Hefty fines can act as a deterrent to organisational complacency on cyber-security, Chartered Institute of Information Security CEO Amanda Finch told SC Media UK.
Her observations came as the US Federal Deposit Insurance Corporation prepares to impose fines on financial institutions for breaches of their customer data, after sensitive information on more than 100 million customers of Capital One was exposed.
The UK Information Commissioner’s Office (ICO) has set a precedent by heavily penalising British Airways and Marriott Hotels last month for violating the European Union’s General Data Protection Regulation (GDPR).
Shortly afterwards, the US Federal Trade Commission imposed an unprecedented US$ 5 billion (£4 billion) fine on Facebook over how the company lost control of massive amounts of personal data.
A survey Tripwire ran on Twitter found that 42 percent of the company’s Twitter followers believe the fines enforced on Marriott and British Airways were too little.
"Historically, these fines were capped at a fairly low level, which meant there was no real incentive for businesses to take action, causing complacency. Fines need to be high enough in order to be meaningful, and therefore a significant enough risk for organisations to actually take notice," Finch said.
"The new fines implemented by the ICO do this, and will help in deterring organisational complacence. After all, if the fines outweigh the costs of improving security and hiring new people, the more cost-effective option should be clear," she explained.
IT business leaders in Britain prefer to brush data breaches under the carpet, SC Media UK reported in May.
A survey by CyberArk published last month found that 31 percent of organisations would prefer to pay fines for non-compliance with major regulations, rather than fix lax security policies - even after experiencing a cyber-attack. This view seems to be strong in the UK, with 43 percent of organisations believing that attackers can infiltrate their networks each time they try.
This approach is far from desirable, said Finch.
"Companies should be doing their utmost to stay secure at all times. Who is to say that a data breach would be a ‘one-off’? If everyone has this attitude, data breaches will keep happening, the fines will keep rolling in, and the business will suffer the consequences," she said.
The responsibility for a data breach cannot be fixed on one individual or team, she noted.
"In the first instance, the Data Protection Officer and CISO should be in charge of spearheading the issue by effectively communicating the risks and potential damage to the C-Suite. The C-Suite should then take on the responsibility by managing the risks accordingly, in the same way they would take on other operational risks that could have a reputational, legal or even financial impact on the company," she said.
A survey of cyber-security professionals in the financial services industry (FSI) by Synopsys Cybersecurity Research Center (CyRC) and Ponemon Institute noted that the majority of respondents felt their organisations are much more effective in detecting and containing cyber-attacks than in preventing those attacks.
"With a stronger focus on security, especially on injecting security earlier into the software development life cycle, FSI organisations will have a better chance of preventing attacks rather than dealing with the consequences and costs of those attacks," the report said.
Help can be sourced from several resources, said Finch.
"There are a huge number of people with relevant skills who are perfectly suited to security roles, but aren’t necessarily aware that they would fit the career. By identifying these people and providing them with the right training, organisations can make certain they have the right skills needed to stay protected against breaches – ensuring the fines are kept at bay," she added.