
Breaches happen. Stop the Blame Game, and Foster Transparency

No-one wants to suffer a data breach and the potential havoc it can wreak. Unfortunately, there is a strong tendency to blame the victim of the breach and change behaviour accordingly. That’s why 83 per cent of consumers pause or end their spending with a company after a breach has been reported.

Looking back at some of the UK’s most notorious breaches, we can see the impact on company performance. Whether it is Dixons Carphone exposing 14 million personal records, including over five million payment details, or Equifax leaking 15 million UK customer records, resulting in a $575 million fine, there are some major examples of data breaches having a permanent impact on customers and their relationship with the organisation in question.

And it never stops: according to research, there were 114 publicly disclosed security incidents in October 2023, accounting for 867,072,315 compromised records, bringing the year’s total to over 5 billion. With such uncertainty in the market, how can we foster trust and transparency? It is clear that no-one is impenetrable. So, when looking for a vendor or a partner, we ought to scrutinise their ability to respond effectively and transparently when a security incident occurs. Punishing a company for suffering a breach only encourages them to conceal any security issues that might arise; instead, we must foster understanding and information sharing to build best practice.

Moving away from the blame culture

When it comes to individual employees, we are gradually seeing organisations adopt a more understanding approach. Once upon a time, clicking on a phishing link or replying to a spoofed email would bring condemnation down on the victim. However, security professionals today tend to understand that phishing attacks are purely a numbers game: if bad actors cast their net widely enough, eventually someone will fall for it. And as the methods employed become ever more subtle and believable, it is fair to recognise the large role that human trust and human error play in our risk environment.

The alternative is that, if victims fear punishment or reprisal, they are much less likely to own up to clicking on a dodgy link and may go to great lengths to cover the incident up. In a culture of empathy and understanding, by contrast, that same employee will readily self-report incidents, admit to making a mistake and learn from the experience.

That matters because the time it takes to flag an incident, and the overall impact the incident has, can vary dramatically: the sooner a breach is acknowledged, the less damage is done. IBM released research earlier this year showing that early detection is one of the most critical factors in limiting the damage caused by a breach.

Embedding Trust and Understanding

Many organisations have enjoyed success at an individual level when it comes to endorsing a policy of trust and transparency; however, they do not always extend the same approach to partners, vendors and other third parties. Breaches can happen to any organisation, even one that has taken commercially reasonable precautions, so getting rid of an otherwise reliable partner because of a breach may bring additional headaches further down the line. It is also vital to acknowledge the distinction between a company that endures a one-off attack and a company that regularly engages in risky or negligent behaviour.

Compliance frameworks and security benchmarks have a role to play in assessing any third party’s preparedness. And, if a breach does occur, it’s also crucial to know what happened and how it was handled as soon as possible. How we choose to communicate about our security incidents says much about how far we can be trusted. Much as we expect employees to self-report cyber threats, we should also expect partners to be transparent about the challenges they face, making it easier for us to assess their security capacity.

The more data we have regarding attack tactics, techniques and procedures (TTPs), the better chance we have of protecting against them. Rather than punishing partners for becoming a victim of a cyberattack, we should instead be urging them to be more open, transparent and honest for a better outcome in the long run.

Working towards a secure future

Embracing a more empathetic stance towards security breaches does not imply that organisations should neglect their essential responsibilities. On the contrary, businesses must consistently assess the compliance status of their partners and vendors. Demonstrating continuous compliance and producing favourable security reports and attestations will remain pivotal in confirming that organisations are handling their data with care.

However, despite thorough efforts, even a meticulously managed organisation can fall victim to a breach. It is imperative to move away from the tendency to blame the victim. Instead, we should extend the same understanding to each other as we do to employees who act in good faith. Recognising that perfection is unattainable, fostering a culture of honesty and transparency will ultimately benefit everyone in the long term.

Matt Hillary, Chief Information Security Officer at Drata
