December 8, 2020
Maybe Employees Aren’t Always To Blame: Assigning Cybersecurity Responsibility After a Cyberattack
Recently, I read an article by Oz Alashe with a pretty bold title: “Stop saying employees are the weakest link in cybersecurity.” It’s a great read, and I agree with a lot of it. But it did make me think: Where does cybersecurity responsibility ultimately lie? And is there even an easy answer to this?
Because even when we look at how the same cyberattack impacted multiple companies, the responsible party will be different in every scenario. So here I’m interested in exploring all possible parties that can be held accountable after a cyber attack.
Let’s get this one out of the way first. After all, as the article by Alashe states, non-IT employees have been a really easy target when it comes to the cybersecurity blame game. But blaming the employee who clicks a malicious link or uses the same password for everything isn’t necessarily fair or accurate.
Being cybersecurity unaware isn’t a state someone chooses to be in. It’s something that happens when you’re not surrounded by cybersecurity knowledge. It’s easy for people who read articles about online security all day, or practice it to a T, to point to a person and say “They don’t know anything about cybersecurity, so of course they’re to blame.”
But let’s take a step back. Why doesn’t that person know anything about cybersecurity? Usually these employees are less technical and their jobs have nothing to do with security or IT. It’s not up to them to become independently cybersecurity aware. It’s up to those around them (their company as a whole, security personnel, MSP, etc.) to give them the tools they need to understand what a security threat is.
This is really why it’s not OK to lay blanket blame on employees when a cyber attack occurs. You need to peel back the layers:
- Did they have the training to recognize this threat?
- Do we have good security processes in place, and were they made aware of them?
- Have we implemented tools that could have blocked this threat from the beginning and protected this employee?
There are so many people involved in protecting a company. If an employee was well-trained and actively disregarded procedure, resulting in a breach, that’s a problem. And that’s a situation where we can easily assign blame. But in many cases, the cybersecurity responsibility lies with other parties. And in a majority of cases, they share the blame.
Now let’s go down the list of all of the other parties that bear responsibility for a cyber attack.
Just a friendly reminder that the hacker gets 100 percent of the blame for initiating the cyber attack in the first place. What we’re talking about here is “Who was most responsible for preventing this?”
OK, back to the real list.
The first question a lot of security professionals ask themselves after an attack: “Did our security stack fail?” And if so, the second question is: “What part of the stack failed?”
Good cybersecurity is made up of layers. You’re not choosing between antivirus and a firewall, just like you don’t choose between a password manager and content filtering. This is because each of these protections guards you from different types of threats or prevents the same attack at a different layer.
But what happens if the software that was supposed to mitigate a threat didn’t? It’s usually easy to determine if the main culprit of a cyberattack was technology failing you. You’re able to check reports and logs to see what happened.
But sometimes the issue might not be the technology itself, but rather a lack of technology. And who do we blame for that?
Head of security
CISO is a hard job. Sometimes, you’re going to exit that role very suddenly post-data breach. Just ask these 7 ex-CISOs. They all worked for major enterprises and took the fall for a breach.
Some of the CISOs on that list were guilty of handling the situation poorly after the actual cyberattack. But others have been fired for things like:
- Lack of procedure
- Cybersecurity neglect
- Hiding vulnerabilities
- Ignoring information security advice
One CISO even cited not having an adequate security budget. In that situation, the true person at fault is the CEO. However, it’s up to heads of security to make the case and convince other members of the C-suite of the importance of investing in security.
When you don’t invest (and invest wisely) in cybersecurity solutions to protect your company, you’re much more likely to find yourself the victim of a data breach.
A little while ago I wrote a blog about the biggest data breaches of 2020. In at least two of those breaches, sensitive information was accidentally indexed on the web. One of those breaches (leaking 5 billion records) occurred because an IT employee disabled a firewall for 10 minutes.
This is a flagrant example of cutting corners that should have never happened. Cybersecurity policies are in place for a reason.
But since we’re looking at the whole picture, let’s question why this employee thought it was alright to disable that firewall. Were they acting on their own, trying to finish up a shift? Or was the culture around cybersecurity at that company incredibly lax? Maybe they’d seen another employee do something similar in the past. Maybe there weren’t clear policies in place around situations where it’s actually OK to disable a firewall?
That last one is a bad example. It’s never OK to disable a firewall. But you get the point. How seriously an individual IT employee takes cybersecurity has everything to do with how seriously that company takes it. There are exceptions, but if it’s not part of your culture, that’s a problem.
And that leads us to…
The training employees received
Everything really boils down to training. At companies where cybersecurity training isn’t even thought of, the blame really lies with the C-suite for not making that mandatory.
But sometimes the issue isn’t a lack of training. It’s poor training. Cybersecurity training should be somewhat comprehensive. It should take employees through real scenarios, and it should explain cybersecurity concepts in plain English.
Too often, cybersecurity training is all about scare tactics. It doesn’t focus on the importance of having a process for everything, even though that’s a huge aspect of security.
Here are a few things that good cybersecurity training should cover:
- What information is and isn’t OK to share outside the company or even outside the department
- Who should have access to which platforms
- Proper password hygiene
- How to report suspicious activity (and who to report it to)
- Examples of common traps employees fall into (e.g., phishing emails, malicious ads, ransomware attacks, etc.)
And training isn’t a one-and-done type event. It’s ongoing. As an example, a lot of companies (DNSFilter included) use third parties to send mock phishing emails to employees to both increase and gauge awareness. Companies should do these types of tests routinely to continuously remind employees that these threats are out there.
Training should be specific to your company and the departments getting training. The real blame-worthy party for a lot of companies is insufficient training.
No one wants to be the victim of a cyberattack. But when you do suffer one, faulting certain parties isn’t always the best route to take. Threats are always evolving, and cyberattacks should be a learning experience for everyone involved.
Understand the root cause, but avoid actively placing blame on people unless they’ve demonstrated malicious intent or total negligence. This is an opportunity for you to say: “What could we have done better?”
Do you have all the tools you need? Are your budgets sufficient? Does your company culture value security? When was the last time you held a training session? In a perfect world, you’re asking yourself these questions without having encountered a cyberattack on your company. So put this into action as soon as possible, or be ready to shoulder some of the blame.