IT security has gone from being a backroom IT issue to an executive boardroom topic of discussion. Many would agree that organizations that do a good job of reducing their IT security risks and stay out of the news create a competitive advantage in their market.
It’s evident that educating the board on cyber security and the need for an enterprise risk management strategy can go a long way to prepare a company for that critical time when, not if, a breach occurs. CISOs worldwide tell me that the more cyber literate the board is, the more prepared the company is and the better chance it has of protecting its reputation and ensuring long-term survival.
I just returned from a trip to Australia where I spent time with customers and attended the AISA (Australian Information Security Association) national conference, which brought together more than 1,000 security professionals from across the region.
At the conference, I spent some time speaking on the topic of disclosure. Unlike many other countries, Australia, at present, does not force organizations to publicly disclose data breaches that could put personal data in the wrong hands.
Consider the implications of this and the behavior it encourages. Breaches in Australia are common, but disclosing them is not. With so few people knowing that breaches have occurred, there is a perception that cyber security isn’t a problem when, in fact, it is a critical issue.
The Australian law around disclosure is currently under review, and if it is enforced by the end of 2015, then this would have huge PR, legal and financial implications for organizations doing business in the region.
Disclosure laws vary greatly across the globe. New proposals in Europe, for example, could mean that any organization that collects data from European residents (whether the company is located in Europe or not) will be required to disclose a data breach to a European authority within 72 hours. This timeline is even more stringent than current US laws, which require companies to disclose an incident within a month.
Furthermore, these new regulations will require that companies notify customers of a breach as soon as possible; not complying with these laws could cost companies up to 2 percent of their global revenue. Disclosure laws such as these are primarily put in place to protect customer data, but they also place a high regulatory burden on companies.
Many companies, even large enterprises, have limited resources, and every minute taken up reporting to regulatory authorities is time taken away from protecting customer data and rectifying the problem. Disclosing a breach too soon can also lead to poor communication and provide hackers with an opportunity to further exploit customer information. Take the recent TalkTalk breach as an example, as well as the subsequent press reaction.
Variations in disclosure laws and the importance different countries place on the issue of cyber security are contributing factors in the way in which organizations handle data breaches. Importantly, disclosure laws provide organizations with a framework and guidelines within which to operate.
Companies need to use this as a catalyst to prepare themselves for when a breach happens, and put a plan in place for how they will communicate this to authorities and customers. Some organizations, such as Mumsnet, have demonstrated that it is possible to manage a breach quickly and efficiently whilst protecting the brand and customer experience. Organizations could learn from this example when preparing for security breaches.
Today, companies remain under increasing pressure to handle breaches effectively and minimize the impact to their customers, their brand and their bottom line. Educating senior executives and key stakeholders on how to communicate effectively is vital.
With this in mind, I would argue that disclosure is a compelling reason for organizations to continuously invest in people, technology and resources. The absence of disclosure reduces the need to force organizations to continuously protect their customers’ data, and it removes the topic of competitive advantage or disadvantage.