BreachExchange mailing list archives

Don’t let a data breach destroy you – a history lesson


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 12 Sep 2014 15:24:37 -0600

http://www.information-age.com/technology/security/123458463/dont-let-data-breach-destroy-you-history-lesson

When a company confirms that it has been the victim of a data breach, the
latest case being Home Depot, the cost of this disclosure could be best
described with a simple phrase: Carthage must be destroyed.

That is, of course, if history is any indicator. To use the above example,
prior to the outbreak of the Third Punic War, hawkish elements of the Roman
Republic began to popularise the phrase Carthago Delenda Est – Carthage
must be destroyed. The phrase was a response to the rise of the city’s
military power in the region and advocated a complete destruction of Rome's
geopolitical rival in order to preserve its dominion over the
Mediterranean.

Much like Rome called for the total destruction of Carthage in the face of
war, so too have company powers adopted a 'total destruction' attitude
towards the senior leadership managing companies, even at the board level,
that have suffered critically-damaging cyber attacks and data breaches.

The CEO under fire

The job of a public company’s CEO is generally guided by one principle: to
improve the equity value of the company. As the captain of the ship, the
CEO is typically the most visible and responsible when it comes to guiding
the course of a publicly traded company through the murky waters of
business towards greater per share value for investors holding its shares.

Typically, this means that most public market CEOs have been too focused on
high level strategy to spend time on operational facets of the business,
like security. Such operations are left to other staff including other
executives like the CSO (Chief Security Officer) and, further down the
line, practitioners like incident responders and systems administrators.

In the past, this has also meant that CEOs and other high-level executives
were rarely held accountable when it came to security issues. Even glaring
security vulnerabilities or critical cyberattacks were seen purely as
tactical and operational issues. A CEO might be tasked with overseeing some
kind of inquisition to seek out those in the company who 'allowed' that
attack to occur. But CEOs themselves were never the ones whose jobs were
hanging on the precipice because of the attack or its consequences.

That all changed with Target. After Target was the subject of a massive,
well-coordinated data breach by cybercriminals, shares in the company
plummeted over 10% in the months following the public acknowledgement of
the breach – constituting a loss of over $6B in equity value to the
company’s shareholders.

The damages extended into other parts of the company’s balance sheet.
According to the earnings report in February 2014, the company attributed a
drop of over 5.5% in sales transactions during the critical holiday season
to concerns from the breach. It was the largest loss in sales transactions
since the company began reporting that statistic in 2008. While the final
bill has yet to be tallied in the breach, it’s expected that it will run
well into the billions.

With such huge, strategic losses to the company and its equity, the
unthinkable happened: Target’s CEO resigned. A 35-year veteran of the
company, Gregg Steinhafel stepped down along with the company’s CIO, Beth
Jacob. Steinhafel’s departure from the company was the first time the CEO
of a Fortune 500 company was ousted due to the damages of a cyberattack.

Heads will roll

History seems to be repeating itself. In the few days before this
writing, Home Depot has admitted that it is investigating a potentially
massive data breach that bears a striking resemblance to the one that hit
Target just nine months prior. In response, the company’s stock has
plummeted over 3% in less than a full day of trading, constituting a
startling loss of over $5B in equity value.

It’s too early to fully know what this new data breach will cost Home
Depot. But if Target is any indication of what may happen, Home Depot could
see a similar 'battle of the titans' power struggle in the board room as
the company’s shares burn around it, like lava around Pompeii.

Steinhafel’s departure is a good example of how a CEO gets forced out due
to a hacking attack. As news of the data breach began to impact key
strategic indicators – statistics reported to investors – the company’s
stock began to wither.

This withering elevated the data breach’s responsibility beyond the
confines of the IT department and to the boardroom.

The response to this was a clarion call to summon one of the public
market’s most powerful and feared forces: the activist investor group.
Institutional Shareholder Services (or ISS), a major proxy advisory firm
that serves the interests of major hedge funds and other public market
investors, recommended that seven members of Target’s board be removed in
response to 'failing to protect the company' from the data breach.

ISS’ pressure certainly pushed Steinhafel out, but ultimately it was the
reputational risk to the company’s brand that delivered the coup de grace.
As time progressed and details about Target’s security practices came out,
the long-term impact of the attack degraded core metrics like sales
velocity and profit. Many consumers lost faith in Target’s ability to
safely conduct their transactions, and irreparable damage was done to the
company’s reputation and brand.

With strategic damages so great, somebody had to fall. Gregg Steinhafel
and CIO Beth Jacob were necessary sacrifices to appease the investment
community. Their departure helped to preserve many of the other board
members ISS had also recommended be sacked, as shown by the re-election of
most of the Target board during the company’s annual investors’ meeting in
June.

It’s far too early to know what will happen with Home Depot’s executives.
But one fact remains clear: the damages due to data breaches and other
major cyber attacks are no longer simply the concern of the IT department.
The reputational risk and impact on strategic metrics due to security
events like the ones that struck Home Depot and Target are enough to bring
down the heads of Fortune 500 companies. So, let history serve as a lesson
here. C-level and board executives need to concern themselves with cyber
security. After all, customers are the lifeblood of any organisation;
dissolve their trust and your job could be next for the chopping block.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

