A series of massive data breaches at major companies, including the recent theft of over 140 million Americans’ personal data from Equifax, has put questions of cybersecurity at the front of every CEO’s mind. At the Wall Street Journal last week, Vanessa Fuhrmans noted that the threat of losing their jobs or even seeing their business destroyed was pushing more chief executives to give cybersecurity their personal attention.
Their motivations are twofold: First, the frequency of data breaches is increasing at an alarming rate, and second, CEOs are increasingly getting blamed for them. After last month’s crisis, Equifax’s board moved quickly (though some argue not quickly enough) to remove Richard Smith from the CEO role he had held for 12 years. Likewise, Yahoo CEO Marissa Mayer had her bonus for 2016 rescinded as punishment for a 2014 security breach that compromised hundreds of millions of user accounts and to which an internal investigation found her management team had not responded properly.
The bottom line, Fuhrmans hears from various chief executives, is that they can no longer afford to pass the cybersecurity buck to the IT department and hope to escape unscathed if their company’s data is eventually compromised. That means developing good cybersecurity habits themselves (given how much information is publicly available about them, CEOs are attractive targets for phishing scams), learning more about how their organizations’ security systems work, and taking on a more direct oversight role.
Here’s an area where CEOs could be leveraging their relationship with the HR department to be more proactive about solving the problem. Rather than investing more in firewalls to prevent external breaches, many organizations should also be looking inward, as employee errors account for nearly 60 percent of privacy failures. There’s a big role for HR in helping employees avoid the errors and bad habits that make cyber attacks more likely to succeed.
The massive data breach at the credit reporting agency Equifax affected 2.5 million more Americans than previously thought, the agency revealed last week. The breach, first revealed last month, exposed the data of 145.5 million US consumers in total, plus some 400,000 in the UK and about 8,000 in Canada.
This event, which Equifax has blamed on employee error, has raised concerns over not only what hackers might do with the data that was compromised, but also what other data Equifax and other credit agencies have on hand that could be put at risk by similar oversights in data security. Equifax, for instance, owns a database of payroll information from 7,100 companies, which was not exposed in the recent breach, and major employers seem to have no intention to stop entrusting the firm with their data, Jennifer Surane reported for Bloomberg last week:
In the wake of the breach announced last month, Bloomberg News contacted the 40 largest U.S. employers — representing some 12.5 million workers — and asked if they would continue dealing with the service, which helps them with unemployment claims, employment eligibility and tax credits. None said they will sever existing ties.
Several — such as Wal-Mart Stores Inc., the nation’s largest private employer — confirmed they will keep sharing information with Equifax. Others declined to comment on their relationships or didn’t respond to messages. Only about a half-dozen said they didn’t provide that information prior to this year’s hack.
On September 7, the credit reporting agency Equifax revealed it had experienced a cybersecurity breach in late July that potentially exposed the sensitive personal data of 143 million Americans to unidentified hackers, and the agency said this week that it had suffered another breach in March.
The data exposed in the breach included millions of consumers’ names, birth dates, addresses, Social Security numbers, and in some cases driver’s license numbers. The hackers also obtained 209,000 credit card numbers and documents with personal information used in disputes for 182,000 people. “On a scale of 1 to 10 in terms of risk to consumers, this is a 10,” Avivah Litan, a fraud analyst at Gartner, told the New York Times when the July breach was disclosed earlier this month.
With so many people affected, most US organizations likely have victims of the breach among their employees, whose data could be used to steal their identities and commit fraud. Employers that offer 401(k) plans should contact their third-party administrators to ensure that employees are notified of any vulnerabilities in their accounts, Edward McAndrew, an attorney with Ballard Spahr in Philadelphia and former cybercrime prosecutor for the Department of Justice, tells Allen Smith at SHRM:
The TPAs should notify employees to monitor their account statements for fraudulent activity and start using multifactor authentication to access their accounts, McAndrew said. HR shouldn’t provide the notice itself or it will get inundated with questions from employees about Equifax’s breach, he said.