Data breaches have a long-lasting impact

Blog

Subscribe to Email Updates

We promise to send you awesome stuff you'll want to read more than once.

Do you remember that infamous Equifax breach? The one where hackers stole the personal information of 147.7 million US citizens? We wrote a blog post about the incident a few years back.

Whether or not you remember the case, the first thing you should notice that the case is still relevant – almost two years after it was discovered. One of the reasons is that US authorities have taken a stricter approach to data breaches, and now that GDPR has been in force in Europe for over a year, the consequences of a data breach reach beyond the initial public outcry, temporary  dip in the stock price and perhaps a couple of IT guys being fired.  

Let’s have a look at the Equifax case along with a couple of others by going through some questions organizations should be asking themselves.

1. Harsh fines or risk mitigation?

Authorities on both sides of the pond are handing out fines that have a serious impact on the bottom line of the companies. One recent example is Equifax, which is reportedly facing a hefty fine of $700M for the lack of proper security measures. It has also become apparent that one of the reasons this hack was so successful was that the hackers got ahold of stolen credentials which allowed them to move laterally inside the network and gain access to valuable data. Read more about what this means here.

Another example is British Airways who is likely to be fined £183m for their “poor security arrangements”. Although the proposed figure might still change if and when BA appeals the case, as the fine currently stands, it amounts to 10% of expected net profits of the company.

It also looks like the trend is up, since “Those reporting attacks that cost 10 million USD/EUR/GBP or more almost doubled from last year — from 7% in 2018 to 13% in 2019”, as stated by Security Boulevard.


2. Legal action or even more legal action?

National authorities and regulators are not the only ones who demand justice in breach cases. Companies can also face legal action from local authorities in addition to the fines imposed by governmental regulators, as quoted in this article.

“Equifax has agreed to pay at least $1.4 billion to settle multidistrict litigation brought on behalf of 147 million U.S. consumers and pay millions more to resolve civil complaints brought by the federal government and multiple state attorneys general over its massive 2017 data breach.”

These are not the type of figures you want to be presenting to your shareholders, investors or the general public. Besides, private citizens are becoming more aware of how valuable personal data has become and how important it is for organizations to govern and monitor how it is handled. For example, GDPR allows EU citizens to seek compensation for damages.

3. Doing productive work or spending time on litigating?

All the time the company is under all kinds of scrutiny, it diverts attention and resources from what these companies really should be doing – running their daily operations and concentrating on serving their customers. Instead, they’ve been litigating, settling, hiring lawyers, spending internal time and resources on matters that could have perhaps been avoided by paying a bit more attention to their cybersecurity strategy.


4. Is it a board level topic before or after the risk has materialized?

We believe companies should not leave cybersecurity only at the hands of the IT or even the cyber security teams. Proper cyber hygiene should be a board level topic. The consequences of ignoring these topics always are.

How can we help

We have more than 25 years of experience in the field of cybersecurity, access control and securing data-in-transit. We can help you:

  • get rid of ungoverned access methods that might exist inside your organization
  • mitigate the risk of lateral movement inside your network where one set of credentials is used to hop between servers (one method of hacking)
  • get rid of permanent access credentials altogether and replace them with Zero Trust and just-in-time authentication methods that minimize the risk of privileged credential abuse

Joe Scaff, CEO, Chief Sales Officer

P.S. I highly recommend the ISACA guide on Secure Shell governance and the KuppingerCole Executive view on our product, PrivX®.

Ephemeral_CTA

AuthorJoe Scaff

Joe Scaff has over 15 years of experience in information security technology and network communications industry. Joe has held various management roles at SSH Communication Security including Technical Sales, Technical support, Professional services. He has a strong technical and managerial background that allows him to deliver strategic solutions to Fortune 500 customers. He is responsible for all US business operations including America's sales and global customer services.

Want to be the first to know about new blog posts?

Fill in you email address and be the first to know about it. 

Subscribe to Email Updates

SSH.COM is one of the most trusted brands in cyber security.

We help major enterprises solve the security challenges of digital transformation. We design best-of-breed commercial solutions for secure access that help our customers win in the global data economy.

Read more about our SSH.COM

Latest posts from the SSH.COM blog