cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Jarred_LeFebvre
Community Manager

Listen - Hacking victims taking too much blame?

The keynote address by FBI Deputy Assistant Director Donald Freese at (ISC)² Security Congress spurred a very interesting podcast with TechTarget’s SearchSecurtiy Site Editor Rob Wright.

 

Blaming, and even shaming hacking victims following high-profile data breaches and cyberattacks has become commonplace, but one top law enforcement official says it's time for the infosec profession to break that habit.

 

Check it out here: http://searchsecurity.techtarget.com/podcast/Risk-Repeat-Are-hacking-victims-taking-too-much-blame

 

Let us know what you think.

7 Replies
MrEUser
Viewer

If only this question were this black and white.

If I leave my car doors unlocked and someone steals my car, am I going to receive some of the blame? You better believe my insurance company will come after me (it’s in my contract).

If I leave the front door to my house unlocked, and my wife sees I didn’t lock it, reminds me, and I still don’t lock the door, do I deserve to be blamed?

How many breaches have there been where Chief staff wer made aware of significant security shortcomings, ignored the warning, and a breech happened?

How many times has a breech happened because basic, fundamental, security steps were not taken?

The question comes down to due dillegence. Has it been executed? If not, there WILL be some victim blaming. I can not see that is a bad thing. Many questions regarding security come down to Risk analysis. There is a risk that if you do not do something smart (like protect people) that you will be publicly ridiculed. If this risk bothers you (and it should) do your best to prevent it from happening.

What I am tired of is people that don’t know what their talking about when it comes to information security making public statements. I had a judge tell me that he knew better because he uses email. 6 months later, the very thing I said would happen (email account compromise), happened (simple password compromise). I’m educated, I’m the professional, I was publicly ridiculed for my warning, and nothing happens to the judge.

No.

When people are warned something bad can happen, and then the bad thing happens, they earn public ridicule.

The fundamental truth of human psychology is that people change when it hurts bad enough.

If it takes public ridicule, then so be it. People need to learn that when they are warned that a bad thing can happen to thousands or millions of customers, and they do nothing....

Anne
Newcomer I

To me it all comes down to risk acceptance vs ignorance vs willful ignorance.

Risk acceptance: they knew there was a security flaw and those with fiduciary responsibility made the call to accept the risk and keep the flaw. Blame: they knew what could happen and it did and now they reap the consequences. Big companies do this regularly - lots of decisions must be made like this.

Ignorance: you have security, but that zero day came into a mom and pop shop and laid waste to their stored PII or allowed remote access in and a huge wire was sent out. No signatures out yet to protect and although they hired a security firm, they didn’t have enough money for top tier. They tried, but someone has to be the unlucky minority. Blame: this is where I place the least, but in the end, bad luck doesn’t absolve anyone.

Willful ignorance: ostrich with its head in the sand. They know, but ignore the issue because they figure they have deniability. Blame: for me, lots. This is the worst case scenario for security - you could have, but didn’t and pretended like it didn’t exist.
Bruce
Newcomer I

Then I must ask, who is to blame? The hackers? This seems to be an interesting thought but we, as cybersecurity professionals, must accept the blame along with the company in which we work. I think the exception to this would be a program pointing out risks and management accepting and not allowing for the proper budget. There are always going to be accidents, just like we have in cars and we accept the risk of driving while mitigating as much as possible through maintenance and insurance. If I am involved in a wreck, the state will find me at least partially responsible no matter what. 

 

The blame needs to be on the companies with penalties to follow or the problem will continue. 

JM
Viewer III

Perhaps "blaming the victim" is the more solution-focused method? 

I don't think blaming the perpetrators will do much good.

Plus, the victims here are the members whose data was stolen, not the custodians of that data.

 

“public policy demands that responsibility be fixed wherever it will most effectively reduce the hazards.”

 

https://www.cfr.org/blog/corporate-data-breaches-blame-victim

jrisner1
Newcomer III

My issue is that if the Organization does not take the time to do the things that are necessary to secure their environment then they should share the blame.

 

On the other hand, If the Company is doing everything they can to guard against threats then I would say give them a pass.

Uno_Digerati
Viewer II

I wrote an article about this which you are welcome to review and comment on LinkedIn here. Working in various industries I have a different perspective. We have been walking around for decades now saying that security is everyone's responsibility, not just the CISO, the government, or an organization. My article highlights three key areas where this seems to be universal and when you do a root cause analysis, it comes down to a consumer or customer not wanting to be inconvenienced.

Tell a customer a financial transaction is going to take more than 5 seconds, that they will lose their lights for two days while 20 year old equipment is updated and see what the reaction is to this information.  The business is successful because it meets the needs of a consumer.....Maybe it is truly time to make security everyone's responsibility.

jfschif
Viewer II

The focus on the victim should not be on the breach, but rather on the response.  

 

Let's assume that a hack/breach is going to happen in any organization eventually, whether they are totally secured (never), adequately secured (maybe for yesterday, but not likely for the next threat), or totally open and unsecured.  It will happen. 

 

Whether the victim deserves the blame or not ultimately depends on what the victim does from the moment the breach is detected (internally or by law enforcement).  That's what matters now, especially to clients and customers.  Then see what the organization does in the year following the breach.  

 

Breaches happen.  Incident response, remediation, real change, and lessons learned do not always happen.