Opinion: The security breach blame game
Who is the victim in a cyberattack and can blame be solely attributed to the attackers? ponders Simon Vernon, security researcher, SANS EMEA
Whether motivated by financial gain, hacktivism, whistle-blowing, or some other reason, any kind of cyber-attack is illegal and should, therefore, be prosecuted if attribution is possible. There's no doubt, however, that when an organisation is targeted and successfully hacked, it must bear some responsibility for data loss if security controls were incorrectly implemented or reasonable protections were not in place. But how far does this responsibility go?
Who we define as the victim or the responsible party often isn't associated with how securely an organisation operates, but with how it responds to the attack.
Effectively, it becomes a challenge for the marketing department. Who we, as customers, blame depends on how we consume this media and on our personal bias. This shouldn't be the case. In many instances of corporate breach, there is a clear defining line over where responsibility lies. For example, the organisation may have been irresponsible in its data handling, management of systems and maintenance, and should, therefore, absorb some of the blame. However, in cases where a flagrant lack of security controls is discovered, a large proportion of the blame can be placed on the organisation.
There have been many instances recently where a breach has occurred and the affected business’ response has been the generic, ‘your security is our priority’, ‘we take security very seriously’ or ‘this was a targeted attack by professional hackers’.
Often, we learn the data stolen wasn't encrypted or hashed, or was stored alongside other data that made it useful or tradeable. In the end, adequate protection comes down to money, time and expertise, which in turn translates to having the right people, processes and technology in place. The majority of hacks and data theft in the last 10 years come down to one of these critical failings.
I’ve heard arguments recently that the victims (corporate or otherwise) can never be blamed for the actions of an attacker. A data breach has been compared to a simple street mugging: “You can’t blame the victim for being robbed even if they are walking late at night, on the phone or wearing expensive exposed jewellery; it isn’t their fault”.
This isn't really a comparable example: if the victim were doing all of the above while carrying the personal data of 10,000 people, and was then mugged, it would be fair to attribute some of the blame to the victim for their failure to protect an asset for which they were responsible at the time. At the end of the day, it's all about taking sensible precautions.
In instances of corporate failure to assess, control and report security failures, blame must be applied accordingly. If you leave the house and lock all the doors, but leave the windows wide open, you can realistically expect something to be missing when you return. When the contents of your house include the personal and private data of your employees, customers and the general public, they expect you to act with their best interest in mind, not the shareholders'.
In this internet-connected world where data is fuel, powering everything from financial platforms to politics, it’s the corporate powers who are trusted with our information. That trust should be earnt and held in high regard.