Your firm will survive but you may lose your job, warns Mikko Hypponen

Techies should worry about keeping their job in the event of a serious security breach, even though few such incidents have had a long-term impact on a victim’s business performance.

Much is said about cybersecurity becoming a board-level issue, but this is only the case in more progressive organizations.

Widespread cybersecurity awareness in the corporate world may have to wait until a new generation of business leaders that have grown up with technology take over the reins, infosec guru Mikko Hypponen told The Daily Swig.

“Especially for boards in large companies, it’s perfectly understandable why they keep ignoring security and why computer security still isn’t a board-level topic at every company,” Hypponen, chief research officer at F-Secure, explained.

“The explanation is that board members in large companies are 60-year-old males who don’t understand technology and aren’t comfortable around technology. If they can avoid this topic they will [do] so; they only bring it up when something like WannaCry happens.

“That’s not good enough [because] every company is a software company.”

The Daily Swig spoke to Hypponen on the fringes of the Black Hat Europe conference in London this week.

Business leaders should realise their responsibility, he claimed, while adding that – according to research by Hypponen himself – very few companies have failed or gone bust as the result of a breach.

Dutch security firm DigiNotar went out of business after such an incident, but they are the exception that proves the rule.

“Even in the worst cases like Sony Pictures or Maersk or Marriott, companies survive. Even the stock value comes back up but what does happen is that people get fired,” said Hypponen.

Hypponen’s message to technology managers and CISOs is stark: your company will survive in the event of a breach, but you will get fired and that’s why cybersecurity should be important to decision makers.

Incident response

The recently exposed Marriott hack went undetected for four years. This points towards a lack of security monitoring that left the hotel chain blindsided by the long-running breach.

A growing number of companies have been hit by these types of problems. F-Secure is one of a range of firms offering incident response services.

Long detection and response times to breaches are the norm, in F-Secure’s experience, and attributable to a lack of maturity in the detection strategy.

Firms need to understand the baseline of activity on their networks so that they can understand when something is wrong, Hypponen said.

“Companies don’t realise that they’ve been hacked because they’re not looking,” he explained. “If firms understand normal then they can look for abnormal… using machine learning technologies and sensors on endpoints across a network.”

This approach is best practice, but would fail in cases where firms only begin monitoring after they’ve already been breached, he added.
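The "understand normal, look for abnormal" approach and the caveat about starting monitoring too late can both be shown with a small baseline detector. The code below is an added illustration, not F-Secure's or the article's own tooling; the daily counts are constructed, and the three-sigma threshold and the per-host "new external destinations" metric are assumptions chosen for the example.

```python
# Added example: baseline-then-anomaly detection over constructed per-host
# daily counts. Illustrates why a baseline built before a breach flags the
# intrusion, while one learned after the breach treats it as normal.
from statistics import mean, pstdev

# Constructed daily counts of outbound connections from one host to external
# destinations it has not contacted before. Days 0-13 are ordinary; from
# day 14 an assumed intrusion starts beaconing, roughly quintupling the count.
DAILY_NEW_DESTINATIONS = [
    12, 15, 11, 14, 13, 16, 12, 14, 15, 13, 12, 14, 16, 13,   # days 0-13: normal
    71, 68, 74, 69, 73, 70, 72,                               # days 14-20: beaconing
]


def build_baseline(values):
    """Summarise 'normal' as mean and population std-dev of a baseline window."""
    mu = mean(values)
    sigma = pstdev(values) or 1.0   # avoid a zero-width threshold on a flat series
    return mu, sigma


def is_abnormal(value, baseline, k=3.0):
    """Flag a value more than k standard deviations above the baseline mean."""
    mu, sigma = baseline
    return value > mu + k * sigma


def detect(series, baseline_start, baseline_end, k=3.0):
    """Return indices of days flagged as abnormal.

    The baseline is learned from series[baseline_start:baseline_end]; every
    day is then scored against it, so a window that overlaps the intrusion
    absorbs the attacker's activity into 'normal'.
    """
    baseline = build_baseline(series[baseline_start:baseline_end])
    return [i for i, v in enumerate(series) if is_abnormal(v, baseline, k)]


if __name__ == "__main__":
    # Monitoring in place before the intrusion: clean baseline, beaconing stands out.
    print("baseline from days 0-13:", detect(DAILY_NEW_DESTINATIONS, 0, 14))
    # Monitoring started late: the baseline window (days 7-20) already contains
    # the beaconing, the threshold balloons, and nothing is flagged.
    print("baseline from days 7-20:", detect(DAILY_NEW_DESTINATIONS, 7, 21))
```

Real deployments baseline many features per host and user rather than one counter, but the failure mode is the same: whatever is in the learning window becomes the definition of normal.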