Now this is scary. CNBC has a story posted: Execs: We're not responsible for cybersecurity. The story was posted on April 1, but I do not think this is a joke.
More than 90 percent of corporate executives said they cannot read a cybersecurity report and are not prepared to handle a major attack, according to a new survey.
More distressing is that 40 percent of executives said they don't feel responsible for the repercussions of hackings, said Dave Damato, chief security officer at Tanium, which commissioned the survey with the Nasdaq.
"I think the most shocking statistic was really the fact that the individuals at the top of an organization — executives like CEOs and CIOs, and even board members — didn't feel personally responsible for cybersecurity or protecting the customer data," Damato told CNBC's "Squawk Box". ...
"As a result they're handing this off to their techies, and they're really just placing their heads in the sand right now," he said.
I suppose I should not be surprised, but I find it absolutely appalling that there could be this level of active ignorance at such a high level in an organization. What would it take to make said "leaders" actually care about security?
Current practices of providing a year or two of credit monitoring seem woefully inadequate compensation. What if the affected company had to make an actual cash payout of, say, $500 to every person who had their personally identifiable information (PII) compromised? Treble that amount if the notification is not "timely"?
(Score: 5, Insightful) by devlux on Tuesday April 12 2016, @11:23PM
The problem is they have 0 accountability.
If I run a business where I move cash for people, I have to post a bond, and if it turns out that money was stolen due to gross incompetence and negligence, then I can have my bond revoked and even be held civilly liable and possibly criminally liable if it turns out to be a matter of extreme incompetence. Example: we loaded the cash into a station wagon.
Personal information has monetary value, this value is far more than a couple years of credit monitoring.
Someone in the C suite responsible for the IT infrastructure of the company should have no damned problem at all understanding a security or vulnerability report, or they have no damned business failing that far upwards. Ergo, we establish laws that pierce the corporate veil in cases where there was gross incompetence with personal information, just as we would for gross incompetence in handling other data, like say Top Secret and Classified information.
Once his ass is actually on the line, you can bet he'd learn to read those reports and take swift action.
(Score: 2) by khchung on Tuesday April 12 2016, @11:38PM
The problem is they have 0 accountability.
Exactly. My first thought was "WHAT bad things would any CxO say they would be responsible for?" and I can't think of anything.
(Score: 3, Insightful) by davester666 on Wednesday April 13 2016, @05:52AM
Now, the exec's main responsibility is to say "You need to make do this year with a 10% cut to the tech budget. And plan for another 10% cut next year."
(Score: 4, Insightful) by edIII on Wednesday April 13 2016, @12:00AM
I'm totally on board with your post.... except it isn't entirely fair.
Execs are of course beholden to their nature, being greedy unethical sons of bitches, and aren't exactly very supportive of IT budgets in the context of security. It's all about the associated costs of failure compared to the profit. They do bear a large portion of the guilt, and should be properly excoriated.
That being said, how can we reasonably expect security to exist in the same space that state sponsored and state level actors operate in? It's hard enough to secure a database without the NSA deliberately weakening your security. It wasn't a hacking group of 13 year olds that took out RSA for lulz, but a very coordinated and highly sophisticated state level attack. Most likely from China. That was our "highest" level of security in the market apparently, RSA SecurID? I know it was their flagship product, at least, reverse engineered and hacked after only ~2 weeks with trade secret information.
The government bears a significant and non-trivial portion of the guilt. They have literally been in an organized concerted effort to lower all of security, while not actually securing themselves either. You're demanding remuneration for receiving a rotten hamburger in a land of decay where a perfect hamburger is now logically precluded.
I'm not saying to do nothing to these executives, or to not hold their feet to the fire. Just be reasonable and realize they are up against tremendous odds and very unreasonable powers to guarantee the safety and privacy of your data.
The $500 per record should only happen in cases of extreme negligence, not that somebody forgot to patch an SSL vulnerability created (or at least engendered) by the NSA.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 4, Insightful) by tibman on Wednesday April 13 2016, @12:51AM
Leaving unpatched boxes connected to the internet for years is not reasonable. Any audit at all would be useful. Executives saying they aren't responsible for security is just as bad as saying they aren't responsible for safety. It starts at the top!
SN won't survive on lurkers alone. Write comments.
(Score: 3, Insightful) by edIII on Wednesday April 13 2016, @02:18AM
I never said leave something unpatched for years, but was talking about reasonable time periods and reasonable performance standards. An absolute law that penalizes all disclosures at $500 per pop, without any nuance or qualifications is a very bad idea.
All you've alluded to is keeping up with something like PCI-DSS compliance, which isn't enough. There is no way you could say with a straight face that simply following their guidelines will keep you from all data breaches.
It's a lot tougher than that, and the government bears a HUGE amount of the responsibility for creating the security environment we have now. You could be following everything to the letter, including all of the recommendations of the NSA, and yet still be subject to a data breach. That breach could be a direct result of the NSA either being disingenuous, two-faced, or just plain lyin' about what algorithms and practices are secure.
I'm loath to throw anyone in jail (or gut the company) when the "accomplices" are in government. We can't have security weakened, execs in jail for it, and NSA agents being rewarded for good performance. That's all I'm trying to say.
It's Execs + NSA. Hold them both accountable.
(Score: 2) by Wootery on Wednesday April 13 2016, @10:26AM
You're overstating the damage done by the NSA, no?
(Score: 2) by edIII on Wednesday April 13 2016, @06:44PM
You're understating the damage done by the NSA, no?
We still don't know the full extent of their exploits that they've deliberately developed, and purchased. We can't since they're allowed to remain hidden and unaccountable to the United States Constitution. Remember, the FBI just purchased information from gray hats (pieces of shit, more respect for black than gray). So it's not just the NSA, and not even just the FBI. They literally help foment a black market for exploits, since they are a huge buyer. Along with many other governments, but ours is actually supposed to protect us. I don't believe that White House oversight committee for one split fucking second. They say they're heavily biased towards disclosure, but then admit that intelligence community directives are "considered" (Read: Followed).
The NSA has compromised our encryption, and continues to attempt to do so. What they did with random number generation to predict the numbers was truly impressive, and that's just the tip of the iceberg. The NSA also operates the TAO which is physical intercepts of equipment to install back doors, hardware or software.
So, ummm, no I don't think I'm overstating anything actually. The NSA is directly responsible for a non-trivial and significant portion of the weakening of our cyber security. Plain and simple.
(Score: 2) by Wootery on Thursday April 14 2016, @10:40AM
You certainly make good points, but what proportion of real security issues are the fault of US government agencies?
My gut feeling is that security is already so difficult that the misbehaviour of the NSA/FBI probably isn't as significant as you're making out.
(Score: 5, Insightful) by frojack on Wednesday April 13 2016, @02:11AM
The problem is they have 0 accountability.
Oh, come on.
They have the same accountability as they do for fire protection of the company's various warehouses.
They might not be able to read a fire marshal's report or an insurance adjuster's report, or a surgeon's report from a burn ward. They don't know a single thing about sprinklers or alarms or escape routes or Fire Department response times. And nobody expects them to know this. They have people for that.
But that doesn't mean they get off scot-free when 6 warehouses burn down and are found to have no insurance, have let the alarm contract lapse, and stored known high-risk materials in the buildings. Heads below them will roll, but if it's bad enough the CEO's head will roll as well.
CEOs serve at the pleasure of the board.
No, you are mistaken. I've always had this sig.
(Score: 2, Troll) by Dr Spin on Wednesday April 13 2016, @07:23AM
Actually, yes they do get off in most cases.
What is needed is a firm legislative reinforcement of the position that (especially) in a limited liability "If a crime is committed by the organisation - the liability of the directors is completely unrestricted. The directors are jointly and severally liable for everything that the organisation (i.e. ANY and ALL employees) has done unless it can be shown that they actively took all steps available to them as individuals. I.e. "I did not know it was going on" is proof of guilt." You are employed to know, that is what your job IS, and if you did not know, then you were not willing or able to do the job. If you fail, you should be banned from being a director - in addition to the full penalty for whatever was done.
I speak as a company director. This is what I was taught the rules are (or were, 30 years ago).
It is also my understanding that society allows me to incorporate a company because it is in society's interest. If it is not in society's interest for the company to operate (or the company is wilfully operating against society's interests) then society should be free to dissolve the company. (E.g. pharma companies taking decisions to discontinue products leading to the death of patients who need the medication.) If the law does not say this, it would be easy to change it - subject to voters taking responsibility for who they vote for.
No, I do not support the "fight for the right to be exploited" party.
Warning: Opening your mouth may invalidate your brain!
(Score: 4, Insightful) by frojack on Wednesday April 13 2016, @06:51PM
"If a crime is committed by the organisation - the liability of the directors is completely unrestricted. The directors are jointly and severally liable for everything that the organisation (i.e. ANY and ALL employees) has done unless it can be shown that they actively took all steps available to them as individuals. I.e. "I did not know it was going on" is proof of guilt."
So nothing bigger than a Mom and Pop corner grocery store could exist in your special little world then, right? Because if some pimply faced kid spits in a burger he is frying for his rival, the CEO goes to jail because he is obviously guilty of not personally supervising that pimply faced kid, and all the other 250,000 employees.
Sorry, but you are delusional. That world has NEVER existed other than the person to person barter world. I'm guessing you're about 14 years old, never held a job, never employed anyone, and sure as hell never ran a business.
The very reason corporations exist since Roman times ~527 AD, is because civilization has learned that nothing of size can exist based on the work of a single individual, or even a small group, where each individual is 100% responsible. Sooner or later you have to employ someone else.
(Score: 0) by Anonymous Coward on Tuesday April 12 2016, @11:25PM
Their job is to exploit customer data, not protect them.
Next thing, you'll be surprised the water is ... OMG, it's WET?!!!
(Score: 2) by bob_super on Tuesday April 12 2016, @11:38PM
You see, if I'm a stockholder, the bad publicity and liabilities of a data breach are going to make my shares drop. I might even sue your ass if I'm not happy.
It's your job to prevent that.
(Score: 5, Insightful) by Dunbal on Tuesday April 12 2016, @11:40PM
No, see, you'll sue the COMPANY'S ass, not MY ass. After all, I'm only the CEO, I do what the board says. Of course the board can always remove me, and I promise I will cry every night into my 100 million dollar golden parachute.
(Score: 1) by Francis on Wednesday April 13 2016, @12:04AM
The thing is that security costs money, a lot of money, every month. Security breaches might not happen for a number of years. The average period that a stock holder holds the stock is less than a year.
The end result is that the expected value of the security is less than the expected value of the money that they're saving by not properly securing things. The end result is that the unethical assholes don't bother doing anything about it, knowing full well that they'll probably get a golden parachute if it happens before they leave the company.
(Score: 3, Informative) by MostCynical on Tuesday April 12 2016, @11:41PM
what is customer data worth?
What is it worth to the CxO?
Effectively, nothing.
A CEO or Managing Director may have to go out and say "mea culpa" when some data goes free.
Otherwise, "so what?"
Some countries do make an effort:
https://www.oaic.gov.au/privacy-law/privacy-act/australian-privacy-principles [oaic.gov.au]
So there can be consequences:
https://www.oaic.gov.au/privacy-law/enforceable-undertakings/ [oaic.gov.au]
But even then, prosecutions are rare.
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 4, Insightful) by dltaylor on Wednesday April 13 2016, @12:44AM
If it doesn't hurt them, they have no reason to care. Even payouts are going to be covered by insurance, or some such, as a "cost of doing business". 5 years for the CxO, 3 for the president, 2 for the VPs and 1 for the directors. All as felonies serious enough to make them unemployable as senior business management. Then, they will care to put enough into the budgets to hire the right people, and give them the authority to make the needed changes.
(Score: 4, Interesting) by Anonymous Coward on Wednesday April 13 2016, @12:44AM
Then I learned that "security admin" is corporate jargon for "scapegoat with all the responsibility and no authority".
And I changed my career.
"Our customer data is running on an unpatched version of Windows. We are vulnerable to total ownage by any script kiddie bored enough to target us, or botnet that never gets bored."
"But it's in production! We can't change stuff in production without a change window and QA and three weeks of dev time!"
"Fine, then do the three weeks and stuff, and let's fix it."
"But we can't do that, we'll blow all our deadlines!"
"Sheesh, OK, this is really stupid, but do it after your deadlines."
"Uh, no, then we have these other deadlines coming up, see, and security isn't a priority, and it's the ides of March and nobody cares about hacking us anyway, and it's so much like hard work and ..."
"Right, great. I see which way the wind is blowing. Scuse me, I have a resume to upda ... I mean, paperwork to do."
Yes, they did get owned like the new meat in the jailyard.
(Score: 2, Informative) by Anonymous Coward on Wednesday April 13 2016, @01:39AM
L.L.C. It's a way to not give a shit, and not be liable when it hits the fan.
(Score: 0) by Anonymous Coward on Wednesday April 13 2016, @03:41AM
"I think the most shocking statistic was really the fact that the individuals at the top of an organization — executives like CEOs and CIOs, and even board members — didn't feel personally responsible for cybersecurity or protecting the customer data,"
That's because the data is not the customer's (I know, there's not a possessive in the quote), it's OURS! The customer has nothing to lose when there's an incident.
(Score: 1) by zugedneb on Wednesday April 13 2016, @04:02AM
...other products made by engineers...
So why take responsibility?
Other stuff is made by actually educated people within material science and mathematical modelling...
The companies are regulated by law and government, the certificates are not given freely.
What is software compared to that?
How could any sane man take "responsibility" for the crap that is installed on the server, when not even the manufacturer dares to give a warranty?
old saying: "a troll is a window into the soul of humanity" + also: https://en.wikipedia.org/wiki/Operation_Ajax
(Score: 0) by Anonymous Coward on Wednesday April 13 2016, @02:01PM
90% of everything is crap
(Score: 0) by Anonymous Coward on Wednesday April 13 2016, @03:44PM
Especially if it is not Scottish.
(Score: 2) by fadrian on Wednesday April 13 2016, @03:26PM
What you always have to do when people care only about the numbers - hit them in the pocketbook. By government action, by public action, it doesn't matter. But you do have to do it. Otherwise, they will continue not caring.
That is all.