The blame game - corporate failure or attacker
Who is the victim in a cyberattack, and can blame be attributed solely to the attackers? Simon Vernon, security researcher at SANS EMEA, ponders.
Whether motivated by financial gain, hacktivism, whistle-blowing, or some other reason, any kind of cyber-attack is illegal and should therefore be prosecuted if attribution is possible. There’s no doubt however, when an organisation is targeted and successfully hacked, it must bear some responsibility for data loss if security controls were incorrectly implemented or reasonable protections were not in place. But how far does this responsibility go?
Who we define as the victim or the responsible party often isn’t associated with how securely an organisation operates, but how it responds to the attack.
Effectively, it becomes a challenge for the marketing department. Who we, as customers, blame depends on how we consume this media and on our own personal bias. This shouldn’t be the case. In many instances of corporate breach, there is a clear defining line over where responsibility lies. For example, the organisation may have been irresponsible in its data handling, management of systems and maintenance, and should therefore absorb some of the blame. And in cases where a flagrant lack of security controls is discovered, a large proportion of the blame can be placed on the organisation.
There have been many instances recently where a breach has occurred and the business’ response has been the generic, ‘your security is our priority’, ‘we take security very seriously’ or ‘this was a targeted attack by professional hackers’.
However, it frequently turns out that the actual hack was against an unpatched webserver (Equifax), Java from a third party (BA), un-secured FTP (TJ Maxx) and countless other known vulnerabilities and configuration errors that could have been mitigated. Often, we learn the data stolen wasn’t encrypted or hashed, or was stored with other data that made it useful or tradeable. In the end, adequate protection comes down to money, time and expertise which in turn translates to having the right people, processes and technology in place. The majority of hacks and data theft in the last 10 years come down to one of these critical failings.
I’ve heard arguments recently that the victims (corporate or otherwise) can never be blamed for the actions of an attacker. A data breach has been compared to a simple street mugging: “You can’t blame the victim for being robbed even if they are walking late at night, on the phone or wearing expensive exposed jewellery; it isn’t their fault”.
This isn’t really a comparable example, since, if the victim was doing all of the above and had the personal data of 10,000 people on their person and was then mugged, it would be fair to attribute some of the blame to the victim for their failure in protecting an asset for which they were responsible at the time. At the end of the day, it’s all about taking sensible precautions.
In instances of corporate failure to assess, control and report security failures, blame must be applied accordingly. If you leave the house and lock all the doors but leave the windows wide open, you can realistically expect something to be missing when you return. When the contents of your house include the personal and private data of your employees, customers and the general public, they expect you to act with their best interests in mind, not the shareholders’. Some companies that have been the victim of an attack have offered a free credit monitoring service to affected customers, but in reality this is of limited use and could be seen as closing the stable door after the barn has burnt down.
In this internet-connected world where data is fuel, powering everything from financial platforms to politics, it’s the corporate powers who are trusted with our information. That trust should be earnt and held in high regard.