The roster of major companies that have been hacked and had millions of dollars' worth of valuable data stolen has grown extensive enough that it no longer makes the news when another routine attack happens. It takes an extraordinary breach, of the sort that occurred at Equifax, a national credit reporting bureau, in 2017, exposing the valuable financial records of more than 143 million American citizens, to get the media off the couch today.

The situation becomes even more dire when you realize that many corporations do not disclose hacking incidents, and thousands of breaches occur that are never publicly revealed. Only those that lose customer or consumer records, like Equifax, have an obligation to reveal the incidents.

The situation has all the hallmarks of an epidemic of failed cybersecurity efforts. Worse, the failures are often in the most basic of security measures. In the Equifax case, a web server at the company had not been patched for a known vulnerability, even though the fix had been available for two months. Elementary steps to protect and preserve corporate data are routinely ignored at many major corporations and even within the American government. The September 2016 hack of the Securities and Exchange Commission that allowed hackers to use proprietary information to make illicit stock market trades is only the latest in a long list of damaging breaches.

The relative ease with which these attacks could be prevented, and the failure to do so, has left a lot of cybersecurity professionals scratching their heads. The knowledge is available, and the expertise is on tap to fix the problem. Why do the attacks continue to be so successful?

Much of the responsibility belongs at the top of the hierarchy of each of these organizations. In the Equifax case, the CIO (chief information officer) and CSO (chief security officer) each lost their jobs in the wake of the hacking revelation. However, it’s notable that it was the public disclosure of the incident that triggered the firings, not the breach itself, which occurred five months earlier. The firings were more of a public relations effort than a concerted attempt at holding anyone responsible for the failures.

CEO (chief executive officer) Rick Smith stepped down on September 26. Like the other executives, he did so while fully vesting his outstanding stock options to the tune of more than $90 million. It’s not hard to see why executives don’t take security seriously if a golden parachute is the worst possible outcome.

It can be argued, of course, that such lofty executive roles have little direct responsibility for the day-to-day execution of cybersecurity functions. No corporation expects the CSO to be out applying security patches personally to vulnerable servers.


But any grunt system administrator or security analyst knows that it’s impossible to execute good security strategy without strong support from the upper echelons of corporate management. There are myriad decisions made at the executive level that affect the ability of security operatives to secure internal systems properly. These range from placing priorities appropriately in the inevitable points of friction between security and functionality, to driving accountability at the middle management level, to properly funding security initiatives.

These are difficult decisions, and balance is necessary for any organization without access to unlimited funding. There will be times when, in retrospect, the chosen balance is inappropriate or ineffective.

But it’s hard to imagine a scenario in which applying vital security patches on time is a necessary sacrifice. Instead, it simply appears to be a (potentially criminal) level of neglect of the most basic fiduciary responsibility.

Hiring more cybersecurity professionals will not correct this state of affairs. No resource is useful if it remains unused, and as long as business and government executives fail to consult or take the advice of their cybersecurity teams, massive breaches will continue to feature regularly on the evening news.

More About CP Cyber

CP Cyber is a full-service cyber security consulting firm helping our clients uncover risks and build top-of-the-line defenses to prevent cyber crimes. To find out more about us, visit our homepage here: https://cpcyber.com/ or follow our Colorado Cyber Security Google Page.