Interviews

Avoiding cyber blame game

by Mark Rowe

The cyber threat landscape is rapidly evolving, which means that businesses are increasingly at risk from a vast range of sophisticated threats, writes David Smith, CISO at the data security and eDiscovery software company Nuix.

In fact, since the opening of the National Cyber Security Centre (NCSC) in February, the UK has been impacted by 188 high-level attacks which were severe enough to require NCSC involvement. That’s not even counting lower-level attacks. The world today is besieged by large-scale attacks which are increasing in boldness. This leads many to ask: who is responsible for these attacks? Of course, the first natural response is to think of the perpetrator: were they a criminal hacker, a state-sponsored actor, an automated botnet or even a malicious insider at an organisation? It’s within our nature to want answers. Attribution is important, especially when we consider the criminal and judicial consequences. A compromised organisation must also accept and acknowledge the facts surrounding the incident, especially when external customers and clients are involved.

Deny

When a data breach first comes to light in the media, organisations often instinctively distance themselves from taking the blame, or even taking responsibility for failing to safeguard sensitive data and systems. The most common excuses are often: “The breach really wasn’t that serious;” “The data taken isn’t that sensitive;” and the even more popular “Our security is comparable to others in the industry.”

With GDPR on the horizon, and recent enforcements by the Information Commissioner’s Office (ICO), the UK is finally taking data protection seriously. The ICO has placed strict fines on private companies, local councils, police forces and charities for mishandling data. There are fewer places to hide now for those failing to take responsibility for a data breach.

Don’t shy away from responsibility

Corporate responsibility is not a new concept, and it goes beyond the world of IT. Following the 2010 Deepwater Horizon oil spill, BP were quick to begin pointing fingers, pushing the blame onto drilling company Transocean Ltd. Playing the blame game in the wake of one of the largest environmental disasters of recent times and distancing themselves from responsibility was arguably in poor taste. Corporate responsibility can and must be handled more appropriately. When Cadbury were dogged with rumours of worm-infested candy bars, the company responded by providing the public with regular updates on how they were improving their manufacturing process. Avoiding responsibility and failing to tackle a situation with honesty can lead to substantial legal costs and also irreparable harm to brand reputation.

Honesty best policy

Around seven or eight years ago, when companies such as Google and Adobe suffered serious data theft as part of the Operation Aurora cyber-attacks, Google’s security team were admirably clear and honest about the fall-out from the attacks. They outlined how the attacks took place, how the attacks were uncovered and the steps that were taken to overcome them. This helped an innumerable number of companies to deal with similar situations.

Of course, no company wants to admit that they’ve been compromised, but when an organisation is holding sensitive information, they must be fully forthcoming with clients, customers and employees about the aftermath. Furthermore, when a victim organisation is open and honest about what has occurred, this can have untold benefits to the wider security community and help with future efforts to protect sensitive data. Playing the blame game can only impede efforts, and benefit the criminals who took the data.

© 2024 Professional Security Magazine. All rights reserved.
