Is the CEO to blame for a cyber security breach?
How about the CTO? Who is truly accountable for a cyber security breach, and how should a business be punished for losing its customers' data?
“Who is to blame?” has become a common question following high-profile breaches or losses of customer data, for example after the TalkTalk breach of October 2015.
Generally speaking, a cyber security breach is caused by a chain of failings, a very determined attacker, or both, but the media and the affected customers need to point the finger at someone, and that someone is usually a high-ranking decision maker.
With TalkTalk the burden of blame fell on Dido Harding, TalkTalk’s CEO. She was grilled by government officials, police investigators and the public alike, but was she, and is any CEO, really to blame?
Mark James, ESET IT Security Specialist, thinks that CEOs should be accountable at the very least, but adds the caveat that they should be held accountable in the same way they would be for any other company failing, not to some special standard reserved for a cyber security breach.
“Certainly CEOs should be accountable, but only to the degree they would be accountable for any other failing within the organisation.
Ultimately they have the power to make decisions on where spending and expertise is placed to protect the company as a whole and keeping our data safe should be a major concern if they are entrusted by us to do so.
The question should be “have they taken enough preventative measures?”, not “who is to blame?”.
Finding out what went wrong, how it can be stopped in future and finding ways to better protect us, the users, are the key points that need addressing, along with making sure the people that are affected most have all the information in a timely manner to enable them to mitigate any further damage and then decide if they want to continue that trusted relationship that may be so badly damaged.
The CEO should be the figure who stands up and explains what went wrong, how they found out, what they are doing about it and what you can do if you’re concerned.
As for penalties the only plausible option to have any serious effect is scalable fines: if you’re being fined less than the cost of upgrading your infrastructure, where’s the deterrent?”
Taking all available and realistic precautions to prevent a cyber security breach is the most sensible course of action. If you’d like to find out how to protect your business, please contact our cyber security team via email at firstname.lastname@example.org or by phone on 01392 207194.