Let’s Talk About Responsibility
There’s a difference between what we should and what we must do.
As a professional cybersecurity technician, I spend a fair bit of time roaming the internet to find news articles and press releases about exploited vulnerabilities. Keeping an eye out for the latest news, tricks, and traps is an essential part of the job.
News about cyberattacks on businesses is actually a relatively new phenomenon; just over a decade ago we rarely saw news articles about companies being attacked by hackers, and what we did hear was far less frequent. Of course, it’s not because these attacks didn’t happen, but rather because most companies didn’t go public about them. The only time cyberattacks hit the news was when the target company was large, well-known, and someone spilled the beans. It didn’t make any difference if people’s personal data had been stolen; it was the reputation of the organization, or rather damage to that reputation, that was newsworthy.
So, what changed? It’s nice to think companies recognized they should inform clients when hackers gained access to their information, but that would be wishful thinking. No, the real answer is just that legislators realized businesses were protecting their bottom lines more than their clients’ information and had to compel them to announce when cyberattacks struck personal data. In other words, it became illegal not to go public about breaches, at least in some circumstances, which is ultimately a good thing even if it’s done out of a sense of obligation rather than responsibility.
Every organization has a responsibility to the people who purchase its goods and/or services. For a municipality, taxpayers are the customers. Now it’s true that if news about someone in your organization making an egregious error becomes public, it can negatively impact your reputation, but—and this is speaking from years of personal experience watching companies repeatedly dodging hard questions about their cybersecurity to protect their rep—organizations that publicly admit to making a mistake often come out of it with a better reputation, or at least a less damaged one, than those that are obviously dissembling to save face before getting called out for it.
This quote comes from Measure for Measure: “Condemn the fault, and not the actor of it?”
For more information about best practices for handling cybersecurity breaches, contact a TRINUS cybersecurity professional to get yourself some stress-free IT.
Be kind, courtesy of your friendly neighbourhood cyber-man.