The urgency of treating cybersecurity as a business decision has never been greater. Now companies have the understanding and tools to implement it. According to EU law, when a company fails to comply with the data protection rules, the possible sanctions for the infringement include a reprimand, a temporary or definitive ban on processing, and a fine of up to €20 million or 4% of the business’s total annual worldwide turnover (What if my company/organisation fails to comply with the data protection rules?, 2020).
For some companies, protecting sensitive customer data and company information has proven to be problematic. Therefore, companies in all industries must be alert to security breaches.
A breach of cybersecurity could have a substantial financial impact on companies, as well as damage to their reputation. Equifax, the credit scoring agency, has agreed to a global settlement of up to US$700 million (£561 million) with the Federal Trade Commission for its failure to take reasonable measures to protect its network security, which led to a data breach in 2017 (Federal Trade Commission, 2019).
Equifax management discovered on July 29, 2017 that the system had suffered a data breach, affecting approximately 145.5 million Americans, 700,000 British residents and 8,000 Canadian citizens. The company disclosed the breach to the public on September 7, 2017. The company stated in its disclosure that the breach was caused by a hacker who exploited a vulnerability in its software. Public disclosure caused the stock price to plummet by 34.85% on September 15, 2017 (Rasalam and Elson, 2019).
The Equifax CEO stepped down and made very clear that the hack was a fundamental reason for doing so. The final U.S. House of Representatives subcommittee report indicated that “Equifax Failed to Prioritize Cybersecurity” (Portman and Carper, 2020).
Cybersecurity has been on boards’ agendas for almost ten years; the headlines keep coming, and it remains a well-invested area that receives much attention in many companies. Yet there remain broad challenges to the effectiveness of cybersecurity as it is implemented across enterprises globally.
The societal perception of cybersecurity is that it is a technical problem, best handled by technical people, and this leads to low engagement with executives, ineffective communication and unrealistic expectations. Ultimately, it will lead to wrong decisions and wrong cybersecurity investments. Who has the ultimate responsibility for the breach of cybersecurity?
References:
European Commission - European Commission. 2020. What If My Company/Organisation Fails To Comply With The Data Protection Rules?. [online] Available at: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/enforcement-and-sanctions/sanctions/what-if-my-company-organisation-fails-comply-data-protection-rules_en [Accessed 28 September 2020].
Federal Trade Commission, 2019. Equifax To Pay $575 Million As Part Of Settlement With FTC, CFPB, And States Related To 2017 Data Breach. [online] Available at: https://www.ftc.gov/news-events/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related [Accessed 27 September 2020].
Rasalam, J. and Elson, R., 2019. Global Journal Of Business Pedagogy. [ebook] pp.8-12. Available at: https://www.igbr.org/wp-content/uploads/articles/GJBP_Vol_3_No_3_2019-pgs-8-15.pdf [Accessed 27 September 2020].
Portman, R. and Carper, T., 2020. PERMANENT SUBCOMMITTEE ON INVESTIGATIONS. [online] Committee on Homeland Security and Governmental Affairs, p.2. Available at: https://www.hsgac.senate.gov/imo/media/doc/FINAL%20Equifax%20Report.pdf [Accessed 27 September 2020].
10 replies
Post by Shoumik Chakraborty
Peer Response - Who is responsible for CyberSecurity
The social stigmatization of cybersecurity as a technical issue leads to the gap between business, management and cybersecurity professionals.
Business Driven Risk Management (BDRM) and Integrated Risk Management (IRM) frameworks are the solutions to minimize the gap between the business and technical teams while enhancing security performance.
BDRM drives the risk assessment approach based on business criticality. The process starts with the identification of critical business and assets, followed by risk assessment. The framework transforms the security challenges in terms of business need and findings while creating a bridge between the technical and operations team (Fito & Guitart, 2010).
The IRM framework ensures the identification of key risk factors and addresses the risks in an integrated manner while reducing redundancy. Scoping the business objectives in collaboration with business stakeholders, followed by risk assessment and treatment, shares responsibility between the technical and business teams (Deloitte, 2016).
References
Deloitte. (2016) Integrated Risk Management: Delivering improved outcomes. Available from: https://www2.deloitte.com/content/dam/Deloitte/uk/Documents/consultancy/deloitte-uk-integrated-risk-management%20.pdf [Accessed 28 September 2020].
Fito, J. & Guitart, J. (2010) 'Introducing Risk Management into Cloud Computing', Proceedings of the 6th International Conference on Network and Service Management. Canada, October 25-29 2010. Barcelona: Barcelona Supercomputing Center and Technical University of Catalonia.
Post by Marzio Hruschka
Peer Response - Who is responsible for Cyber Security?
Hi Shiraj,
I fully agree with the points you have raised. Another aspect to think about is how key decision-makers and budget holders perceive cyber security. This may impact the engagement with executives and thus play into the off-loading of responsibility.
Especially in the FinTech industry, cyber security plays a crucial role not only in preventing attacks and thus minimising potential economic losses, but also in building the necessary trust with the customer base. A study conducted by Microsoft and Frost & Sullivan in the APAC region (2018) revealed that most participants think of cyber security solely as a means to safeguard an organisation against malicious actors. Only a minority of respondents (20%) see a strategic aspect of cyber security that may benefit the business and enable a digital transformation (Microsoft Asia News Center, 2018).
Malaysia, over recent years, has seen a stark increase in e-wallet providers, with big players such as Grab, a ride-hailing service, and Alipay getting involved. However, according to a Banking Consumer Study conducted by VMware in 2018, close to 46 per cent of Malaysian consumers remain sceptical about using such services. In contrast, “the study also found that 70 per cent of Malaysian consumers prefer traditional payment methods indicating that they trust online interbank transfers, ATMs or cash” (New Straits Times, 2018).
Cyber security can be utilised as a competitive advantage and a feature rather than being seen solely as a cost-prevention investment. When viewing it as an enabler for user acquisition and as a revenue driver, decision-makers might be more inclined to pay attention.
References
Microsoft Asia News Center (2018) Cybersecurity threats to cost organizations in Asia Pacific US$1.75 trillion in economic losses. Available from: https://news.microsoft.com/apac/2018/05/18/cybersecurity-threats-to-cost-organizations-in-asia-pacific-us1-75-trillion-in-economic-losses/ [Accessed 30 September 2020].
New Straits Times (2018) 46 pct of Malaysians insecure about online banking security: study. Available from: https://www.nst.com.my/news/nation/2018/11/433159/46-pct-malaysians-insecure-about-online-banking-security-study [Accessed 30 September 2020].
Post by Shiraj Ali
Peer Response - Who is responsible for CyberSecurity
Hi Marzio/Shoumik,
It is reassuring to see that all the studies are in agreement. The purpose of the cybersecurity program is not to protect the organisation completely, because this is an impossible goal. The purpose of cybersecurity procedures is to strike a balance between protection needs and operating the business. What should we do if we cannot fully protect the organisation? Being ready for network security incidents is an option. Create appropriate, reasonable, consistent and effective controls that are credible and defensible with key stakeholders (shareholders, regulators, and customers) to ensure that you spend the right amount of money on the right things in security.
Post by Andreas Riedler
Peer Response - Who is responsible for Cyber Security?
To benefit from the digital economy, it is mandatory for nations to provide a trustworthy technical environment and network infrastructure. A possible way to improve trust and confidence in the digital infrastructure is the implementation of National Cyber Security Strategies (NCSS). Most NCSSs focus on critical infrastructure protection, cybercrime protection, cybersecurity professional development, cybersecurity public awareness, research and development, and international collaboration (Teoh and Mahmood, 2017).
The question is whether cybersecurity is only the responsibility of companies. In a digital economy, cybersecurity is a responsibility of all stakeholders: the government, the private sector and individuals. Governments have to issue laws and regulations for cybersecurity. They have to audit and control whether private companies meet these cybersecurity laws and regulations. The main goal of governments is to ensure trust in a secure cyberspace in order to enhance research and development for a digital market. Private companies have to ensure their security measures are sufficient and in alignment with laws and regulations. Their main concern is financial loss (through fines and lost business) and reputational loss. For individuals, data and financial losses are also the primary concerns. Individuals are responsible for keeping their devices up to date with the newest patches/releases. They must be aware of cybersecurity issues and must claim their right to secure products.
Since cybersecurity is not only a concern for governments and companies but also for individuals, it is crucial to foster cybersecurity education in order to produce individuals who are competent in cybersecurity.
Post by Arun Thomas
Peer Response - Who is responsible for Cybersecurity
The post investigates the impacts of cybersecurity breaches, including the economic and reputational losses, and the compensations made by companies if they fail to comply with the data protection rules.
The information on the European Union GDPR law is acceptable, including a warning, a temporary or definitive ban on processing, and a fine of up to €20 million or 4% of the company's total annual worldwide turnover. According to the European Union's General Data Protection Regulation, the DPA might impose a fine instead of, or in addition to, the ban on processing.
The fact is that not just some companies, but all sectors now use some digitalization in their work culture, making them prone to cyberattacks. Every company faces challenges in protecting its customer data and business information.
Companies that profit from personal information, like Equifax, a credit reporting company, have an extra responsibility to protect and secure data. Equifax failed to take the necessary steps to secure its network and faced a data breach in 2017 that affected approximately 147 million people. It forced the company to pay at least $575 million and potentially up to $700 million as a settlement with the Federal Trade Commission.
Review Summary:
The author's research on the Equifax data breach and EU law was appropriate. But the information about Equifax could have been reduced, and information on why cybersecurity is now a global issue could have been included. The information on the consequences of not complying with data protection regulation was accurate, but the author could have improved the article's language and readability.
Reply to Arun Thomas from Shiraj Ali
Re: Peer Response - Who is responsible for Cybersecurity
Hi Arun,
Thanks for the review summary. I do agree with you that Equifax has extra responsibility and that it was entirely preventable. This breach affected millions of users across the globe, mainly in the US.
The irony is that because people pay enough attention to their credit scores, they pay Equifax to see their credit file, as they know a stolen credit file can lead to fraud and damage their credit scores. However, something strange happened. After this breach, the country was inevitably going to see a wave of identity theft and fraud; it never happened, as I haven't found any report of fraud or identity theft cases that can be traced back to this incident.
Post by Christopher Debiccari
Peer Response
The optics of cyber security are extremely murky at a lot of companies. When the penalties for not disclosing a breach of data are perceived as less serious than the potential losses from lowered revenue and public opinion, it’s no surprise that they are willing to take chances with trying to hide it from their customers. But people want to know when their data has been leaked. A survey published by the USENIX Association found that participants had strong expectations of being informed of such leaks (Karunakaran et al., 2018). In addition, transparency about cyber security from companies is vital for keeping personal data secure. Privacy and transparency support each other, improving each other’s protection (Maneggia, 2019). The likelihood of concealing a large-scale hack in an age of rapidly expanding access for whistleblowers to reveal such breaches anonymously online is shrinking. Combining this with increasing fines from regulations for not disclosing data breaches means that companies are more likely to be forthright about breaches of their systems.
References:
Karunakaran, S., Thomas, K., Bursztein, E., Comanescu, O. (2018) Data Breaches: User Comprehension, Expectations, and Concerns with Handling Exposed Data. Available from: https://www.usenix.org/system/files/conference/soups2018/soups2018-karunakaran.pdf [Accessed 4 October 2020].
Maneggia, A., Carloni, E., Paoletti, D. (2019) ‘Transparency and Privacy as Human Rights’, in Carloni, E., Paoletti, D. (eds) Preventing Corruption Through Administrative Measures, pp. 335-349.
Reply to Christopher Debiccari from Shiraj Ali
Re: Peer Response
Hi Christopher,
Thank you for your contribution. With a wealth of information available, it may be difficult for many companies to know where to start when taking steps to reduce the risk of becoming a victim of a cyber attack. For large and small enterprises alike, it is essential to be able to identify network security risks and effectively manage threats to information systems.
Business managers, including executives and directors, must realise that cyber risk management is an ongoing process, and there is no final solution. However, network security can improve through a risk management process that places great emphasis on management. Leadership is essential when taking action and ensuring that information security best practices can continue to develop within the organisation (Cybersecurity - ICC - International Chamber of Commerce, 2020).
Reference:
ICC - International Chamber of Commerce. 2020. Cybersecurity - ICC - International Chamber Of Commerce. [online] Available at: [Accessed 6 October 2020].
Post by Shiraj Ali
Initial post: updated online reference web links
References:
European Commission - European Commission. 2020. What If My Company/Organisation Fails To Comply With The Data Protection Rules?. [online] Available at: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/enforcement-and-sanctions/sanctions/what-if-my-company-organisation-fails-comply-data-protection-rules_en [Accessed 28 September 2020].
Federal Trade Commission, 2019. Equifax To Pay $575 Million As Part Of Settlement With FTC, CFPB, And States Related To 2017 Data Breach. [online] Available at: https://www.ftc.gov/news-events/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related [Accessed 27 September 2020].
Rasalam, J. and Elson, R., 2019. Global Journal Of Business Pedagogy. [ebook] pp.8-12. Available at: https://www.igbr.org/wp-content/uploads/articles/GJBP_Vol_3_No_3_2019-pgs-8-15.pdf [Accessed 27 September 2020].
Portman, R. and Carper, T., 2020. PERMANENT SUBCOMMITTEE ON INVESTIGATIONS. [online] Committee on Homeland Security and Governmental Affairs, p.2. Available at: https://www.hsgac.senate.gov/imo/media/doc/FINAL%20Equifax%20Report.pdf [Accessed 27 September 2020].
Post by Shiraj Ali
Summary Post - Who is responsible for Cyber Security?
Based on the initial post and the peers’ feedback, the summary is as follows.
Everyone agrees that cybersecurity is a global issue. The key discussion points are what impact a company can face when cybersecurity is not given due importance, and who is accountable for any cybersecurity breach.
From the example of the cybersecurity breach at the global company Equifax (an international credit report management company), we identify that there are legal implications as well as financial and reputational impacts.
The legal and financial impact was that the agency received a fine and agreed to a settlement of up to US$700 million (£561 million) with the Federal Trade Commission for failing to take reasonable measures to protect its network security, which led to a data breach in 2017.
The reputational impact for the company was that the Equifax CEO stepped down and clarified that the hack was a fundamental reason. The final U.S. House of Representatives subcommittee report showed “Equifax Failed to Prioritise Cybersecurity” (Portman and Carper, 2020).
Also, we identified that the purpose of the cybersecurity program is not to protect the organisation completely, because this is an impossible goal. The purpose of cybersecurity procedures is to balance protection needs and operating the business.
A summary of the contributions of several peers to this post follows.
Chakraborty (2020): Scoping the business objectives in collaboration with business stakeholders, followed by risk assessment and treatment, shares responsibility between the technical and business teams.
Hruschka (2020): Cybersecurity is seen solely as a means to safeguard an organisation against malicious actors.
Riedler (2020): Cybersecurity is not only a concern for governments and companies but also for individuals, and it is crucial to foster cybersecurity education to produce individuals who are competent in cybersecurity.
Thomas (2020): All sectors now use some digitalisation in their work culture, making them prone to cyberattacks. Every company faces challenges in protecting its customer data and business information.
Debiccari (2020): Transparency about cyber security from companies is vital for keeping personal data secure. Privacy and transparency support each other, improving each other’s protection.
References:
Portman, R. and Carper, T., 2020. PERMANENT SUBCOMMITTEE ON INVESTIGATIONS. [online] Committee on Homeland Security and Governmental Affairs, p.2. Available at: https://www.hsgac.senate.gov/imo/media/doc/FINAL%20Equifax%20Report.pdf [Accessed 27 September 2020].
Chakraborty, S. (2020) Initial Post - Who is responsible for Cyber Security? Available from: https://www.my-course.co.uk/mod/hsuforum/discuss.php?d=225339 [Accessed 11 October 2020].
Hruschka, M. (2020) Initial Post - Who is responsible for CyberSecurity. Available from: https://www.my-course.co.uk/mod/hsuforum/discuss.php?d=225339 [Accessed 12 October 2020].
Riedler, A. (2020) Initial Post - Who is responsible for CyberSecurity. Available from: https://www.my-course.co.uk/mod/hsuforum/discuss.php?d=225339 [Accessed 12 October 2020].
Thomas, A. (2020) Initial Post - Who is responsible for CyberSecurity. Available from: https://www.my-course.co.uk/mod/hsuforum/discuss.php?d=225339 [Accessed 12 October 2020].
Debiccari, C. (2020) Initial Post - Who is responsible for CyberSecurity. Available from: https://www.my-course.co.uk/mod/hsuforum/discuss.php?d=225339 [Accessed 12 October 2020].