IP EXPO: Responsibility and blaming the victim

When cyber-criminals breach a company, why do we so often blame the company?

The issue of responsibility figured heavily in today's panel on the future of cyber-security at IP EXPO Manchester.

Dr Daniel Dresner, a consultant and lecturer in information and cyber-security at Manchester University, started his chairmanship of the panel by saying how he hopes to see the day when “people get as angry with the cyber-criminals as we do with suppliers,” vendors and service providers.

Essentially, when breaches do happen it's often the victims that get blamed and perhaps less so the perpetrators. 

Lee Barney, head of cyber-security at Marks and Spencer, said that if someone broke into a head office or a data centre to steal thousands of customer records, the company wouldn't be blamed for that, so why does “it tend to be the person who holds the data who is held to account?”

“We shouldn't forget it's the criminal that committed the criminal act,” he said. If someone steals a tractor, they get blamed, not the owner of the tractor, so why doesn't that principle apply in the realm of cyber-security?

Paul Ducklin, chief technologist at Sophos, countered this argument by saying that customer data isn't a tractor. 

Data is a commodity for a company; it's literally a way of making money. Whenever a major company holding massive amounts of customer data is breached, “there's always these giant excuses”, but “if you're doing this for a commercial reason then it's your responsibility”.

Until organisations realise that this "rampant" collection of data means taking responsibility for it, “I think people have the right to point the finger”.

We have to get away from the mindset that plagued companies like TalkTalk, added Ducklin, who said that the law didn't require the company to encrypt its customers' data, so it didn't.

Still, the individual consumer can't get away that easily. Flash is not a piece of software considered particularly secure by the wider cyber-security community. It's well known to be full of vulnerabilities, so those in the know have little excuse when they're attacked through a vulnerability in the Flash player.

Android and Apple users have done without Flash for years now - why even use it? 

Said Ducklin, “When a risk gets too big, it's our fault for not doing more.” 

Dresner appeared to agree, telling an audience member who had to sort out her elderly mother's computer, “It's your mum's fault for buying that computer.”