About Hilary Tuttle

Hilary Tuttle is the editor of the Risk Management Monitor and Risk Management magazine.

Holding Executives Accountable for Cybersecurity Failures

The average cost of a data breach for companies surveyed has grown to $4 million, a 29% increase since 2013, with per-record costs continuing to rise, according to the 2016 Ponemon Cost of a Data Breach Study, sponsored by IBM. The average cost hit $158 per record, but records are far more costly in highly regulated industries—in healthcare, for example, businesses are looking at $355 each, a full $100 more than in 2013. These incidents have grown in both volume and sophistication, with 64% more security incidents reported in 2015 than in 2014.

Ponemon wrote:

Leveraging an incident response team was the single biggest factor associated with reducing the cost of a data breach, saving companies nearly $400,000 on average (or $16 per record). In fact, response activities like incident forensics, communications, legal expenditures and regulatory mandates account for 59 percent of the cost of a data breach. Part of these high costs may be linked to the fact that 70 percent of U.S. security executives report they don’t have incident response plans in place.

With so much on the line, more and more companies and consumers continue to search for whom to hold accountable for cybersecurity failures, and the message is becoming clearer: executives need to get serious or watch out.

In a recent report from Bay Dynamics, “How Boards of Directors Really Feel About Cyber Security Reports,” board members expressed a surprising amount of confidence in their abilities to understand and act on cyberrisk threats and indicated there are real risks on the table for IT and security executives. Almost all of those surveyed said that some form of action will be taken should these executives not provide useful and actionable information, with 59% claiming there is a good chance one or more security executives would lose their job over such reporting failures.

More board members (26%) ranked cybersecurity risk as their highest corporate priority than any other risk, including financial, legal, regulatory and competitive risks, and 89% said they are “very involved” in making cybersecurity decisions.

Following the typical presentations from IT and security executives, more than three in five board members report being significantly or very “satisfied” (64%) and “inspired” (65%), but 32% are significantly or very “worried,” and 19% are significantly or very “confused” and “angry.”

According to the report:

Of the information provided to them during these presentations, the majority of board members (97%) say they know exactly what to do or have a good idea of what to do with the information. This statistic, however, does conflict with IT and security executives’ thoughts on the information they present. Based on our December 2015 survey, only 40% of IT and security executives believe the information they provide the board is actionable. There is a clear disconnect here between what the board perceives is actionable information, and what IT and security executives define as data that can be used to make informed decisions.

“IT and security executives are focusing on what they believe are the most impactful issues: a) forward-looking information about known vulnerabilities that could potentially harm the company in the future, b) specifics about data that was lost as a result of known infiltrations and data breaches, and c) the impact of these infiltrations and breaches,” Bay reports. “Interestingly, while information about how much is spent to address cyber risk is reported by IT and security executives in less than one-half of the companies surveyed, this was the most commonly cited information that board members said they needed to make investments for cyber risk planning and expenditures.”

Bay also pointed to a critical challenge in the education gap of many board members and their reliance upon information security executives: a large portion of the education board members have on infosec comes from the organization’s own IT and security executives, and “when the person educating you on cybersecurity is the same individual tasked with measuring and reducing cyberrisk, there’s a fundamental disconnect.” It is extremely difficult for board members to understand what they are missing without education of their own and a third-party audit in place.

As cyberrisk continues to become a top enterprise risk priority, the consequences of failure may impact more of the C-suite than just chief information security officers or top IT executives. In May, following a social engineering fraud case that resulted in a wire transfer of 50 million euros, Austrian aircraft parts manufacturer FACC fired its chief executive of 17 years. Some regulators also want to start holding chief executives accountable in a way that truly speaks to them: their paychecks. According to a report from members of parliament on the British Culture, Media and Sport Select Committee, Britain’s status as the leading internet economy in the G20 is under threat from a combination of increasing reliance on digital infrastructure, and inadequate protection of it. To address the issue, they suggest that chief executives who fail to prevent cybersecurity breaches have a portion of their pay docked.

Such was the case with Baroness Harding, the chief executive of TalkTalk, Britain’s fourth-largest broadband provider, which suffered a high-profile cyberattack recently. Her performance bonus was slashed by more than a third as a result of the company’s security failings.

“Companies must have robust strategies and processes in place, backed by adequate resources and clear lines of accountability, to stay one step ahead in a sophisticated and rapidly evolving environment,” said Jesse Norman, chairman of the committee. “Failure to prepare for or learn from cyber-attacks, and failure to inform and protect consumers, must draw sanctions serious enough to act as a real incentive and deterrent.”

Customers Accept Hacking Risks, But Hold Businesses Fully Accountable for Cyber Risk

While most consumers are coming to consider hacking normal, they are definitely far from letting businesses off the hook for their failures to guard against cyberthreats. According to a new study from enterprise security firm Centrify, about three quarters of adults say it is probably or definitely normal and expected for businesses and large organizations to be hacked, and 66% of adults in the U.S. are at least somewhat likely to stop doing business with a company that has suffered a cyberbreach – a figure that rises to 75% in the U.K.

Consumers also firmly believe that the burden of responsibility for guarding against cyberrisk falls squarely on businesses. On a 10-point scale, two thirds of respondents rated corporations as a nine or 10 in terms of how responsible they should be for preventing hacks and securing customers’ personal information. When companies are hacked, they consequently also bear the burden of being fully accountable to their customers, and many are failing, further compounding the odds of concrete consequences from clients. In the U.S., 41% said that corporations do not take enough responsibility when they are hacked, a sentiment shared by 50% of U.K. respondents.

The study found that 21% of U.S. consumers say they are “very likely” to stop doing business with a company that has been hacked. Those most likely to do so include those who have had their personal information compromised in a hack, those who are tech savvy, and those who are frequent online shoppers.

“The study clearly points to the need for organizations to dramatically bolster their security systems and do everything in their power to protect consumer information and prevent a breach,” said Tom Kemp, CEO of Centrify. “When companies put customer data at risk they are really putting their entire business at risk. Consumers simply will not tolerate doing business with hacked organizations. It’s time for organizations to take full responsibility for their security and put the proper measures in place once and for all.”

Check out some of the study’s findings in the infographic below:

[Centrify infographic not reproduced here]

Companies Failing to Use Technology to Fight Fraud

While an increasing number of malicious actors are using technology to perpetrate fraud, the vast majority of companies are not using the technological resources available to fight it. According to KPMG’s new report Global Profiles of the Fraudster, technology significantly enabled 29% of the 110 fraudsters analyzed in North America and 24% of the 750 fraudsters analyzed worldwide. What’s more, 25% of frauds that hinged on the use of technology were detected by accident rather than safeguards or analytics, compared to just 10% spotted by accident in cases where the criminals did not use technology.

Indeed, proactive data analytics was not the primary means of detection in any North American cases and was used to detect only 3% of fraudsters worldwide. In North America, the most common means of detecting fraud were: tip-offs and complaints, management review, accidental discovery, suspicious superiors and internal audit.

KPMG found that weak internal controls contributed to 59% of frauds in North America. Companies are failing to focus on strengthening controls, the firm reported, despite the increasing threat of newer types of frauds, such as cyber fraud and continued traditional forms of wrongdoing.

“In addition to ensuring internal controls are thoughtfully designed, companies should deploy effective training and instill a culture of integrity so that controls are properly executed,” said Phillip Ostwalt, partner and Global Investigations Network Leader at KPMG LLP. “Companies should also adopt new controls as their risk profiles change. Ongoing risk assessments can help cost-constrained companies ensure they are properly investing in such controls.”

Who are these fraudsters?

  • 65% are between ages 36 and 55
  • 39% have been employed by the victim organization for over six years, most in operations, finance or the office of the chief executive
  • 42% operate in groups, and 52% of collusive frauds involved external parties

Check out the infographic below for more of the study’s findings:

[KPMG Profiles of the Fraudster infographics not reproduced here]

EgyptAir Flight MS 804 Crash Confirmed, Killing 66

Egyptian authorities believe they have found debris from EgyptAir Flight MS 804, but the search remains on for the wreckage of the Airbus A320 traveling from Paris to Cairo that vanished from the radar and crashed into the Mediterranean early this morning.

According to Greece’s defense minister, Greek controllers attempted to contact the aircraft when it crossed through the country’s airspace but could not get a response. The plane made “sudden swerves” before dropping from 37,000 to 15,000 feet and disappearing from radar. The small commercial jet was about half full, carrying 66 passengers from a range of nations, including 30 from Egypt, 15 from France, two Iraqis, and one person each from Britain, Belgium, Kuwait, Saudi Arabia, Sudan, Chad, Portugal, Algeria and Canada.

[Reuters map of the EgyptAir flight route not reproduced here]

No cause has been officially identified, but many security analysts and government officials believe that an act of terrorism may have downed the plane. There were no documented red flags before the plane disappeared: local weather was good, the plane was on its fifth flight of the day, the pilot and copilot had logged a significant amount of flying experience, and Greek aviation officials said the pilots did not mention any issues.

According to Reuters, Egyptian Prime Minister Sherif Ismail said it was too early to rule out any possible explanation, and French President Francois Hollande told reporters, “No hypothesis can be ruled out, nor can any be favored over another.” Egypt’s civil aviation minister said a terrorist attack was more likely than a technical failure, however. Two U.S. officials told CNN that the government is operating on an initial theory the flight was taken down by a bomb, but cautioned this is not yet supported by a “smoking gun.” No terrorist groups have yet claimed responsibility for the crash.

As Time noted:

Egypt has been the victim of terrorism in the skies relatively recently. Last October, a Metrojet charter plane filled with Russian tourists crashed into the Sinai Desert shortly after taking off from the Egyptian Red Sea resort of Sharm el-Sheikh, headed to St. Petersburg, Russia. All 224 passengers died in the crash. Investigators quickly speculated that a home-made bomb had been placed aboard the aircraft and in February the Islamic State, or ISIS, claimed responsibility, saying that it had indeed smuggled an explosive device aboard the aircraft.

In March, a passenger aboard an EgyptAir plane flying from Alexandria to Cairo hijacked the plane wearing a fake suicide belt, an incident that raised deep concerns among aviation authorities about the anti-terrorist measures in place on EgyptAir flights, and at Egyptian airports.

Beyond the region, a number of high-profile losses have hit the aviation industry as a whole over the past two years, including the disappearance of Malaysia Airlines flight MH370 and the crash of MH17, a Boeing 777 shot down over Ukraine. As we reported at the time, however, crashes actually continue to decrease. While the insured losses from a plane crash can be significant, the capacity in the aviation insurance market has continued to keep rates stable and relatively low.

In the terrorism insurance market, recent losses have also not yet borne out a concrete impact on rates or capacity. While some European markets have recently reduced their underwriting appetite, terrorism coverage has primarily broadened, with significant capacity and rates that remain relatively low.

As Business Insurance recently reported, the terror attacks in Paris and Brussels have prompted an increase in the take-up rate for event coverage to add to buyers’ terrorism insurance programs. Tim Davies, head of sabotage and terrorism at London specialty insurer Sompo Canopius, told the magazine that many buyers have been adding liability and event cancellation coverage, prompted by the continued relatively low rates. Despite the spike in attacks in Europe, Richard Sawyer, director and head of North American terrorism at Aon Risk Solutions, told AM Best last week that rates for terror coverage should remain relatively stable unless the frequency of attacks escalates.