Now this is scary. CNBC has a story posted: Execs: We're not responsible for cybersecurity. The story was posted on April 1, but I do not think this is a joke.
More than 90 percent of corporate executives said they cannot read a cybersecurity report and are not prepared to handle a major attack, according to a new survey.
More distressing is that 40 percent of executives said they don't feel responsible for the repercussions of hackings, said Dave Damato, chief security officer at Tanium, which commissioned the survey with the Nasdaq.
"I think the most shocking statistic was really the fact that the individuals at the top of an organization — executives like CEOs and CIOs, and even board members — didn't feel personally responsible for cybersecurity or protecting the customer data," Damato told CNBC's "Squawk Box". ...
"As a result they're handing this off to their techies, and they're really just placing their heads in the sand right now," he said.
I suppose I should not be surprised, but I find it absolutely appalling that there could be this level of active ignorance at such a high level in an organization. What would it take to make said "leaders" actually care about security?
Current practices of providing a year or two of credit monitoring seem woefully inadequate compensation. What if the affected company had to make an actual cash payout of, say, $500 to every person who had their personally identifiable information (PII) compromised? Treble that amount if the notification is not "timely"?
(Score: 4, Insightful) by tibman on Wednesday April 13 2016, @12:51AM
Leaving unpatched boxes connected to the internet for years is not reasonable. Any audit at all would be useful. Executives saying they aren't responsible for security is just as bad as saying they aren't responsible for safety. It starts at the top!
SN won't survive on lurkers alone. Write comments.
(Score: 3, Insightful) by edIII on Wednesday April 13 2016, @02:18AM
I never said leave something unpatched for years, but was talking about reasonable time periods and reasonable performance standards. An absolute law that penalizes all disclosures at $500 per pop, without any nuance or qualifications, is a very bad idea.
All you've alluded to is keeping up with something like PCI-DSS compliance, which isn't enough. There is no way you could say with a straight face that simply following their guidelines will keep you from all data breaches.
It's a lot tougher than that, and the government bears a HUGE amount of the responsibility for creating the security environment we have now. You could be following everything to the letter, including all of the recommendations of the NSA, and yet still be subject to a data breach. That breach could be a direct result of the NSA either being disingenuous, two-faced, or just plain lyin' about what algorithms and practices are secure.
I'm loath to throw anyone in jail (or gut the company) when the "accomplices" are in government. We can't have security weakened, execs in jail for it, and NSA agents being rewarded for good performance. That's all I'm trying to say.
It's Execs + NSA. Hold them both accountable.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 2) by Wootery on Wednesday April 13 2016, @10:26AM
You're overstating the damage done by the NSA, no?
(Score: 2) by edIII on Wednesday April 13 2016, @06:44PM
You're understating the damage done by the NSA, no?
We still don't know the full extent of the exploits that they've deliberately developed and purchased. We can't, since they're allowed to remain hidden and unaccountable to the United States Constitution. Remember, the FBI just purchased information from gray hats (pieces of shit, more respect for black than gray). So it's not just the NSA, and not even just the FBI. They literally help foment a black market for exploits, since they are a huge buyer. Along with many other governments, but ours is actually supposed to protect us. I don't believe that White House oversight committee for one split fucking second. They say they're heavily biased towards disclosure, but then admit that intelligence communities' directives are "considered" (Read: Followed).
The NSA has compromised our encryption, and continues to attempt to do so. What they did with random number generation to predict the numbers was truly impressive, and that's just the tip of the iceberg. The NSA also operates the TAO, which does physical intercepts of equipment to install back doors, hardware or software.
So, ummm, no I don't think I'm overstating anything actually. The NSA is directly responsible for a non-trivial and significant portion of the weakening of our cyber security. Plain and simple.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 2) by Wootery on Thursday April 14 2016, @10:40AM
You certainly make good points, but what proportion of real security issues are the fault of US government agencies?
My gut feeling is that security is already so difficult that the misbehaviour of the NSA/FBI probably isn't as significant as you're making out.