Human Error: Harsher Penalties Affecting Cybersecurity ROI
Corporations failing to exercise due diligence and protect sensitive data are now seeing harsher penalties from government bodies and oversight committees. From the SEC to the FTC, government agencies are issuing stricter penalties to organizations that fail to secure critical information, intellectual property and customer data via established processes, cybersecurity technology and trained employees.
Security is a ‘people problem’
The majority of data breaches are caused by humans — either from indifference, malicious behavior, deceit or lack of understanding. It’s an understood reality. From insider threats and poor corporate policies to careless employees and substandard accountability, each is a real-world factor that goes far beyond security infrastructure and technology.
Organizations that understand the balance between people, processes and technology will achieve the best return on investment (ROI), making it possible to allocate the necessary budgets, resources and commitments to implement sound cybersecurity controls and avoid strict government and industry penalties.
True cybersecurity is realized by achieving a harmonious strategy between people, process and technology. This is a challenge for even the most well-intentioned global organizations, signifying that most security teams and systems — and the leadership that oversees them — remain stymied in legacy processes and attitudes.
By building a strong cybersecurity culture — through training, policy and repetition — organizations can absolutely evolve to new security standards. Do that well and the security technologies and services they procure and implement work better. Take the human element out of the equation? The best products you can buy won’t help.
The tipping point
While recent settlements act as financial punishments, the government’s actions serve as a warning to other large organizations and enterprises, which absolutely need to be more proactive and committed to protecting customer data. Coupled with brand damage, sales impact and loss of trust, the cost of not doing anything and “just paying the fine” is reaching the tipping point. Eventually, penalties and brand damage will be so severe that organizations will be forced to evolve.
For example, the FTC’s recent case against Wyndham Hotels is particularly interesting. The hotel giant was slapped with a 20-year penalty that outlined a number of requirements, including the establishment of an advanced cybersecurity program, annual security audits and a 10-day requirement to notify the FTC of breaches that affect more than 10,000 payment card accounts.
Notable Government Cybersecurity Penalties
- December 2015: Wyndham Hotels and Resorts Agreed to Settle FTC Charges
- September 2015: R.T. Jones Capital Equities Management Fined by SEC
- July 2015: Citigroup Business Unit LavaFlow Pays SEC $5 Million Penalty
This is noteworthy not because of the penalty, but because the consequences were in addition to any ramifications the Payment Card Industry (PCI) Security Standards Council issued. The FTC believes there are a number of concerns with the PCI process, notably inconsistencies in audit practices, different interpretations of rules, conflicts of interest, payment card brand influence, etc. And PCI is widely regarded as the most complete framework available.
The FTC case study is further evidence of organizations not properly allocating cybersecurity spend and complementing those commitments with proven policy, stronger culture and committed leadership.
Recent six-figure penalties were the result of malicious insider threats and improper handling of sensitive data by a handful of employees. What will be the ramifications for large-scale data breaches in the future?
That’s the message the oversight agencies hope to deliver. They’re banking on it moving most organizations past that tipping point toward a more dedicated commitment to sound cybersecurity — one that properly aligns people, process and technology.