C-Suite Liability in Data Protection
The ROI of Doing Nothing
Data breaches can cost companies millions of dollars. But the impact it can have on senior management is often an afterthought, leaving both businesses and business owners at risk. As shown in recent cases, such as a Finnish CEO receiving a suspended prison sentence following a data theft incident, highlighting the personal liability of C-Suite executives in data protection.
Below, we delve into the return on investment of doing nothing when a data breach occurs, what the impact is on both the business and the C-Suite and the serious consequences of weak security measures within an organisation.
Who holds the responsibility of Data Protection
Every company, regardless of size or industry, handles personally identifiable information (PII) in some form. This information includes employee records, customer data, and sensitive corporate information. Today, data now flows across a complex network of cloud servers, emails, laptops, and supplier systems, making it more susceptible to theft. And many companies often prioritise infrastructure protection over safeguarding the actual data, leaving themselves and their organisation open to significant risks.
The average data breach is estimated to cost $10 million, but the personal cost to senior management can last a lifetime.
One critical point that C-Suite executives need to recognise is their personal accountability in data protection. Regulatory bodies worldwide are increasingly serious about enforcing this liability. For instance, in Finland, a CEO faced both a suspended sentence and the loss of his job due to a highly sensitive customer data breach. The business ultimately filed for bankruptcy in the wake of the breach.
Asking the right questions
Relying solely on network security teams to safeguard data is negligent. Network security teams are primarily responsible for protecting the infrastructure, not necessarily understanding the value of the data that passes through it. This approach leaves businesses exposed and the C-Suite personally liable. Instead of asking network security officers if data is secure, the crucial question is, “When (not if) our systems are breached, can the data be read and/or used?”
To address the issue effectively, organisations need a data-centric approach to security. This involves protecting the data itself through measures like encryption and limiting access to authorised individuals.
Even in the event of a breach, if the data remains unusable to bad actors, it reduces liability, regulatory fines, reputational damage, and the compromise of personal liberty for C-Suite executives.
Responsibility lies with the C-Suite
According to Auxilion, over a third of C-Suite executives (39%) feel their organisation isn’t suitably primed to respond to a cyber breach.
Ultimately, it falls upon senior management to ensure the right security frameworks are in place. Despite the increased media attention and widespread news around cyber attacks, buy-in on data protection processes is still inadequate.
Data protection is a serious business problem, and the responsibility for mitigating this ever-escalating corporate risk lies directly with the C-Suite. The cost of failing to secure data and the associated personal liability make it imperative for C-Suite executives to take action. Safeguarding data is not just a technology issue; it’s a fundamental responsibility for organisational leadership.
For more information on this, why not download our latest whitepaper from Certes CTO Simon Pamplin.