Blame the victim

I’m going to take a possibly unpopular stance here. Forget everything you know about 21st-century offence culture. In cyber-security, it’s OK to blame the victim.

  • Yes, the police should do more to catch cyber-criminals.
  • Yes, the government should do more to discourage them.
  • Yes, the world as a whole should work together to stamp this menace out.

But none of this is going to happen any time soon.

It doesn’t help that we have such an ambivalent attitude to cyber-crime. Stealing credit card data? Bad. Stealing confidential client data from a Panamanian law firm? Good. Apparently. It’s also alright, it seems, to handle stolen goods even if stealing them is still reprehensible – or else why did Wikileaks put a searchable archive of the email data stolen from Sony Pictures onto the internet? It’s still there. It’s still – by law – private property that was taken without consent. And on the same page is a “Donate” button – so in a sense they’re profiting from that stolen property.

Last Monday I said how clever some hackers were. Which is true, but you don’t have to be clever to hack if your victim is stupid. Given that there’s a tsunami of cyber-crime going on, that the tools for doing it are available to all, and that the rewards currently vastly exceed the risks, it’s up to you to protect yourself.

If you fail to take basic security procedures, and you get hacked, it’s your fault.

If you’re the Mexican government, and you put the personal information of 93 million voters into a database which you store in the public cloud with no password protection, it’s your fault.

If you’re a “millennial” and you store your credit card PIN number on your phone, then download some malware in the hope of a free version of a paid game, and lose all your money, it’s your fault.

If your website still has a vulnerability that was first discovered five years ago, and you lose 111,000 payment card details and get fined £175k, it’s your fault.

If you save your unprotected confidential documents to the desktop of a hotel business centre PC, and your rivals find them, it’s your fault.

If your anti-virus software is out-of-date; if you don’t do basic security awareness training; if your firewall hasn’t been updated since you installed it; if you don’t encrypt data at rest; if you don’t patch your operating systems and applications routinely; if you don’t operate some basic physical security precautions; if you don’t have a half-decent password complexity and change policy; if you don’t do routine account and privilege reviews; if your users have local admin access on their PCs; if you give guests access to your corporate wifi; if you let staff use whatever file-sharing services they choose because you won’t invest in a corporate solution; if you don’t audit your suppliers’ security; if you… I could go on for some time, but you get the idea. It’s your fault.

No-one except you can protect you. No one product, technology, or process will save you from all ills. Wake up and shape up, or get hacked. It’s that simple.
