Data breaches are bad, right? Like really bad. But are they worse than a root canal?
A Lastline survey taken at our recent conference, Infosecurity Europe 2017, said that for many, it is. We covered the full survey results here, but the top-line finding is that 44% of security professionals would rather have root-canal surgery than make the dreaded walk of shame to the boardroom to explain that the company has suffered a data breach on their watch.
Now, I’ve never had a root canal, but I know people who have, and it doesn’t seem pleasant. Far from it: “Most painful thing I’ve ever done” seems to be the general assessment. But in the hypothetical, perhaps this “data breaches are worse” statement makes sense—after all, the possibility of needing a root canal probably seems remote, especially to all those bright young Millennials who are flooding into IT groups these days. They of the shiny teeth and the gluten-free diets are likely to see root canals as very much in the abstract.
It’s sort of like saying that you’re dreading a data breach more than, say, the Comfy Chair from Monty Python’s Spanish Inquisition skits (“no one ever expects the Spanish Inquisition”—though they should certainly expect a data breach).
So to be more apples-to-apples about it, how about asking if it’s worse than other office nightmares, like inadvertently sending your boss an email complaining about said boss. Or being hauled in for a dressing down over missing deadlines or filing a wrong report. Is it worse than the ramifications of a drunken conversation at the office happy hour where you promised—absolutely promised!—to get up at 5:30 am for a refreshing crack-of-hungover-dawn hike with your supervisor (yes, that’s happened to this slogger. What was I thinking?).
Obviously, the fallout from a data breach is more than personal, and on that level it’s worse, so much worse, than any individual office-related pain. A breach can cause downtime and lost revenue, and it can cost a company its brand reputation and even its viability, if you’re working for an SMB.
But the key here is level-setting. Telling the board that a breach has happened needn’t be the steel-your-courage event that going under the drill might be (or owning very real and avoidable mistakes at work). Basically, the expectation that a breach will happen should be set high. Hackers gonna hack, as the saying goes, and defenses gonna fail. It’s inevitable, and instead of selling the board a bill of goods about perimeter defenses and how awesome you are at being a shining knight at the gate, it’s important to give them the truth and instead focus on remediation.
Along with taking the attitude that a breach is almost a certainty, the focus should be on gaining support for better data sequestration, backup strategies, rational privilege policies and the like. Minimizing the damage will make you look like a hero.
If you make this the strategy, there’s no need to take the stressful, anxious, on-edge and frankly embarrassing stance that you’d welcome a root canal over having to talk to the board about something that’s arguably just part of doing business in today’s modern world.
But hey, don’t take my word for it. Here’s what ISF’s Steve Durbin told Infosecurity earlier: “Nobody likes to deliver bad news to the board, and let's face it, boards are not eager to hear such news, but a closer relationship based on regular updates and sharing of steps being taken to align security with strategic business direction will at least ensure a higher degree of understanding in the boardroom that whilst a breach of some nature may be inevitable.”