posted by cmn32480 on Tuesday April 12 2016, @11:16PM
from the need-to-fix-their-little-red-wagon dept.

Now this is scary. CNBC has a story posted: Execs: We're not responsible for cybersecurity. The story was posted on April 1, but I do not think this is a joke.

More than 90 percent of corporate executives said they cannot read a cybersecurity report and are not prepared to handle a major attack, according to a new survey.

More distressing is that 40 percent of executives said they don't feel responsible for the repercussions of hackings, said Dave Damato, chief security officer at Tanium, which commissioned the survey with the Nasdaq.

"I think the most shocking statistic was really the fact that the individuals at the top of an organization — executives like CEOs and CIOs, and even board members — didn't feel personally responsible for cybersecurity or protecting the customer data," Damato told CNBC's "Squawk Box". ...

"As a result they're handing this off to their techies, and they're really just placing their heads in the sand right now," he said.

I suppose I should not be surprised, but I find it absolutely appalling that there could be this level of active ignorance at such a high level in an organization. What would it take to make said "leaders" actually care about security?

Current practices of providing a year or two of credit monitoring seem woefully inadequate compensation. What if the affected company had to make an actual cash payout of, say, $500 to every person who had their personally identifiable information (PII) compromised? Treble that amount if the notification is not "timely"?


  • (Score: 5, Insightful) by devlux on Tuesday April 12 2016, @11:23PM

    by devlux (6151) on Tuesday April 12 2016, @11:23PM (#330896)

    The problem is they have 0 accountability.
    If I run a business where I move cash for people, I have to post a bond, and if it turns out that money was stolen due to gross incompetence and negligence, then I can have my bond revoked and even be held civilly liable and possibly criminally liable if it turns out to be a matter of extreme incompetence. Example: we loaded the cash into a station wagon.

    Personal information has monetary value, this value is far more than a couple years of credit monitoring.
    Someone in the C suite responsible for the IT infrastructure of the company should have no damned problem at all understanding a security or vulnerability report, or they have no damned business failing that far upwards. Ergo, we establish laws that pierce the corporate veil in cases where there was gross incompetence with personal information, just as we would for gross incompetence in handling other data, like say Top Secret and Classified information.

    Once his ass is actually on the line, you can bet he'd learn to read those reports and take swift action.

  • (Score: 2) by khchung on Tuesday April 12 2016, @11:38PM

    by khchung (457) on Tuesday April 12 2016, @11:38PM (#330902)

    The problem is they have 0 accountability.

    Exactly. My first thought was "WHAT bad things would any CxO say they would be responsible for?" and I can't think of anything.

    • (Score: 3, Insightful) by davester666 on Wednesday April 13 2016, @05:52AM

      by davester666 (155) on Wednesday April 13 2016, @05:52AM (#331011)

      Now, the exec's main responsibility is to say "You need to make do this year with a 10% cut to the tech budget. And plan for another 10% cut next year."

  • (Score: 4, Insightful) by edIII on Wednesday April 13 2016, @12:00AM

    by edIII (791) on Wednesday April 13 2016, @12:00AM (#330914)

    I'm totally on board with your post.... except it isn't entirely fair.

    Execs are of course beholden to their nature, being greedy unethical sons of bitches, and aren't exactly very supportive of IT budgets in the context of security. It's all about the associated costs of failure compared to the profit. They do bear a large portion of the guilt, and should be properly excoriated.

    That being said, how can we reasonably expect security to exist in the same space that state sponsored and state level actors operate in? It's hard enough to secure a database without the NSA deliberately weakening your security. It wasn't a hacking group of 13 year olds that took out RSA for lulz, but a very coordinated and highly sophisticated state level attack. Most likely from China. That was our "highest" level of security in the market apparently, RSA SecurID? I know it was their flagship product at least, reverse engineered and hacked after only ~2 weeks with trade secret information.

    The government bears a significant and non-trivial portion of the guilt. They have literally been in an organized concerted effort to lower all of security, while not actually securing themselves either. You're demanding remuneration for receiving a rotten hamburger in a land of decay where a perfect hamburger is now logically precluded.

    I'm not saying do nothing to these executives, or don't hold their feet to the fire. Just be reasonable and realize they are up against tremendous odds and very unreasonable powers to guarantee the safety and privacy of your data.

    The $500 per record should only happen in cases of extreme negligence, not that somebody forgot to patch an SSL vulnerability created (or at least engendered) by the NSA.

    --
    Technically, lunchtime is at any moment. It's just a wave function.
    • (Score: 4, Insightful) by tibman on Wednesday April 13 2016, @12:51AM

      by tibman (134) on Wednesday April 13 2016, @12:51AM (#330923)

      Leaving unpatched boxes connected to the internet for years is not reasonable. Any audit at all would be useful. Executives saying they aren't responsible for security is just as bad as saying they aren't responsible for safety. It starts at the top!

      --
      SN won't survive on lurkers alone. Write comments.
      • (Score: 3, Insightful) by edIII on Wednesday April 13 2016, @02:18AM

        by edIII (791) on Wednesday April 13 2016, @02:18AM (#330947)

        I never said leave something unpatched for years, but was talking about reasonable time periods and reasonable performance standards. An absolute law that penalizes all disclosures at $500 per pop, without any nuance or qualifications is a very bad idea.

        All you've alluded to is keeping up with something like PCI-DSS compliance, which isn't enough. There is no way you could say with a straight face that simple following of their guidelines will keep you from all data breaches.

        It's a lot tougher than that, and the government bears a HUGE amount of the responsibility for creating the security environment we have now. You could be following everything to the letter, including all of the recommendations of the NSA, and yet still be subject to a data breach. That breach could be a direct result of the NSA either being disingenuous, two-faced, or just plain lyin' about what algorithms and practices are secure.

        I'm loath to throw anyone in jail (or gut the company) when the "accomplices" are in government. We can't have security weakened, execs in jail for it, and NSA agents being rewarded for good performance. That's all I'm trying to say.

        It's Execs + NSA. Hold them both accountable.

        --
        Technically, lunchtime is at any moment. It's just a wave function.
        • (Score: 2) by Wootery on Wednesday April 13 2016, @10:26AM

          by Wootery (2341) on Wednesday April 13 2016, @10:26AM (#331081)

          You're overstating the damage done by the NSA, no?

          • (Score: 2) by edIII on Wednesday April 13 2016, @06:44PM

            by edIII (791) on Wednesday April 13 2016, @06:44PM (#331247)

            You're understating the damage done by the NSA, no?

            We still don't know the full extent of the exploits that they've deliberately developed and purchased. We can't, since they're allowed to remain hidden and unaccountable to the United States Constitution. Remember, the FBI just purchased information from gray hats (pieces of shit, more respect for black than gray). So it's not just the NSA, and not even just the FBI. They literally help foment a black market for exploits, since they are a huge buyer. Along with many other governments, but ours is actually supposed to protect us. I don't believe that White House oversight committee for one split fucking second. They say they're heavily biased towards disclosure, but then admit that intelligence community directives are "considered" (Read: Followed).

            The NSA has compromised our encryption, and continues to attempt to do so. What they did with random number generation to predict the numbers was truly impressive, and that's just the tip of the iceberg. The NSA also operates the TAO which is physical intercepts of equipment to install back doors, hardware or software.

            So, ummm, no I don't think I'm overstating anything actually. The NSA is directly responsible for a non-trivial and significant portion of the weakening of our cyber security. Plain and simple.

            --
            Technically, lunchtime is at any moment. It's just a wave function.
            • (Score: 2) by Wootery on Thursday April 14 2016, @10:40AM

              by Wootery (2341) on Thursday April 14 2016, @10:40AM (#331570)

              You certainly make good points, but what proportion of real security issues are the fault of US government agencies?

              My gut feeling is that security is already so difficult that the misbehaviour of the NSA/FBI probably isn't as significant as you're making out.

  • (Score: 5, Insightful) by frojack on Wednesday April 13 2016, @02:11AM

    by frojack (1554) on Wednesday April 13 2016, @02:11AM (#330943)

    The problem is they have 0 accountability.

    Oh, come on.

    They have the same accountability as they do for fire protection of the company's various warehouses.

    They might not be able to read a fire marshal's report or an insurance adjuster's report, or a surgeon's report from a burn ward. They don't know a single thing about sprinklers or alarms or escape routes or Fire Department response times. And nobody expects them to know this. They have people for that.

    But that doesn't mean they get off scot-free when 6 warehouses burn down and are found to have no insurance, have let the alarm contract lapse, and stored known high-risk materials in the buildings. Heads below them will roll, but if it's bad enough the CEO's head will roll as well.

    CEOs serve at the pleasure of the board.

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 2, Troll) by Dr Spin on Wednesday April 13 2016, @07:23AM

      by Dr Spin (5239) on Wednesday April 13 2016, @07:23AM (#331038)

      Actually, yes they do get off in most cases.

      What is needed is a firm legislative reinforcement of the position that (especially) in a limited liability company: "If a crime is committed by the organisation, the liability of the directors is completely unrestricted. The directors are jointly and severally liable for everything that the organisation (i.e. ANY and ALL employees) has done unless it can be shown that they actively took all steps available to them as individuals."

      I.e. "I did not know it was going on" is proof of guilt. You are employed to know, that is what your job IS, and if you did not know, then you were not willing or able to do the job. If you fail, you should be banned from being a director, in addition to the full penalty for whatever was done.

      I speak as a company director. This is what I was taught the rules are (or were, 30 years ago).

      It is also my understanding that society allows me to incorporate a company because it is in society's interest. If it is not in society's interest for the company to operate (or the company is wilfully operating against society's interests) then society should be free to dissolve the company. (E.g. pharma companies taking decisions to discontinue products, leading to the death of patients who need the medication.) If the law does not say this, it would be easy to change it, subject to voters taking responsibility for who they vote for.

      No, I do not support the "fight for the right to be exploited" party.

      --
      Warning: Opening your mouth may invalidate your brain!
      • (Score: 4, Insightful) by frojack on Wednesday April 13 2016, @06:51PM

        by frojack (1554) on Wednesday April 13 2016, @06:51PM (#331248)

        "If a crime is committed by the organisation - the liability of the directors is completely unrestricted. The directors are jointly and severally liable for everything that the organisation (ie ANY and ALL employees) has done unless it can be shown that they actively took all steps available to them as individuals. IE "I did not know it was going on" is proof of guilt."

        So nothing bigger than a Mom and Pop corner grocery store could exist in your special little world then, right?

        Because if some pimply faced kid spits in a burger he is frying for his rival, the CEO goes to jail because he is obviously guilty of not personally supervising that pimply faced kid, and all the other 250,000 employees.

        Sorry, but you are delusional. That world has NEVER existed other than in the person to person barter world. I'm guessing you're about 14 years old, never held a job, never employed anyone, and sure as hell never ran a business.

        The very reason corporations exist since Roman times ~527 AD, is because civilization has learned that nothing of size can exist based on the work of a single individual, or even a small group, where each individual is 100% responsible. Sooner or later you have to employ someone else.

        --
        No, you are mistaken. I've always had this sig.