{"id":14977,"date":"2014-07-10T16:13:54","date_gmt":"2014-07-10T16:13:54","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=2217"},"modified":"2019-11-15T07:16:15","modified_gmt":"2019-11-15T12:16:15","slug":"who-is-really-to-blame-for-cybersecurity-breaches","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/who-is-really-to-blame-for-cybersecurity-breaches\/14977\/","title":{"rendered":"Who is Really to Blame for Cybersecurity Breaches?"},"content":{"rendered":"<p>The vast majority of IT organizations today have a big problem: the rest of the company considers them to be 100% responsible for cybersecurity. Holding them accountable for some aspects of cybersecurity makes sense, but they certainly can\u2019t be considered <em>wholly responsible<\/em>. In fact, IT staff are really in about the same position as police officers: while cops can discourage criminals and thwart some crimes, they certainly can\u2019t be considered responsible for every successful crime that occurs. Nor is it their fault that so many people leave their doors (or mobile endpoints) unlocked and become unwitting targets. And yet, organizations very often fire someone in IT, if not the CIO, when breaches occur.<\/p>\n<p>Security isn\u2019t necessarily a hard problem to solve. If IT had complete control over the organization, they could easily ensure there were never any breaches: dig a moat around the company, throw in a hundred alligators and prohibit anything or anyone from coming in or going out. It\u2019s simple, albeit medieval.<\/p>\n<p>Of course businesses cannot function with this sort of \u201cisolation solution\u201d. It\u2019s impossible for any enterprise to succeed today without multiple ingress and egress points for people, information and communication. And with all those moving parts, there are many things IT can\u2019t control. 
One solution is to come up with an equation that helps gauge the degree to which IT can or should be held accountable for cybersecurity.<\/p>\n<p>Insurance companies have created good models for this: when examining a traffic accident, for example, they determine precisely what percentage of blame each element involved in the crash is responsible for. The key factors might include: weather (5%), worn tires (12%), the driver\u2019s inexperience (17%) and the pig in the intersection (66%). If we actually applied this sort of formula to any given breach of a company, we would probably have to conclude that IT is <em>less than 20% responsible<\/em>.<\/p>\n<p>Other factors to consider when assessing fault in a cyber breach include:<\/p>\n<ul>\n<li>Executives don\u2019t support employee cybersecurity training<\/li>\n<li>Marketing has launched new \u201ccustomer portals\u201d, greatly increasing the company\u2019s attack surface\n<ul>\n<li>The data captured from these portals is valuable to cybercriminals<\/li>\n<\/ul>\n<\/li>\n<li>Executive staff are regularly spear-phished<\/li>\n<li>Mobile policies are regularly violated\n<ul>\n<li>Employees download free apps from suspect sources<\/li>\n<li>Employees connect personal mobile devices directly to the business network<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p style=\"text-align: center;\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/07\/06020039\/800-2-1.jpg\"><img decoding=\"async\" class=\"alignnone size-full 
wp-image-2219\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/07\/06020039\/800-2-1.jpg\" alt=\"800-2\" width=\"800\" height=\"534\"><\/a><\/p>\n<p>IT rarely has the ability to constrain any of these activities, yet every single one of them compromises the company\u2019s security.<\/p>\n<p>Such a scenario is unfair to IT. But the bigger concern is that as long as IT acts as the \u201cfall guy\u201d, none of the other departments in the company are taking responsibility for the security ramifications of the choices they are making.<\/p>\n<p>Here are a few suggestions for fixing the problem:<\/p>\n<ol>\n<li>Publicize the responsibility equation and identify the departments and individuals who had some involvement in a breach. (A side benefit: it might actually embarrass people into following policies.)<\/li>\n<li>Add a question at the bottom of every IT request that reads: \u201cWhat effect will your request have on the company\u2019s level of cybersecurity?\u201d\n<ul>\n<li>Increase<\/li>\n<li>Decrease<\/li>\n<li>Neutral<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<p>At first, people may not understand the question and will leave it blank. When they learn the field is mandatory, they will choose \u201cneutral\u201d. IT can then step in and explain that security risk usually increases when expanding a network or collecting and storing additional valuable customer data.<\/p>\n<p>Over time, employees can be re-trained to understand the true definition of a company\u2019s cybersecurity posture. 
\u201cSecurity posture\u201d is less controlled than it sounds. Yes, it\u2019s formed by hardware, software and the hopes and dreams (aka \u201cmandated policies\u201d) of the IT organization, but it is also shaped by the constant security choices each employee makes on a daily basis.<\/p>\n<p><em>Cynthia James is Director of Business Development, CISSP, for Kaspersky Lab\u2019s technology integration group. Her career in IT spans 25 years, with eight years spent in the anti-cybercrime arena. James speaks often on cybersecurity topics and is the author of <\/em><a href=\"http:\/\/www.amazon.com\/Stop-Cyber-Crime-Ruining-Your\/dp\/0615789714\" target=\"_blank\" rel=\"noopener nofollow\"><em>Stop Cybercrime from Ruining Your Life! Sixty Secrets to Keep You Safe.<\/em><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>IT departments take most of the responsibility for the company\u2019s cybersecurity. However, how fair is it to charge them with 100% of the responsibility for everything that happens there? 
Cynthia James shares her thoughts on this matter.<\/p>\n","protected":false},"author":392,"featured_media":15926,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[282,2128,1091],"class_list":{"0":"post-14977","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-cybersecurity","10":"tag-cybersecurity-breaches","11":"tag-it"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/who-is-really-to-blame-for-cybersecurity-breaches\/14977\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/who-is-really-to-blame-for-cybersecurity-breaches\/14977\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/who-is-really-to-blame-for-cybersecurity-breaches\/14977\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/cybersecurity\/","name":"Cybersecurity"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14977","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/392"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=14977"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14977\/revisions"}],"predecessor-version":[{"id":30828,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14977\/revisions\/30828"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15926"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\
/v2\/media?parent=14977"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=14977"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=14977"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}