In today’s digital landscape, organizations face a continuous onslaught of attacks, with adversaries infiltrating networks and pilfering data. The targets span a spectrum — from your employer to clients, social media platforms, and intermediaries tasked with safeguarding access or financial records. But amidst this turmoil, who truly bears the brunt?
The answer is straightforward: the organization. However, the ripples of repercussions often cascade to encompass users and customers. Yet, can the blame game be solely pinned on the attackers?
Motivations for attacks may range from financial gain and hacktivism to whistleblowing and leveraging power. Irrespective of intent, these actions are illegal and deserve prosecution if proven. However, organizations that are targeted and successfully breached should shoulder some of the responsibility for data loss. The question is: to what extent?
The designation of victim or accountable party isn’t solely based on how secure an organization’s operations were prior to an attack but hinges on their response post-attack. This predicament becomes a conundrum for marketing departments. Who is held culpable in the eyes of customers is often shaped by media consumption and personal biases. This shouldn’t be the case. In numerous corporate breaches, a clear line can be drawn to identify where fault lies. Organizations might have been negligent in data handling, system management, or maintenance, and as such, should bear a portion of the blame. In cases of severe negligence in control measures, a substantial share of the blame can fall squarely on the organization.
Recent incidents showcase a recurrent business response pattern: statements like “your security is our priority” and “we take security very seriously” abound. Subsequently, it emerges that the actual breaches often result from vulnerabilities like unpatched webservers (Equifax), third-party Java vulnerabilities (BA), or unsecured FTP (TJ Max), along with various other known weaknesses and configuration blunders. More disconcertingly, pilfered data frequently lacks encryption or hashing, rendering it useful and tradable. At the core, it all boils down to money, time, and expertise, translating to people, processes, and technology. A substantial chunk of hacks and data theft over the past decade can be traced back to these critical shortcomings.
Counterarguments have arisen, asserting that victims, whether corporate entities or individuals, can’t be held accountable for an attacker’s actions. A comparison is drawn to a street mugging scenario: “you can’t blame the victim for being robbed even if they’re out late, chatting on the phone, and flaunting expensive jewelry.” Yet, this analogy falls short. Imagine the victim carries the personal data of 10,000 individuals and then gets mugged. In such a case, attributing some blame for inadequate security controls in protecting an asset entrusted to them is valid.
In cases of corporate negligence in assessing, controlling, and disclosing security failures, blame must be assigned where due. If you lock all doors but leave windows open and your belongings are stolen, you can reasonably anticipate losses. When these ‘belongings’ comprise the personal and private data of employees, customers, and the public, expectations lean towards organizations acting in their interests, not just the shareholders’. Offering free credit monitoring after a breach is akin to locking the stable door after the horse has bolted.
In the world where data fuels everything from financial platforms to politics, corporations hold the keys to our information. This trust must be earned and upheld as paramount.
This article takes shape as a response to a statement made by a Cyber Security academic.
Leave a Reply