Chris Novak is Managing Director of Cyber Security Consulting at Verizon.
This year’s Verizon Data Breach Investigations Report (DBIR) indicates that employees are more likely to report security incidents like phishing than in previous years, which may indicate that business leaders are removing the fear of reporting human-caused breaches. But given that the human element has been a threat for years, it’s worth asking, why now?
Human behavior is hard to change. Consider passwords, a building block of cybersecurity. Users gravitate toward simpler passwords and tend to reuse them even though it puts their accounts at greater risk. Why? Because it’s easier. Every additional character, number and special symbol strengthens the password by an order of magnitude, but typically, users only add complexity to their passwords or change them when the system requires them to.
Multifactor authentication has become more prevalent over the last five years because many organizations have made it a requirement for their employees. Organizational changes of this kind are driven by leadership, so it stands to reason that the change in incident reporting is driven by business leaders as well. But if leaders are behind the change, the question from the first paragraph still stands: Why now? Because they’re under increasing pressure.
Data breaches cost organizations significantly both financially and reputationally. Last year, the median loss for breaches involving ransomware and other kinds of extortion was $46,000, but that can sometimes shoot up into the millions. We’ve also seen widespread breaches with national and international implications over the last 10 years, resulting in hundreds of millions of dollars lost and millions of customers’ information compromised. The reputational damage is equally debilitating. Increasingly, in some cases, blame has been laid at the feet of business leaders, who can face fines, criminal prosecution and even jail time. At least some of that pressure is exerted by governing bodies.
Last year, the U.S. Securities and Exchange Commission (SEC) finalized a new cybersecurity disclosure rule that requires public companies to disclose material cybersecurity incidents within four business days. This requirement is designed to create greater transparency and to provide investors with decision-useful information in a timely manner. Public companies that run afoul of the SEC’s new rule may face hefty fines, legal action and other potential penalties. The threat of such consequences—and having to explain the compliance failure to board members and shareholders—gives CISOs and other C-level executives a powerful incentive to get it right.
But it’s not just the SEC that’s seeking greater transparency in the area of cybersecurity. In March 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published its anticipated draft rules requiring notification of cyberattacks on U.S. critical infrastructure, including systems and assets held by private sector actors in the healthcare, energy, manufacturing and financial services sectors, among others. The proposed rules require critical infrastructure entities to report ransom payments within 24 hours and “substantial” cyberattacks—defined as attacks that cause downtime or other significant operational disruption—within 72 hours.
All of this is to say that all C-suite executives, not just CISOs, are under more pressure to take cybersecurity seriously, which, in turn, is compelling them to prioritize cybersecurity. That has a trickle-down effect that’s informing corporate culture, manifesting in updated procedures and raised awareness.
Accountable leadership and elevated cybersecurity awareness across an entire workforce make for a compelling countermeasure to breaches caused by the human element and lay a strong foundation for a more secure future. And it starts with the C-suite changing the company culture. This can include but isn’t limited to:
• Encouraging the reporting of phishing and deep fake attempts.
• Simplifying the reporting process.
• Leading or participating in cybersecurity training alongside other employees.
• Informing the team of new and upcoming tactics used by threat actors, including those enabled by AI.
Building a workforce culture that prioritizes good cyber hygiene takes time and resources. But ultimately, if small changes across an organization help prevent data breaches, these changes can and will pay dividends in the future.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.