Effi Lipsman is our sales leader at ActZero. His job involves putting the needs of clients and prospective clients first, every day. He often deals with people and companies impacted firsthand by cybersecurity threats, like malware, ransomware, and other cybersecurity incidents.
It wasn’t long ago that I wrote about how we, as a society, need to pay more attention to cyber-threats. An underpinning of such societal change is good communication: dialog that enhances visibility into the problem. Just call me a “social engineer” 😉. But there is a problem with the type of communication that is happening now about cyber-breaches. Specifically, it is the assumption that companies who get hacked, or the people who work at them, are solely responsible for that situation, and perhaps even brought it upon themselves. People proclaim guilt, or negligence, or even incompetence when breaches happen to companies. I raise this because small and medium-sized businesses are so afflicted by such “bad press” and public reaction that people are reluctant to talk about a breach when it does happen. This means discussions of best practices, motivations towards societal change, and all of the ‘learnings’ we are supposed to gain can be lost.
In this post, I discuss whether victim-blaming is appropriate (spoiler alert, it’s not), explore the argument around why, and suggest how we can prevent this from continuing. Because, as we have seen, the data breaches are not going to stop, so let’s handle them better when they happen. Let’s evoke some positive change here, people!
I am reluctant to call out specific instances of victim-blaming in high-profile cybersecurity incidents, to avoid hypocrisy. But we’ve all seen it (countless times). It’s the typical sales presentation by cybersecurity vendors that emphasizes the notable breaches; it’s the social media posts where my peers (and sometimes colleagues 😊) assert that “I would never recommend Company X because they got breached.”
Is This Appropriate?
We don’t have all the context of the attack. Who are we to judge a company, or a person at a company, for not adhering to a given practice, if we don’t know about their business, or about their IT infrastructure, or third-party vendors, or employees, or contractors, or any other possible attack vector? Without all the facts – which, short of having conducted a forensic investigation (which we routinely do, by the way), you won’t have – there could be mitigating circumstances that warranted that particular action, or lack of action, that seems “wrong” in hindsight.
Even if all the facts did dictate a specific action that wasn’t taken, how does it help to call it out in a way that is ridiculing, in public?
The question of whether it’s appropriate extends beyond any “here’s how it would help” rationalization. Think of your grandmother – when grandma gets infected with ransomware, is it “her fault” for not installing Windows updates? Of course not, it’s the hacker’s fault. No question. Some may counter “organizations need to know better than grandma” or that “organizations employ cyber professionals who are better equipped to prevent such threats.” OK; what if it was a zero-day vulnerability? What if your company is patient zero? What if maintaining perfect endpoint hygiene, the latest patch levels, and comprehensive and rigorous monitoring/alerting/reacting is virtually impossible to perform with 100% accuracy? We know that hackers keep improving as defenses do – it’s an evolution. I’ve written before that the attacker needs to be right just once, while the corporation needs to be right every single time (shameless plug: ActZero’s MDR services reverse that equation to give the corporation the advantage). My point is, defining a threshold or criteria where blame shifts from perpetrator to victim is an incredibly slippery slope that can take us from “we were compliant” to “we had perfect hygiene” to “we had military-grade security,” and we still got hacked! If it can ever be perceived as the victim’s fault, it quickly becomes always the victim’s fault.
I think that victim-blaming actually perpetuates my industry – “Oh, you got hacked? If only you’d had ActZero, that was stupid of you not to make that decision…”. But it is still wrong, and we need to stop doing it. There’s no upside to the vendors who use such tactics.
Steps to Take
I’m not saying we shouldn’t learn and improve – quite the contrary; I am saying that to learn and improve, we need to be able to discuss what happened in a non-judgmental way. This discussion needs to happen without the fear of being ridiculed in the news, in social media, and by every cybersecurity vendor’s sales rep. Yes, there are consequences to your business from getting hacked; there may even be consequences for your staff, or your customers, or your brand, or your bottom line. And, yes, you should do everything you can to prevent those consequences, but when you get hacked, don’t you want to be able to discuss it openly, and honestly, and without the fear of ridicule when you are already going through such a difficult time?
How can we achieve that? I envision these ways. What are yours?
- Coupled with breach-reporting requirements that are popping up (e.g., PIPEDA, NY CRR500), let’s make sure we are also reporting how the hacker got in, and make this the focus of discussions. Not “ABC Company didn’t have an account lockout threshold, so the hacker was able to brute-force in,” but instead: “The hacker used a brute-force tactic to break into an administrator’s account, and proceeded to escalate privileges. The following are ways to mitigate the risk of such tactics: adding an account lockout threshold, having multi-factor authentication, etc.”
- Foster an environment where it is safe to discuss what happened and how to improve. Maybe that place is not the news media... At least for cybersecurity and IT professionals, there needs to be a community suited to this. …Maybe that’s not Reddit either :P
Sure – maybe a company or a person at a company could have done something differently to have made getting hacked less likely. All I’m saying is that this culture of judgment and blame, disguised as “accountability”, is not helping us beat the problem. And it certainly makes vendors that push this message look petty. If we generalize what we know about victim-blaming in other circumstances, I am sure that you will come to agree with me.