The keynote address by FBI Deputy Assistant Director Donald Freese at (ISC)² Security Congress spurred a very interesting podcast with TechTarget's SearchSecurity Site Editor Rob Wright.
Blaming, and even shaming hacking victims following high-profile data breaches and cyberattacks has become commonplace, but one top law enforcement official says it's time for the infosec profession to break that habit.
Let us know what you think.
If only this question were this black and white.
If I leave my car doors unlocked and someone steals my car, am I going to receive some of the blame? You better believe my insurance company will come after me (it’s in my contract).
If I leave the front door to my house unlocked, and my wife sees I didn’t lock it, reminds me, and I still don’t lock the door, do I deserve to be blamed?
How many breaches have there been where chief staff were made aware of significant security shortcomings, ignored the warning, and a breach happened?
How many times has a breach happened because basic, fundamental security steps were not taken?
The question comes down to due diligence. Has it been executed? If not, there WILL be some victim blaming. I cannot see that as a bad thing. Many questions regarding security come down to risk analysis. There is a risk that if you do not do something smart (like protect people) you will be publicly ridiculed. If this risk bothers you (and it should), do your best to prevent it from happening.
What I am tired of is people who don't know what they're talking about when it comes to information security making public statements. I had a judge tell me that he knew better because he uses email. Six months later, the very thing I said would happen (email account compromise) happened (simple password compromise). I'm educated, I'm the professional, I was publicly ridiculed for my warning, and nothing happens to the judge.
When people are warned something bad can happen, and then the bad thing happens, they earn public ridicule.
The fundamental truth of human psychology is that people change when it hurts bad enough.
If it takes public ridicule, then so be it. People need to learn that when they are warned that a bad thing can happen to thousands or millions of customers, and they do nothing....
Then I must ask, who is to blame? The hackers? This seems to be an interesting thought but we, as cybersecurity professionals, must accept the blame along with the company in which we work. I think the exception to this would be a program pointing out risks and management accepting and not allowing for the proper budget. There are always going to be accidents, just like we have in cars and we accept the risk of driving while mitigating as much as possible through maintenance and insurance. If I am involved in a wreck, the state will find me at least partially responsible no matter what.
The blame needs to be on the companies with penalties to follow or the problem will continue.
Perhaps "blaming the victim" is the more solution-focused method?
I don't think blaming the perpetrators will do much good.
Plus, the victims here are the members whose data was stolen, not the custodians of that data.
“public policy demands that responsibility be fixed wherever it will most effectively reduce the hazards.”
My issue is that if the organization does not take the time to do the things that are necessary to secure their environment, then they should share the blame.
On the other hand, if the company is doing everything they can to guard against threats, then I would say give them a pass.
I wrote an article about this which you are welcome to review and comment on LinkedIn here. Working in various industries I have a different perspective. We have been walking around for decades now saying that security is everyone's responsibility, not just the CISO, the government, or an organization. My article highlights three key areas where this seems to be universal and when you do a root cause analysis, it comes down to a consumer or customer not wanting to be inconvenienced.
Tell a customer a financial transaction is going to take more than 5 seconds, that they will lose their lights for two days while 20 year old equipment is updated and see what the reaction is to this information. The business is successful because it meets the needs of a consumer.....Maybe it is truly time to make security everyone's responsibility.
The focus on the victim should not be on the breach, but rather on the response.
Let's assume that a hack/breach is going to happen in any organization eventually, whether they are totally secured (never), adequately secured (maybe for yesterday, but not likely for the next threat), or totally open and unsecured. It will happen.
Whether the victim deserves the blame or not ultimately depends on what the victim does from the moment the breach is detected (internally or by law enforcement). That's what matters now, especially to clients and customers. Then see what the organization does in the year following the breach.
Breaches happen. Incident response, remediation, real change, and lessons learned do not always happen.