Who should actually pay for a data breach?

Survey respondents also advocate arrest and jail sentences for the CEO or board members, besides punishments such as fines, mandatory disclosure, and compensation for affected consumers

Pratima Harigunani

READING, UK: Websense, Inc., a player in protecting organizations from the latest cyber-attacks and data theft, announced the results of an international survey of 102 security professionals conducted at this year’s e-Crime Congress. It shows that nearly all respondents (98 per cent) believe that the law should address serious data breaches that expose consumers to data loss through punishments such as fines (65 per cent), mandatory disclosure (68 per cent), and compensation for affected consumers (55 per cent). Sixteen per cent even advocate arrest and a jail sentence for the CEO or board members.


Respondents feel that companies that are not taking action against data loss and theft have it as an agenda item, but it’s not yet a high enough priority (45 per cent). Furthermore, 70 per cent say the CEO should hold ultimate responsibility should a breach arise. And the pressure is mounting, as 93 per cent of all respondents believe the advent of the Internet of Things will make companies even more vulnerable to data theft.

Over three quarters (77 per cent) of respondents say employees would connect to an unsecured WiFi network to respond to an urgent request by the CEO or a company executive, with just over 30 per cent of security professionals saying they would do so themselves.

As data theft disclosures hit the headlines, they appear to be inadvertently helping companies address the issues. Three quarters of security professionals feel the publicity has helped other companies create a case for budget, focus and resources. Only 15 per cent believe that the headlines have hindered this, as they make companies feel powerless to protect against these attacks.


Neil Thacker, Information Security & Strategy Officer at Websense, explains: “The more we talk about the issues and share the common techniques used to breach organizations and abuse, steal or damage data, the better. With the increasing data deluge that will only increase with the Internet of Things, and the dilemma of an increasing information security skills shortage, organizations have a tough challenge ahead. Implementing a data theft prevention control that provides a data-centric approach to security, alongside building a culture of security accountability across the business through collaboration, is essential to keep data protected.”

Among other findings, the survey points out that a third of respondents felt that companies believe their business would not be affected by data loss, and over a third (35 per cent) felt that companies believe they are protected, but the technology being used is not appropriate to combat data theft.

While 70 per cent believe the CEO is ultimately responsible should a data breach take place, 13 per cent also believe it should be the CSO, nine per cent feel it should be the rest of the board (outside of the CEO & CSO) and five per cent believe it is the IT department. Some four per cent say it is the employee responsible for the breach.

The sample size of this international survey was 102 respondents from 15 countries. These included security professionals from government and public and private sector organizations, as well as senior managers charged with responsibility for risk, audit and compliance.