Don’t shoot the messenger because Blame is a complicated Game
To some people, the topic of “Data Protection” is seen as a dull one and something they’d rather not think about. Yet in one week we have seen almost 1 million US citizens have their personal medical data exposed for almost 3 weeks on the internet. The cause: human error.
We also discovered this week that an HIV clinic in Singapore has exposed the details of almost 14,000 people suffering from this disease. The information was contained in a national database which all sufferers are required to register on, and it is this database that has been leaked. But whilst we might be hearing this today for the first time, it was actually leaked at the beginning of the year. The cause: a US citizen who had access to the information and is alleged to be using it for fraudulent purposes (allegations the individual denies).
But irrespective of the cause of the above breaches, the fact remains: there are hundreds of thousands of people who are now at risk of extortion, blackmail and fraud. This is a worrying trend that isn’t a ‘2019’ issue. It’s been an issue that has been growing over the last 10 years, so how can we combat this growing problem and who is really to blame for these breaches?
The Blame Game
Ultimately someone is clearly at fault. But I firmly believe ‘blame’ and ‘perpetrator’ are two distinctly different things.
The Perpetrator is the person who exploited the lack of security. The Perpetrator is the person who conducted the breach. But who is to ‘blame’? In my opinion the ‘blame’ needs to be more inclusive of, and rest on, the head of the organization. Usually (not always) it is at the head of the organization that we see the lack of investment in security and data protection. A lack of awareness of the risks. A lack of investment in training. A lack of investment in technology. A lack of investment in resources. A lack of investment in time.
The Smoking Gun
It is all too easy to lay the blame at the door of the person who caused a breach or who took actions which resulted in a breach (usually deliberately for personal or financial gain). And whilst I’m not letting these people off the hook, I am saying that in order to improve our approach to Cyber incidents and Data breaches, we need to take a closer look at ALL of the factors surrounding the event.
At Agenci, if a client experiences a breach we don’t just point to the ‘Smoking gun’ and exclaim we have found the issue! We conduct a true ‘Root Cause Analysis’ (RCA) to establish all the steps that led up to the breach, and sometimes those steps lead all the way back to the Boardroom.
Don’t Shoot The Messenger
When approaching an incident or data breach, our advice would be to look at the whole story. Don’t focus on the person at the end of the chain. They are like a messenger, and the message could be “This could have been worse” or “You caught me, but what else are you missing?”
You must deal with the ‘Messenger’ however you deem appropriate, but every incident, every event has the potential to teach us something greater than the event itself.
Take the opportunity and learn, not just from your own incidents but from those of others. Could YOU be the next headline we’re blogging about?
Put Data Protection and Cyber Security ON the agenda, before it BECOMES the agenda.
Agenci Information Security is responsible for protecting businesses from cyber threats, cyber-attack, internal threats and business outages. Agenci Information Security ensures clients’ systems are secure and provides peace of mind through a range of proven specialist information security solutions.