Last month’s hacking of the Amazon-owned gaming company, Twitch, made big news. The events that happened next were worrying. At first Twitch tightened security, in part by raising the number of characters required for a customer password, and then lowered it again in response to angry objections from customers who said it made logging in too difficult.
One customer from Texas went so far as to post on Twitch’s Facebook page: “If users want to use a bad password, that’s their problem, not yours.”
This customer backlash against a business that is simply trying to protect its customers from security breaches raises an important question – who exactly is responsible for Cybersecurity? Is it the government’s responsibility in the laws, policies and guidelines it creates? Are businesses in the private sector, which take our credit card and personal details and store them, to be held accountable for both internal breaches and external attacks? Or is it down to us, the consumer, to choose our passwords wisely and keep our information safe? The truth is that for a security policy to be successful, everyone involved at each stage of an online transaction has to take a certain amount of responsibility and work together to achieve the common goal of protecting society from malicious hackers.
UK Cybersecurity Essentials
In the UK, businesses that want to tender for government projects must adhere to the new baseline Cybersecurity standards set out in the five key controls of the Cyber Security Essentials scheme, which are:
- Secure configuration
- Installing boundary firewalls and Internet gateways
- Access control and administrative privilege management
- Patch management
- Malware protection
Although certification is not mandatory for private sector projects, hundreds of businesses such as Action for Children, Vodafone, SproutIT and ELEXON are getting certified to show they are taking Cybersecurity seriously. So here we see the public and private sectors working together and taking responsibility to ensure both their own Cybersecurity and ours. As Cabinet Office Minister Francis Maude observed in a recent ComputerWeekly interview:
“While it’s right the government leads by example, we can’t do it alone. There’s no single magic bullet to neutralise the cyber threat, but the one thing common to all our efforts – whether it’s about resilience, or awareness, or capability and skills – is co-operation.”
The government is now using funds from the National Cyber Security Programme to create Gov.uk Verify, which enables purely digital proof of identification with a decentralised data storage system. It is to be rolled out in the public sector with the hope that the private sector will quickly cooperate and follow suit. Mind you, the PwC 2014 Information Security Breaches Survey also found that “70% of organisations keep their worst security incident under wraps. So what’s in the news is just the tip of the iceberg”, so the private sector still has some way to go before the majority of businesses can claim to be Cyber Secure and operating transparently.
Barack Obama Fights Back
As the Wall Street Journal reported a couple of weeks ago, U.S. regulators are deeming corporate boards ultimately responsible for successful cybersecurity strategies, and even suggesting that individual directors and security officers should be held accountable and liable in the event of a breach. In January of this year, after Islamic militants allegedly hacked the U.S. Central Command Twitter and YouTube accounts, President Obama defended proposed new legislation creating a new level of corporate responsibility by saying:
“When these cyber-criminals start racking up charges on your card, it can destroy your credit rating. It can turn your life upside down. It may take you months to get your finances back in order…so this is a direct threat to the economic security of American families, and we’ve got to stop it.”
Stick to your Cybersecurity Guns!
This is all very well, but what do you do when your customers don’t want to play ball and your CSO’s job and your company’s reputation are at risk? Where your business is legally accountable for Cybersecurity and breaches put the business and individual board members at risk, it’s a good idea to dedicate a section of your website to informing your customers of the legal requirements and penalties and how the law is designed to protect them. A section explaining how your security strategy is designed to benefit them, and the risks associated with a breach, is also a good way of educating consumers. Similarly, responding to live feedback on social media with a brief explanation of the law, the risks and the repercussions could be helpful.
Ultimately, businesses need to stick to their guns and not bow down to customer complaints about increased security measures. They have a duty to all of their other customers and the nation as a whole to help stamp out attacks and breaches, and the only way to do this is for the public sector, private companies and individual consumers to collaborate and take joint responsibility. After all, these customers who are so vocal about the downsides of higher security will also be the first to complain about your business if your security systems fail and cybercriminals hack into their bank account and start spending their money!