The Cybercrime Blame Game: It’s Time to Unite the Industry Against a Common Enemy.

The need for the cybersecurity industry to work together in order to combat the rising threat of cybercrime.

By Brendan Kotze, Chief Executive Officer at Encore

When someone breaks into a house, who would you hold responsible: the intruder or the victim? Naturally, most of us wouldn’t blame the victim for not having secured their house well enough – we’d blame the thief for breaking in.

Why then, do we not hold this same view when it comes to cybercrime?

When a cyber-attack occurs, people are very quick to point fingers at the victim, the general view being that the business failed to implement the necessary security practices. However, cybersecurity is a complex and integrated problem that requires total visibility into every control in order to find a solution; there isn’t a switch that automatically makes you secure.

It’s not as simple as locking the few doors and windows on your house; it’s the equivalent to deadlocking and placing bouncers on thousands of inconspicuous endpoints across the network.

This isn’t to say that all organisations are blameless; poor cyber hygiene still exists across industries that needs to be addressed with haste. But we need to break the habit of playing the blame game, and work together against a common enemy.

A single breach triggers an enormous fallout.

To put this issue into perspective, we can refer to one industry in particular that frequently finds itself in the sights of global cybercriminals: the world of finance.

This lucrative sector not only faces relentless bombardment from attackers, but they must also then manage the equally damaging repercussions once customers and partners catch wind of their predicaments.

Banks especially face a fall in share price once an attack becomes public knowledge. They also risk losing customers if there is a perceived risk to personal finances and private information. At the end of the day, banking is built on trust and once that trust is broken, it’s extremely challenging to re-establish.

Beyond their customers, banks also face fines from regulators and privacy boards, and if a cyber-attack is not handled with care and proper disclosure, employees lose trust in the organisation.

The victim of cybercrime is therefore impacted from multiple angles, whether that be their consumer base, internal staff, regulators, the wider community, or even insurers who could refuse cover. Ultimately, when it comes to a cyber-attack, there is a shared responsibility with more than one party at fault, just as there are more victims beyond the original target. For example, if a bank is charged with higher insurance premiums, as is often the case post-breach, this inevitably trickles down to the consumer in the form of increased banking charges.

More victims, more responsibility

When personal information is stolen, whether that be banking details, names or addresses, this often then translates into other forms of crime such as identity theft, false transactions and even physical crime. For example, a criminal might be able to gain access to a personal email or social media account as a result, which can then be used to identify when a victim is away from home, leaving the house vulnerable. Stolen banking information can also result in indirect monetary fraud when the information is used to legitimize phishing emails.

It is easy to focus the blame on certain individuals, such as data processors, when something goes wrong but there needs to be more back-end support from a cybersecurity perspective, as well as support from a governance standpoint given how highly regulated this particular industry is.

Cybersecurity is already considered a grudge purchase given the astronomical costs of running it, without an easily demonstrable ROI in the absence of a breach. As with all investment, there needs to be a round-the-clock business incentive. However, since cyber-attacks are now inevitable, we can argue the incentive already exists. It’s just a case of translating that to the organisation.

What are the next steps?

Victim blaming and shaming needs to be addressed as it simply compounds the issue. We need to accept shared responsibility with mature accountability in place in order to solve this complex issue.

At the end of the day, it’s critical infrastructure within the economy that’s being targeted, and even though they are private institutions, the impact of a cyber-attack creates devastating ripple effects beyond the company itself and its clients, as we’ve seen with attacks on businesses such as the Colonial Pipeline incident in 2021. The regulatory and government support (dare I suggest financial rebates and incentives for responsible security spending) behind these types of organisations should therefore match the risk at a national level.

When some of the world’s largest and most established organisations are being targeted and breached – their security systems armed to the teeth with advanced technology – it’s clear that attack campaigns are becoming more sophisticated by the day. We shouldn’t be so quick to assume that businesses are in the wrong. If the necessary security practices are not in place, the right authorities will and should address non-compliancy.

In the meantime, we should be working together as an industry to support these businesses and turning our attention to the real enemy that is already planning its next attack.

About the Author

Brendan is the CEO of Encore, the unique industry tool that combines Cyber Asset Attack Surface Management and External Attack Surface Management. It provides complete visibility over an organisation’s estate to present a consolidated view of your security posture.

Brendan brings more than 13 years of progressive technical and business expertise, and his knowledge and methodologies have advanced through years of fundamental network communications work.