The aftermath of the Ashley Madison hack that aired the details of its 37 million users has been anything but pretty. News of divorces, lawsuits, and even suicide relating to the hack are being reported on a daily basis, and in a completely understandable move, Ashley Madison’s parent company CEO no longer holds his title.
Noel Biderman, the Founder of Ashley Madison, stepped down on August 28. Although the press release states that he left the company in a ‘mutual agreement’, it’s a statement that really leaves you wondering if that’s how it really went down.
One thing’s for certain: if not for the hack, Noel would still be running the company he founded, which reported a $115 million profit last year.
Regardless of what kind of business Ashley Madison is, Biderman clearly put a great deal of effort into making the company what it is today. For more than 14 years, it has been a company that he literally created from the ground up. And then, he witnessed how quickly hard work can come crashing down based on over less than 30 gigabytes of information leaked.
And he’s far from being the only one.
As many have seen or heard many times over, Target’s ex-CEO, Gregg Steinhafel, resigned shortly after the notorious Target data breach that has cost the company $148 million, and counting.
Ten years ago, such a thing would have been unheard of. Punishment for a breach would go right over the heads of the executive management, and strike at the hearts of their IT security teams.
Today, whilst IT security team members still get the axe when things turn to custard, the ultimate sacrifice must be made by the people where the buck stops — the CEO and the executive team.
The lesson for all CEOs and founders: Allowing a huge data breach happen is now a big enough of a mistake to cost you your job, even if you’re the one who started the company to begin with.
The general public will light their torches and brandish their pitchforks at your castle gates. Your supporters will dwindle in number, and soon you will be forced to make a decision — leave the company with some of your dignity intact, or wait for your board members to hit the eject button.
So why have data breaches become a blunder worth punishing the head of a company for? The biggest reason is the scale of breaches have grown exponentially- losing millions of records has become commonplace, and if a million people lose their personal information thanks to a mistake made by your company, that’s a million of your customers you just aggravated.
Another reason is the amount of attention hacking receives from the media. For weeks prior, the Ashley Madison story was making headlines all around the world, and once the leak went public it was covered endlessly by every news source. Its not as easy to brush the issue under the carpet like it was many years ago.
How to Avoid Being Next
The obvious solution is to simply avoid losing data. However, it’s really not as easy as it sounds. Many companies see thousands of inbound attacks daily- you can defend as much as you want, but the sad truth that it only takes one attacker to break in to bring your entire fortress crashing down.
The less obvious but much more critical solution is to avoid, as far as possible, storing any information worth stealing. In Ashley Madison’s case, accounts that should have been deleted, as well as email logs from years prior had no place on their systems. The more sensitive data you hold on to, the more you stand to lose in a data breach.
Today’s Security professionals are promoting a new strategy: If you don’t need it, don’t store it. Because if an outsider does find a way into your IT network (and statistically speaking, they will find a way), then your valuable data assets in storage will be reduced to a bare minimum. Furthermore, if your security team have taken the right steps and focussed on protecting what remaining information you do need to store with Encryption, or other obfuscation technologies, there’s hopefully little to zero data left that’s easy to steal.
So our message to all you CEO’s out there — listen to your security guys. They too have a vested interest in your longevity.
But if you don’t and the worst case happens, they can always leave and get another job. You on the other hand won’t be able to escape being seen as ultimately responsible for a very public data breach, regardless of who internally was at fault.