The answer to the question Who’s To Blame For A Cyber Attack? seems simple. It’s the cyber criminal. The perpetrator of the crime.
But, imagine you’re walking along the street one day and you are mugged. The attacker is polite but firm, you are left in no doubt you have no choice but to comply. You hand over your wallet/purse, watch, keys and phone. You report the incident to the police, but are told the chances of recovering your goods are very slim.
Now imagine having to report the crime you’ve suffered to another agency. This one will question how you obtained the goods, whether you followed the correct processes, why you were in the area and what exactly you had in place to protect yourself.
This sounds a lot like victim blaming.
However, this is what happens when you are the victim of cybercrime and lose data.
Could you be to blame, even if you’re not to blame?
We are not going to get into a discussion on victim blaming, it goes well beyond the scope of what we are talking about here. But cybercrime does seem to be one of the areas where victim blaming is treated as acceptable. It’s even backed up by legislation – the GDPR.
Of course the GDPR is much more than just a stick to beat victims of cyber crime. But the point is valid. If you are the victim of a cyber attack you’re going to have to demonstrate that you had appropriate technical and organisational measures in place to prevent that crime. If data is stolen you’re going to have to explain where you obtained that data from, how you obtained it and why you held it. And if you’ve got any of those bits wrong you could see a fine on top of the cost of the crime.
Realistically the Information Commissioner’s Office (ICO) is not out to further punish victims of crime. Far more fines have been issued for shady cold calling schemes and the like. But British Airways, who received the biggest fine issued so far under the GDPR, were the victims of a cyber attack.
The 2018 British Airways Hack
In 2018 a hacker accessed personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers. Other details thought to have been accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers. Usernames and passwords of BA employee and administrator accounts as well as usernames and PINs of up to 612 BA Executive Club accounts were also potentially accessed.
BA suffered adverse publicity and a hit to their reputation. Potential victims were encouraged to contact their card issuers and change online passwords. The perpetrators have never been caught. Indeed it’s very difficult to find any information about the people who carried out the attack. The press angle seems to be pointed at BA as the bad guys. The ICO initially issued a notice of intent to fine BA £183m – this was later reduced to £20m, largely because of BA’s representations and the hit the airline took from the Covid-19 pandemic.
There is no doubt that BA should have done more to protect their customers’ data. Simple, low cost things such as limiting access to systems and turning on multi-factor authentication – a feature already available in BA’s systems – were not done. It’s hard to feel sorry for BA, but what if it was your business? How would you feel then?
Who’s To Blame For A Cyber Attack?
We are sticking with our answer: ultimately it’s the perpetrators. But you can also see it’s not as simple as that. You need to protect yourselves. As experts in this field we are going to say something strange. Don’t rely on the experts in this field! What we mean by that is that nobody can guarantee to make you 100% safe from a cyber attack.
Cyber security is a whole business responsibility. A large share of attacks start with an individual clicking the wrong thing, not with a failure of technology. Simply assuming your internal or external IT department is ‘dealing with cyber security’ is a dangerous attitude.
We’d also remind people that GDPR is more about internal processes for collecting and keeping personal data than technical solutions to prevent an attack.
Businesses need to take responsibility for their data and for their security. The GDPR is still around. The number of GDPR consultants cashing in on the fear might have dwindled, but the regulations are still very real.
Partnering with a company that can offer expert advice on security is important. Working together you can assess the risks and put in place the tools to help you. This might be as simple as restricting access to certain folders on your network, or enabling MFA.
I think we need to slightly reframe the question from who’s to blame for a cyber attack? to who’s going to experience the biggest fallout from a cyber attack? That tells you who should be taking the lead on trying to prevent an attack and ensuring the effects of it are mitigated as much as possible. This doesn’t mean you can’t get help, you should. But you shouldn’t abandon all responsibility and think it’s someone else’s problem.
One of the things we’d recommend for any business is to obtain Cyber Essentials and/or Cyber Essentials Plus certification. Of course it is not a silver bullet, but it does show any external body, including the ICO, that you have a framework for cyber security in your business. It’s a relatively low cost way to get an externally assessed check of your security: Cyber Essentials is a verified self-assessment, while CE Plus adds independent technical testing of your systems. It would also ensure that you’re doing some of the basics, such as controlling user access, that BA failed to do.