Unpacking the Cybersecurity Double Standard
Why does a double standard exist when it comes to cybercrime? Although the settings of a physical crime, like a robbery, and a cybercrime, like stealing credit card numbers, differ, the crimes are similar in many ways.
Criminals steal money every day, in every format. However, the way the public responds to these crimes, especially regarding the attribution of blame, is different.
If Bonnie and Clyde shoot up a bank and steal millions of dollars in cold hard cash, it’s a national event, but people do not regard Bonnie and Clyde as solely responsible for the robbery. Causes include the economy, weak bank security practices, the banks foreclosing on people’s homes, and other societal outcomes.
In modern times, if someone shaves pennies off millions of online banking transactions and reroutes this money to their account, becoming a multi-millionaire in the process, few people take an interest, and everyone blames the hacker, or some C-level executive at the bank.
To bolster security, employees work together to strengthen business processes and practices, and to ensure the safety of their customers’ data. Why, then, are specific C-level employees, like Susan Mauldin of Equifax, blamed for their company’s data breaches? Surely more people can share the blame, especially the hackers?
Equifax: The Dangerous Double Standard
Equifax is one of the top American credit reporting agencies. The personal and sensitive data of approximately 150 million Americans was stolen from May to July 2017 and reported in September of that year. Waiting 2-4 months to report the loss of sensitive data is a severe issue in itself. The main issue, however, runs much deeper than this.
While few people in Equifax were blamed for this breach, blame should be attributable to more people, like the hackers and other employees in Equifax. While the company could have implemented more robust infrastructure, or improved communication flows to mitigate hacks before they occurred or to respond to them better, the company is not solely at fault. This was a widespread issue that no one person could control.
Equifax’s internal conduct was exposed after Congress released a report on the breach. IT and security at Equifax were kept separate, leading to a lack of communication within the organization. This separation started in 2007, ten years before the hack, as the Chief Security Officer and Chief Information Officer had a personality clash and could not resolve their differences. Had this separation been resolved, Equifax may not have waited to report the breach as long as they did.
The lack of communication is unacceptable yet common in companies worldwide. There is no standard for cybersecurity in practice. Companies should follow best practices, but every company is unique and will implement cybersecurity as they see fit. In the end, only a few people are scapegoats for such crimes, although many more people can be blamed.
Double Standards: Are They the Product of Human Error?
Human processes and interpersonal cooperation in companies large and small can improve. C-level employees who are formally responsible for preventing or reacting to cybersecurity issues must be held accountable for their actions, or their failure to act.
Still, they are not the only ones involved. While all employees must choose their actions carefully and put the organization’s needs before themselves, responsibility runs throughout the organization. It’s clear the attribution of the blame needs addressing.
It’s natural for humans to want a scapegoat in times of conflict. After all, someone must pay! Someone must be responsible! These are normal human reactions.
Cybersecurity is no different.
If an employee is accountable for a set of duties, they must be held responsible and act accordingly. Had Equifax had strong communication between employees and between departments, and reported the breach in May, June, or July, while it was occurring, the public condemnation of the organization would not have been as harsh.
Equifax learned from their mistakes. In 2018, former IBM Chief Technology Officer Bryson Koehler joined Equifax. Koehler’s mission included strengthening Equifax’s security framework and compliance, instilling sustainable business practices, and emphasizing the importance of investing in modern technologies to improve data security.
Solely Investing in Technology is Not Enough to Break The Double Standard
Cybersecurity is hands-on. End-user cybersecurity practices need to be followed and implemented across organizations, from the Chief Executive Officer to the temp receptionist. Everyone has a role to play, and everyone must take part. A chain is only as strong as its weakest link, and so too are organizations.
Common cybersecurity practice double standards in the workplace include:
- Employees leaving their workstations and offices unlocked, although they would never leave their home unlocked while at work
- Employees sharing confidential work information with visitors, although they would never share information like their social insurance number or health issues with strangers
- Employees taking their time to respond to cybersecurity threats, although they would call the police if they found their home ransacked
Cybersecurity practices are just as essential to respond to as their physical counterparts. Employees need to act proactively to halt breaches before they occur. Once a breach occurs, the public will find out and overreact. Heads roll, and the public circus blames individuals for leaking millions of customers’ records.
The Scapegoat Double Standard
Equifax’s actions are not solely the responsibility of the Chief Security Officer. Everyone in the organization had a role to play, not just Mauldin. So why is she responsible? She is not, but the public needs a face to blame. When robbers steal money from a bank, security guards who fail to prevent the robbers from entering the bank do not go to jail.
Scapegoating occurs in cybersecurity due to pressure. Everyone is pressuring the organization involved. The public wants answers, the government wants answers, and the media wants answers. Solutions in cybersecurity are not clean and simple, though, and neither should retribution be.
So how do we dole out responsibility proportionally?
The CARE System: Is It the Answer We Need?
Leading cybersecurity professionals have developed the CARE Standard for Cybersecurity. Here’s a brief breakdown of what this standard is trying to achieve:
- Consistent. Does a specific solution provide consistent results and controls?
- Adequate. Do you have the right level of controls in place based on your business’s needs?
- Reasonable. Does your solution have appropriate, fair, and moderate controls?
- Effective. Are the controls you have in place producing suitable results?
It’s no secret that the majority of large enterprises are heavily focused on achieving a high maturity level. But is this the right approach? And does a higher maturity level really mean anything without context?
The CARE system is designed to overcome these inconsistencies by relying on metrics and reports that work in line with governance processes and decision making. This outcomes-based approach drives key processes and investments based on how they impact the business in question.
How does it accomplish this? It leverages a system of continuous monitoring of these outcomes to allow for agile adjustments to cybersecurity priorities and investments.
The CARE framework has the potential to provide consistent results to businesses that adopt it, but larger change still requires the industry to reassess how it approaches cybersecurity in general.
The Solution to Cybersecurity Double Standards
Cybersecurity is all about agility, and larger companies are by their nature slower to respond than smaller companies. No company can know ahead of time if a hack is about to occur. Often, companies, like Equifax, only discover hacks and breaches after the incident has occurred.
Companies that respond more quickly, though, incur less damage and less wrath from the public. Just as in non-cyber security situations, reacting quickly and taking responsibility leads to better outcomes.
Also, beyond active threat detection or prudent employees, companies need to adopt more transparent business processes and practices. Like data flows, communication must enable greater cooperation between clients and companies, and among leaders within those companies. Keep in mind that cybersecurity activities are judged more by the company’s willingness to communicate than by technical solutions. Communication is key.
The best cybersecurity systems and defenses in the world will not matter if the information is not shared, or actions are not taken to both prevent and react to breaches and hacks. Look at Equifax. However, following cybersecurity best practices is the bare minimum a company should invest in. Companies need to approach cybersecurity based on their needs and find integrated solutions that provide seamless security to clients and customers, and within the organizations themselves.
Why? Because cybersecurity isn’t a one-size-fits-all solution. Cybersecurity is complex. Industry-wide frameworks and standards seem great in theory, but rarely work in practice. The only way we can overcome the cybersecurity double standard is by reimagining how we approach cybersecurity in practice.
How M87 Is Working to Solve the Double Standard
Here at M87, we are firm believers in customization when it comes to cybersecurity solutions. We know that no two businesses are the same, which is why we work to create personalized cybersecurity solutions for our clients.
Are you looking to improve your cybersecurity systems? Do you need help determining if your current solutions are capable of protecting your business?
M87 provides managed in-house cybersecurity services and consulting services to companies interested in improving communication flows, cybersecurity practices, and infrastructure. Let’s remove those double standards from your company today, and work towards a more secure future for all.