Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecurityManagementSecurity Enterprise ServicesSecurity Leadership and ManagementLogical SecuritySecurity & Business ResilienceSecurity Education & TrainingCybersecurity News

Cybercrime Breaches Cost Corporate Boards Big Time: Have You Done Your Due Diligence?

By John Sileo
SEC1119-awareness-Feat-slide1_900px
February 6, 2020

Back away from the snooze button. This is a $29 million wake-up call you can’t afford to miss.

In January 2019, Yahoo’s board agreed to pay the enormous $29 million settlement to its shareholders as the result of cyberattacks that compromised three billion Yahoo user accounts. It was the first time shareholders had successfully held a company responsible for data breaches. And it is a loud warning to corporate boards that they must start paying attention to cyber risks.  

But are they? Considering that over 7.9 billion records were exposed as of September 2019 — up 112 percent from 2018 — it looks like they may have their fingers in their ears. 

Not only is cybercrime on the rise but cyberattacks are expected to cost the world $6 trillion annually by 2021 — and as the Yahoo case demonstrates, corporate boards are increasingly being held responsible by shareholders. It’s time for directors to get front and center in the fight against cybercrime. Taking a proactive approach and ramping up the company’s cybersecurity IQ will not only decrease a company’s risk, but can give it a competitive advantage.

If that grabs your attention, here’s what else you need to hear. 

 

The Call Is Coming From Inside the House 

Remember those slasher movies from the ‘80s when the creepy call was coming from inside the house? This is a little like that. Your greatest threat is coming from inside your organization. According to the 2019 Insider Threat Intelligence Report, insider threats are on the rise and cost companies an average of $8 million per incident. That doesn’t mean your company is crawling with spies, however. 

The vast majority of insider threats (64 percent) are the result of negligence and lax employee behavior, while 13 percent come from user credentials being compromised. These numbers are a red flag, pinpointing a need for greater employee security reflex training. Many organizations are overly focused on technological fixes and blind to the human elements of data protection. 

 

Get Personal

If security training isn’t personal, it won’t work. Want your fellow board members, management teams and employees to care about data breach? Start by teaching them how to protect their daughter’s digital wedding photos or how to keep criminals from hacking their smart homes. Once you create a culture where security is personal, negligent insider threats will decrease. This is specifically a board issue because effective training requires ample budgeting, and many boards are currently throwing vast amounts of cash at ineffective, non-personalized training. Build a program that engenders data ownership and buy-in at a personal level, and then expand it into the professional realm. 

 

Security Isn’t the IT Department’s Job — It’s Everyone’s Job

If security falls entirely on the CISO or the IT team, it’s doomed. It would be like expecting an organization to become more inclusive when the only employee paying attention to pronouns is the inclusivity officer. A culture of ownership is vital. Boards need a representative of information offense (the CIO) and data defense (the CISO) — and the latter shouldn’t report directly to the former but to an impartial, non-technical executive, preferably the CEO. 

Moreover, boards should assess new executive talent for their cybersecurity IQ (and quiz them on it). Cybersecurity IQ is a competitive advantage and companies get that advantage by having people who understand, believe, practice and share cybersecurity best practices. In addition, the IT Department is only one portion of the greater solution. For truly effective cybersecurity, your strategy should be based around the critical business activities that are at stake, not just the technology that supports it. That means that operational heads, the risk and compliance team and relevant specialists inside and outside of the organization should be included in the conversation. 

 

Innovation Introduces Risk

Companies thrive on innovation, but the downside is that innovation and/or disruption are massive risks to security. For example, smart electricity meters on homes are a boon to electric companies, but because they’re online and connected to the grid, they can be hacked and used to access all areas of the network. Innovation is always looked at from an offensive perspective — how it can benefit an organization. Smart cybersecurity means that innovation needs to be looked at defensively, too. Budget security directly into your innovative initiatives so that you don’t pay multiples down the road when that innovation becomes a back door into your bottom line. 

 

Hire an Outside Firm to Conduct a Penetration Test 

With massive amounts of respect to internal security teams, there is no great incentive for these teams to identify, rank and report every flaw within the system. It doesn’t just make the IT department look bad, they are also generally working with a shortage of resources, which doesn’t allow them to do a complete job. Consequently, one of the best moves a board can make is to hire an external firm to perform a systems penetration test and attack simulation. 

A penetration test can uncover holes in company systems and an attack simulation will expose poorly prepared human elements that lead to unintentional disclosures, user error and a lack of robust policies and procedures. The results should be presented as a prioritized heat map that ranks remediation steps from most to least important. Again, these should be organized not around the technology, but around the critical business activities that the organization provides. 

We are quickly approaching a turning point: organizations are realizing that security is everyone’s business, not just the IT department’s. There is no place that recognition is more important than on the board, where directors are driving budgets, initiatives and ultimately, security culture. And everyone knows you shouldn’t sleep at the wheel.

 

This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine. Subscribe here.

KEYWORDS: CISO cyber security cybersecurity data breaches IT departments and security

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

John sileo
John Sileo is the founder and CEO of The Sileo Group, a cybersecurity think tank, in Lakewood, Colorado, and an award-winning author and Hall of Fame Speaker who specializes in providing security-awareness training. He has shared his experiences on “60 Minutes,” “Anderson Cooper” — and even while cooking meatballs with Rachael Ray. John earned a BS with honors in political science from Harvard University.

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Cybersecurity
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Columns
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    New Security Technology
    By: Charles Denyer
Manage My Account
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Sureview screen
    Sponsored bySureView Systems

    The Evolution of Automation in the Command Center

  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

Popular Stories

Rendered computer with keyboard

16B Login Credentials Exposed in World’s Largest Data Breach

Verizon on phone screen

61M Records Listed for Sale Online, Allegedly Belong to Verizon

Security camera

40,000 IoT Security Cameras Are Exposed Online

Security’s 2025 Women in Security

Security’s 2025 Women in Security

Red spiderweb

From Retail to Insurance, Scattered Spider Changes Targets

2025 Security Benchmark banner

Events

July 17, 2025

Tech in the Jungle: Leveraging Surveillance, Access Control, and Technology in Unique Environments

What do zebras, school groups and high-tech surveillance have in common? They're all part of a day’s work for the security team at the Toledo Zoo.

August 7, 2025

Threats to the Energy Sector: Implications for Corporate and National Security

The energy sector has found itself in the crosshairs of virtually every bad actor on the global stage.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • cyber network

    How to Achieve Cybersecurity with Patience, Love and Bribery

    See More
  • Hiring practices must perform due diligency

    Court rules truck companies have duty to perform due diligence when hiring

    See More
  • “Garbage In” Can Cost You Your Job

    See More

Related Products

See More Products
  • CPTED.jpg

    CPTED and Traditional Security Countermeasures: 150 Things You Should Know

  • 150 things.jpg

    Physical Security: 150 Things You Should Know 2nd Edition

  • 1119490936.jpg

    Solving Cyber Risk: Protecting Your Company and Society

See More Products
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing