preventing the unnecessary downtime associated with software failure and cyber attacks.