Management group warns CEOs of data-breach risks

The British-North American Committee and the chief executive of ICANN claim business leaders are not taking data breaches seriously enough
Written by Tom Espiner, Contributor

Top-level managers and chief executives often do not realise the impact that IT-security incidents can have on their organisations, according to influential group the British-North American Committee.

In a report entitled Cyber Attack: A Risk Management Primer for CEOs and Directors, launched on Wednesday, the British-North American Committee (BNAC) said that chief executives underestimate the scale of data-security problems and fail to recognise the consequences of data breaches for business. BNAC is a group of business leaders and academics from the UK, US and Canada aimed at lobbying the governments of all three countries about management and business-related issues.

Paul Twomey, president and chief executive officer of the Internet Corporation for Assigned Names and Numbers (ICANN) and one of the authors of the report, said that the majority of chief executives do not recognise the risks posed by cyber-espionage to business. ICANN is the organisation tasked with managing the assignment of domain names and IP addresses on behalf of the US government.

"There are reports of cyber-espionage against the US defence industry and the UK by China," Twomey told ZDNet.co.uk on Wednesday. "Intellectual-property theft is an issue that's understated and under-realised. In my personal experience in both large and small companies in several countries, issues of intellectual-property theft have been significant. The internet is a facilitator for business but it does allow security problems."

Distributed denial-of-service attacks need to be taken into account, as do unforeseen supply-chain risks, said Twomey. "Corporations don't understand the supply-chain risks they operate under in the real world," said Twomey. "They're not conscious of lack of resilience in ISP support and their vulnerability when an ISP is taken out. Even with major ISPs, it takes a bit to understand the nature of the business relationships they have. It's also possible to launch [denial-of-service] attacks where ISPs start taking each other out, as they begin to turn off against internal sources."

Mark S Bullock, legal attaché for the FBI at the American Embassy in London, said that most cybercrime incidents are caused by disgruntled employees, and chief executives must take the lead in companies to mitigate possible cybercrime damage.

"With cybercrime, most issues have been internal," said Bullock. "It's critical to be proactive, as, by the time law enforcement gets involved, the damage has been done. It's absolutely critical to be proactive."

Twomey added that failure to register domain names correctly has also not been taken into account by chief executives. "There was a company that failed to register with a professional registrar on a Friday, and on Monday morning found their domain pointing to a porn site," said Twomey. "That's not good for business."

Twomey said chief executives need to concentrate not just on network-defence issues but also on disaster-recovery planning. "You have to build resilience inside your company," said Twomey. "It's not about building the wall higher, but preparing resilience: what do you do when something goes wrong?"

Steps chief executives should take, according to Twomey, include: ensuring resources are allocated to security work; making sure user-security and patch-management policies are implemented; and ensuring that audits and risk assessments are performed regularly.
