It seems to be a mutual understanding that a company should


I have to reply to this article. Nowadays almost all corporate assets are maintained on an electronic platform, which makes them open and vulnerable to cyber-attacks. If an attack succeeds and sensitive information is exposed, the customer or the victim will look for someone to blame. "While it is not easy to prove breach of the legal duties to protect electronically stored information, some claims are starting to succeed. And aside from any litigation topics, even a court victory will not remedy reputation, operational or enterprise damage" (Buckley, 2014).

"In the aftermath of the financial collapse of Lehman Brothers in 2008 it is no longer acceptable for senior management to deny knowledge or responsibility for corporate governance and that includes responsibility for the safety of data" (Goucher, 2016).

The International Organization for Standardization (ISO), in the ISO 27001:2013 standards regarding audit and risk, pushes for engagement from not only IT and HR but also middle-level managers who are not much involved in security issues.

That implies that those who worked on this standard were looking to use it as a tool for promoting a culture of security throughout organizations. Harkins (2016) stated that information security and privacy are issues of corporate social responsibility (CSR). Corporate social responsibility means that companies look beyond their profits and legal obligations to their broader role in society.

Although not many companies consider security and privacy risks to be CSR issues, the tendency may change over time, as public and corporate awareness of the risks continues to expand. For example, consumer data protection is one area of information risk that is already widely treated as a CSR issue; it is even included in the International Standards Organization corporate social responsibility standard (ISO 26000).

It seems to be a mutual understanding that a company should be responsible for data protection and take all necessary measures to find and fix security vulnerabilities. However, security and protection of any organization are most effective when they include all aspects of a company's operation, i.e. not only technical controls but also the way staff do their work.

A company must implement security practices that are user-friendly enough that users see the point of making the effort to use them.

References

Goucher, W. (2016). Information Security Auditor - Careers in information security. BCS Learning & Development Limited. Print ISBN-13: 978-1-78017-216-3. Web ISBN-13:

Harkins, W. M. (2016). Managing Risk and Information Security: Protect to Enable, Second Edition. Apress. Print ISBN-13: 978-1-4842-1456-5

Buckley, M. B. (2014). Corporate Responsibility of Data Privacy, Protection. Properties Magazine. Retrieved from https://www.buckleyking.com/news-details/2014-11-corporate-responsibility-data-privacy-and-protections
