SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Blame culture only makes data breaches worse
Fri, 8th Feb 2019

Australians have discovered that Australia is not an isolated island nation that no one wants to attack: local businesses are just as at risk from cyber threats as any other business in the world.

In fact, the most recent report from the Office of the Australian Information Commissioner (OAIC) based on notifiable data breaches (NDB) suggests that Australian organisations face significant challenges in keeping data secure.

However, businesses won't be able to improve their security stance until they move on from a culture of blaming the victim and begin sharing information more readily, according to Palo Alto Networks.

“The great thing about the NDB legislation is that businesses are coming forward to report that they have been breached and hopefully this means that others can learn from what's happened to them,” says Palo Alto Networks Asia Pacific and Japan vice president and chief security officer Sean Duca.

“Rather than hiding the fact that they've been attacked, businesses have been forced to bring it out into the open. More work needs to be done to learn from these breaches so we can all better defend ourselves. Saying that it was malware or a misconfiguration in an application is not enough; we need to know more, and also ask ourselves and our business: could this happen to us?

“In the past, businesses have been reluctant to admit when they've been breached because the backlash has been immediate and harsh. Instead of focusing on the breach itself and lessons that can be learned, there is a heavy focus on criticising the business for being attacked in the first place. This focus needs to shift so the entire business ecosystem can benefit from increased information sharing.

Cyber criminals learn from every security breach - they discover weak points and possible vulnerabilities, and they learn how to exploit them for maximum gain.

Businesses must take the same approach in terms of learning from attacks and determining the best way to close those gaps and protect against future breaches.

“For example, Australian software-as-a-service vendor, PageUp suffered a high-profile breach last year and was pilloried for it. There needs to be a new culture in which companies that suffer breaches feel confident to share more information,” Duca says.

“As James Turner said not long after the breach was disclosed: ‘The first lesson is that we need the victim to survive. Once PageUp is safely through this incident, one of the most valuable things its executives can do for the industry is to share their experiences and the lessons learnt.’

“This is key. Until organisations feel safe in sharing that information, other businesses won't be able to learn from these breaches. This will mean Australian organisations will always be at least one step behind the cybercriminals.”

Putting learning in the hands of every organisation, from small businesses to large enterprises, will help boost the immunity of all organisations in the country.

However, businesses will only be able to do so when the response to breach disclosures moves on from victim-shaming and focuses on the lessons that can be learned.