How to Get C-suite Support for Insider Threat Prevention
Blog Article Published: 04/06/2016
By Susan Richardson, Manager/Content Strategy, Code42

If you’re not getting support and adequate funding from the C-suite to address insider threats, a recent report highlights a powerful persuasive tool you may have overlooked: money—as in fines (cha-ching), lawsuits (cha-ching) and credit monitoring services (cha-ching) you’ll have to pay as the result of a data breach. The IDC report, “Endpoint Data Protection for Extensible DLP Strategies,” cites two health-care groups that paid six figures each in fines for data breaches that resulted from improper employee behavior. Here are even more powerful examples of the price your organization could pay for not addressing insider data security threats:

Target insider breach costs could reach $1 billion

Target may have skirted an SEC fine, but the retailer is still paying a hefty price because cyber thieves were able to access customer credit card data via a subcontractor’s systems. Breach costs included $10 million to settle a class action lawsuit, $39 million to financial institutions that had to reimburse customers who lost money, and $67 million to Visa for charges it incurred reissuing compromised cards. For 2014, Target had $191 million in breach costs on its books; estimated totals could reach $1 billion after everything shakes out.

AT&T fined $25 million for employee breach

In 2015, AT&T paid a $25 million fine to the Federal Communications Commission after three call center employees sold information about 68,000 customers to a third party. The cyber thieves used the information to unlock customers’ AT&T phones. On top of the fine, AT&T was required to do things it should have done in the first place:
- Appoint a senior compliance manager who is a certified privacy professional.
- Conduct a privacy risk assessment.
- Implement an information security program.
- Create a compliance manual and regularly train employees.
- File regular compliance reports with the FCC.
- Provide mandatory security awareness and training programs for all company employees.
- Provide mandatory training on appropriate laptop use and security.
- Upgrade all company laptops with additional security mechanisms, including GPS tracking technology.
- Add new password protocols and full-disk encryption technology on all company desktops and laptops so that electronic data stored on the devices would be encrypted at rest.
- Upgrade physical security to further safeguard workstations from theft.
- Review and revise written policies and procedures to enhance information security.