Ostendio Blog

Who's to blame? Understanding cybersecurity responsibilities

Written by Ostendio | Nov 15, 2022 3:23:13 PM


There are many legal and ethical responsibilities held by CISOs and executive teams, but recently the data security responsibilities of individuals have been brought into the spotlight. Drizly, an online ordering and delivery platform for alcoholic drinks, settled a complaint with the FTC alleging that it ignored known security problems, resulting in a 2020 breach of 2.5 million consumers’ personal data. This settlement stood out because the complaint singled out the Drizly CEO, stating that he failed to delegate information security issues.


The settlement with the FTC requires Drizly and its CEO to implement an information security program that includes Multi-Factor Authentication (MFA). These simple steps could have saved Drizly and its customer base a significant amount of time, inconvenience, and money. By naming the CEO in the complaint, the FTC has raised the bar for individuals within the corporate hierarchy and for their related liability in such a situation. The article continues, “The [FTC] statement is a signal that personal liability for executives could become a more frequent enforcement tool in data and security cases,” says privacy lawyer Whitney Merrill.

What lessons can we learn from the Drizly case?

The FTC blog suggests that there are 5 main lessons to learn from this case:

  • Individual corporate officers may be liable in their individual capacities.

It’s a fact-based analysis, but in appropriate instances, the FTC may sue the corporation and corporate officers. And if the person under order has certain high-level responsibilities, compliance obligations may follow regardless of where he or she works in the future.

  • When you no longer have a business need to maintain consumer information, dispose of it securely.

Collect only what you need, keep it safe while it’s in your possession, and dispose of it securely when that business justification has passed. 

  • Learn the lessons of earlier security breaches. 

If your business experiences an incident – or when you hear about an incident at another company – convene a meeting of your Security “A Team” to consider changes your company should make.

  • Have a security team in place.

A key component of any corporate data security program is a qualified top-level person at the helm.

  • Train your staff about the dangers of reusing passwords.

The most effective training isn’t just a series of “don’ts.” Giving a to-the-point explanation of why practices like password reuse are harmful may encourage more care in your workforce.

With so much at stake, busy CISOs must work with their executive teams to operationalize security protocols across departments to better manage their cybersecurity strategies. Serious security professionals are moving away from old-fashioned methods of managing their data security programs. Spreadsheets and drop-boxes are complicated and unmanageable, often leading to errors or omissions. Traditional GRC tools often lack the breadth of features and don’t offer access to real-time data. Integrated Risk Management platforms, like Ostendio, provide the answer by extending an organization’s security across its supply chain to include partners, vendors, and auditors.


Operationalizing security across the enterprise reduces the likelihood of a breach

John Kadechka, Practice Director at Ostendio partner 360 Advanced, recently wrote about Cybersecurity Awareness and how, for most companies, breaches are likely to happen. He adds that the key to limiting damage is responding quickly to breaches when they do occur. He also suggests organizations consider the cost of not having a robust data security program in place. “Quantify the impacts of losing trust. Then relook at your business priorities. Ensure that adopting appropriate cybersecurity measures is at the top of that list.”

And the data shows that breaches are becoming more likely to happen. A recent cybersecurity report showed that ransomware attacks alone increased by 13% from 2021 to 2022. Data breaches are not limited to one particular industry. Statista states that “in 2021, the three industry sectors where most data breaches were recorded were healthcare, financial services, and manufacturing. In the United States, the number of healthcare data breaches has increased gradually within the past few years. In the financial sector, the number of data compromises has increased almost twice between 2020 and 2021, while manufacturing saw data compromises triple.”

How to build a cybersecurity strategy

Ostendio partner BlueSteel Cyber recently reviewed how to get started with a cybersecurity strategy. In the article, BlueSteel Cyber suggests that clients determine their threat landscape and understand the types of threats facing their company and industry. Once the specific risks and potential threat levels have been analyzed, the organization must create a strategy to prevent future incidents. BlueSteel Cyber suggests following these steps to get started:

  1. Understand your threat landscape.
  2. Gauge your current cybersecurity strength.
  3. Determine how to improve your cybersecurity.
  4. Document your cybersecurity strategy.

As Drizly discovered, ignoring security issues is not a strategy. Companies of all sizes and in all industries need to assess their risk and build an appropriate cybersecurity strategy. With the average global cost of a data breach reaching $4.5 million, CISOs and boards of directors need to sit up and take note of their responsibilities.

Ostendio experts are ready to speak to you about your cybersecurity needs. Learn how the Ostendio platform can fit your business needs in a demo that is tailored specifically to your company. Schedule a time today to speak to an Ostendio expert.