We like to assign blame. It seems it’s human nature to be totally knowledgeable in areas that don’t involve us at all.
We all blame someone when our favorite team loses. It’s an individual player, the umpire, or even the manager (for not employing your dream squad or team formation). The fact remains that they lost, and the blame game achieves nothing.
The same is true of data breaches, and unfortunately for IT pros, when a data breach occurs, they often get it in the neck, with CIOs (or even CEOs) resigning in the wake of the public outcry that follows breach notification. Is this fair? Where should the blame lie?
Don’t get me wrong; I’m the last person that would advocate a blanket hands-off policy for executives and senior management but, is it really their fault when a data breach occurs? Apart from the CIO, they know little about threat prevention and security best practices and should not be sacrificed as a PR exercise i.e., to show how seriously the company reacts to security failings.
BUT, if CEOs deliberately hamper IT by restricting budgets or failing to advocate a security-first culture throughout the company, then throw them to the wolves. If losing their jobs (a difficulty in getting the next one is an obvious result) is not enough then perhaps a public flogging followed by a long prison term?
But, seriously, apart from a glaring lapse in security implementation, how are executives responsible for an employee clicking on a phishing link, even after months of security awareness training? For CIOs, the role involves technical experience, and making them the scapegoat is not a wise move, considering the scarcity of professionals in cybersecurity and related disciplines at the moment.
Of course, CIOs must rely on their staff to perform according to qualifications and shouldn’t have to monitor or check the work carried out. It’s not feasible to check everything in a tech environment, and CIO is a management position, implying necessary delegation.
In some countries, if you’re the mayor of a town or city, include environmental health as part of your remit and someone dumps toxic waste in the river, you lose your job. Why? You didn’t dump it or sanction it. It’s this type of logic that seems to prevail in the world of data breaches.
Let’s look at a few examples of major data breaches and who got blamed. Given that major breaches occur every month, I’ve selected a few where blame was assigned or implied by the actions of the company.
In August 2019, Imperva, an Israeli cybersecurity company (cyber…how embarrassing for them…) disclosed information about a ‘security incident’ that impacted a subset of customers. An official update from Kunal Anand, CTO (and provided by CEO Chris Hylen on their official blog), indicated that a hacker stole data from a database snapshot used to test AWS functionality internally. The computer instance created contained an AWS API key that allowed access to the snapshot. It was stolen…
Anand was CTO of his own company, one that was acquired by Imperva. He is still Imperva’s CTO. Hylen is still listed as Imperva’s CEO on LinkedIn (not on the Imperva site, so update your profile, Chris) but handed in his resignation 11 days after the breach. It was accepted two months later. Did Hylen fall on his sword? Was he forced to resign to try and offset reputational damage? Speculation abounds, but the fact remains that the CEO clearly did not test AWS database solutions himself. As for the test process, who populates a database with live data rather than…yes, you guessed it, test data? It is the cavalier attitude to customer data that’s at fault here, yet the CEO was blamed. Did the CEO define the testing criteria? That sounds like a job for the CTO or his subordinates to me. What do you think?
In May 2017, the personal financial information of almost 150 million Americans was compromised in the Equifax data breach. This was ultimately caused by a delay in installing an Apache Struts patch, released the previous March. Doesn’t sound like the CEO’s problem, does it?
Richard Smith, the CEO, resigned in September 2017, but with a compensation package (nearly $20m in bonuses) that dwarfs the single breached user settlement. In July 2019, Equifax agreed to a settlement of $575m but not exceeding $700m, entitling affected customers to free credit-monitoring or $125. If you opted for the $125, Equifax is now considering retracting that offer. Real nice, Equifax.
In July 2019, Capital One was hacked by a former Amazon AWS employee, Paige Thompson. She obtained the personal data of more than 100 million people and was captured by the FBI. Case closed?
The official website statement is vague, to say the least, and doesn’t state the cause – other than ‘unauthorized access’. Other sources refer to a ‘misconfigured firewall’. For detail, Krebs on Security came up with the goods: a misconfigured open-source WAF (Web Application Firewall) was involved. “In Capital One’s case, the misconfigured WAF for whatever reason was assigned too many permissions, i.e. it was allowed to list all of the files in any buckets of data and to read the contents of each of those files.” As Krebs pointed out, this is a well-known exploit – SSRF (Server-Side Request Forgery).
Did the CEO, in this case, fail to configure the WAF correctly? Was he even involved? Nope, and he didn’t resign either. The culprit was caught, and it seems that no one cares who misconfigured the firewall.
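The permission problem Krebs describes, a role allowed to list every bucket and read every object, is something a defender can check for in policy documents before a breach rather than after one. The following is an added example written for this post, not Capital One’s configuration or any real policy: the policy documents, bucket names and the `find_broad_s3_read` helper are all constructed here, and the check is a triage heuristic, not a full IAM policy simulator.

```python
"""Flag IAM Allow statements that grant S3 list/read access across all buckets.

Added example for this post. The policies below are constructed for illustration
and are not anyone's real configuration.
"""
from fnmatch import fnmatchcase

# Constructed: the over-permissioned shape Krebs describes (list any bucket, read any object).
OVER_PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"], "Resource": "*"}
    ],
}

# Constructed: the same class of role scoped to the two buckets it actually needs.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::waf-logs-example"},
        {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::waf-logs-example/*"},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::waf-config-example/*"},
    ],
}

# Constructed: a service wildcard on an S3-wide ARN, which is just as broad as "*".
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::*"}],
}

# Concrete actions that let a principal enumerate bucket contents and read objects.
SENSITIVE_S3_ACTIONS = ("s3:ListBucket", "s3:GetObject")


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_broad_resource(resource):
    """True when the resource element covers every bucket or every object in every bucket."""
    return resource == "*" or resource.startswith("arn:aws:s3:::*")


def _covered(concrete, patterns):
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return any(fnmatchcase(concrete.lower(), p.lower()) for p in patterns)


def matched_sensitive_actions(action_patterns):
    """Return the sensitive actions that at least one pattern ('s3:*', '*', 's3:Get*') covers."""
    return [a for a in SENSITIVE_S3_ACTIONS if _covered(a, action_patterns)]


def find_broad_s3_read(policy):
    """Return one finding per Allow statement granting sensitive S3 actions on a broad resource.

    Heuristic only: Condition blocks, Deny statements elsewhere, permission boundaries,
    bucket policies and SCPs are not evaluated, so treat findings as items to review.
    """
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # NotAction grants everything except the listed patterns, so a sensitive
            # action is granted unless it is explicitly excluded.
            excluded = _as_list(stmt.get("NotAction"))
            actions = [a for a in SENSITIVE_S3_ACTIONS if not _covered(a, excluded)]
        else:
            actions = matched_sensitive_actions(_as_list(stmt.get("Action")))
        broad = [r for r in _as_list(stmt.get("Resource")) if is_broad_resource(r)]
        if actions and broad:
            findings.append({"statement": index, "actions": actions, "resources": broad})
    return findings


if __name__ == "__main__":
    for name, policy in (("over-permissive", OVER_PERMISSIVE_POLICY),
                         ("least-privilege", LEAST_PRIVILEGE_POLICY),
                         ("wildcard", WILDCARD_POLICY)):
        print(name, find_broad_s3_read(policy))
```

Running it flags the first and third policies and passes the scoped one. A check like this belongs in the pipeline that deploys roles for edge components such as a WAF, because a component that only needs its own log and configuration buckets has no business holding `s3:ListBucket` and `s3:GetObject` on `*`, whether or not anything ever exploits it.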
No breach list is complete without referring to Target, a beloved family institution in the USA. As we all know at this point, the 2013 Target hack was caused when hackers exploited network credentials from a third-party HVAC service provider. Why did this company have remote access to the network? Why was it connected to Target’s payment platform? Target ended up settling for $18.5m, divided among 47 states. In this case, in May 2014, both the CEO and CIO resigned. They must have collaborated in assigning network permissions to outsiders. I don’t think so.
Bias And Punishment
When a breach occurs and is announced (according to regulations), the public and the media demand answers and someone to blame. Based on the examples above, it’s senior executives that pay the price; non-executives (including IT) are rarely accused if no criminal intent is involved.
To offset reputational damage, the Company (capitalized to indicate the impersonal nature of it all) must perform some damage control. Enter public relations experts stage left. Will firing the responsible party be enough? “No, they say, the public will always empathize with the worker. It must be a tie-wearing executive, the higher in the organization, the better.” It’s for this reason, more than any other, that CEOs and CIOs get the chop. THEY are responsible for everything that happens in the company and shareholders, the public and the media demand they take the blame. Unfair? Certainly, but it should motivate them to take a more hands-on approach to operations rather than rely on delegation.
In addition, ignoring public and media bias, shouldn’t everyone be responsible for their actions and pay for careless and especially for deliberate security errors?
If working on company-owned equipment and you click on phishing URLs, releasing malware, ransomware, or another security threat onto the network, what happens then? As it stands, most HR professionals will say “Nothing, lack of technical knowledge is not grounds for dismissal.” They will also state that “Security is IT’s problem.”
Of course, it is, and IT can handle it, as long as we have the budget to do so. We can install every security product available to protect against internal and external threats and lock down the network completely. It could impact productivity in other departments, but that won’t matter as much. We are secure against all possible threats, with dedicated IT staff assigned to each employee, monitoring emails and online communications as they occur… It’s the only way.
Alternatively, companies could foster a security-first culture, with compulsory security awareness training for all, activity monitoring on every computer and penalties (including dismissal) for misuse of company property. “If unsure, don’t click it or open it. Send it to IT.” Unless a culprit is caught by law enforcement, senior executives are first against the wall when the revolution (or a data breach) comes; surely, this is sufficient incentive to prioritize security?
Finally, why not blame the people whose data is affected by breaches and hacks? We are not products, and our data must remain private. It isn’t. Aside from hacking, Big Tech is equally dangerous. Why is Google gathering medical data without permission from patients or doctors? Then there is Facebook’s consideration of sharing user and patient data with medical institutions, not to mention its appalling privacy record.
The only real way to protect ourselves is to wipe our online identities and related data and destroy all smart speakers in our homes (I say “our”; I’ll never allow one until privacy concerns are eliminated). Perhaps we should all set up post office boxes and alternate identities for activities that take place online? At least we’d protect our home addresses and related data. What do you think? Who should be blamed and punished for a data breach, the responsible party or a scapegoat designed to show how seriously the company takes security? If they cared about security, the breach wouldn’t have happened in the first place…and IT can only work with the tools they are allowed to purchase.