Why the Media Should Stop Reporting on Security Breaches
A crucial part of my job involves advising incident responders about the definition of a "security incident". This is not as straightforward as you think! Sure, ransomware is easy to identify. But 99% of security events deal in grey areas.
Fictitious example: a development team mistakenly logged end users' email addresses in clear text. A group of ten interns accessed the log repository. One of them downloaded a log sample of 3 weeks for diagnostic purposes. Now, is this an event, an incident, a suspected breach, or a full-blown security breach? And if so, does it warrant notification to the affected individuals and to data protection authorities?
Don't take too long to ponder this. Per EU's privacy law, you've got 72 hours to complete your notification.
As information security specialists, we value transparency. In this fictional example, imagine we've built a personal information protection policy. Developers didn't comply, and the information was compromised. We follow our incident procedures, which include standard notification in such cases. Not so fast.
See, one issue about breach notification is that once the information gets out, you don't control how people perceive it. Same as when you publish cute dog photos and people laugh at your couch pillows: unintended consequences.
One thing companies don't control: media coverage. What if your minor security incident makes a good story because it coincides with some other random event? What if you get lambasted for doing things right? After all, people read only the headline. All they'll see is: "This company got breached. BAD!"
This week, I show you how not all breaches are created equal. Media outlets must become nuanced when covering security breaches. Without the nuance, many publications discourage transparency.
Why is this a big deal? A sustainable information security practice emerges from a culture of ethics and integrity. If we cannot build security from this positive foundation, we default back to fear. In my past article, I explained why I believe using fear to change behaviours leads to diminished returns and burnout of cybersecurity staff.
For our own sake, we need to improve.
The easiest way to never get breached is to fail to detect breaches!
Here's the kicker: imagine two companies get breached. The first one discloses it. The other one leaks health information for months without noticing. You will only read about the first in the news. Yet, which would you rather do business with? This is the conundrum!
The idea for this article came from this TechCrunch article about a data breach affecting Colorado public schools, which ends like this:
Colorado has suffered a spate of ransom attacks in recent weeks. Colorado State University (CSU) confirmed [being a victim of the] MOVEit mass hacks. The same hackers targeted Colorado’s Department of Health Care Policy and Financing, [...].
Now, either Colorado's security measures suck... or they're the best ones out there because they managed incidents correctly! Unless some university researcher gathers all the data about States' security breaches, we don't really know where Colorado stands.
A similar anecdote happened in my home in Quebec. An HR employee from the Ministry of Cybersecurity sent a payroll file to their personal Gmail. The Data Loss Prevention (DLP) solution did its job: the file got flagged, the incident team responded, and employees were notified of the event. End of story. Not quite. The event caught snarky media coverage.
Requiring executives and politicians to get fired when they disclose a breach creates "counter incentives".
I reiterate: a security incident or a breach is not in itself a failure. Context matters. We must scrutinize the process that led to a breach, not the end result.
The MOVEit software, SolarWinds firewalls, LastPass password manager and Fortinet firewalls were, by all external indications, respectable products before they got compromised by cybercriminals. Colorado public servants and politicians were not at fault for cutting corners, or for choosing some cheap "made in China" vendor! However, if a company is still running a Fortinet firewall in 2023 on a version known to be vulnerable since 2019, then they deserve the media roast.
When breach reporting feeds anger and anxiety
Why, then, do cybersecurity breaches get so much coverage? I'll tell you the bad reasons first. It's easier to get immediate attention by portraying the world as a dangerous place.
"Cybercriminals are after you."
"Incompetent governments are losing the fight!"
"Businesses only care about money, your data be damned!"
It's easy to amplify security breaches as the symptom of whatever "culture war" a publication wants to profit off. The Quebec anecdote is telling here. The local media sees the Minister of Cybersecurity as a stooge. What mattered here was to get "the other side" of the political spectrum their fix of outrage porn. (Disclaimer: I don't follow politics. Don't take this as reliable political analysis, but my point still stands).
This also matters on a grander scale. Technology changes fast. People feel overwhelmed and anxious. They worry about AI taking their jobs. Big Tech seems omnipotent. In their race to conquer markets and harvest our attention, cybersecurity appears as their Achilles heel. Which is true!
There is a thin line between holding tech companies accountable and telling people what they want to hear. If a headline and an article about security breaches upset you, it may be a sign that the authors are scratching your technostress.
Wait! There are legit reasons to cover breaches too!
I admit it. I used a clickbait headline myself. Nobody clicks on an article titled: "Security breach reporting should focus on education and awareness rather than fear and anxiety".
Look at the legitimate reasons to cover breaches:
- Raise public awareness on urgent matters. When Colonial Pipeline got struck by ransomware, energy supply chains got affected. If critical infrastructure gets disrupted, yes, the public has to know!
- Expose unethical companies. The 2017 Equifax breach exemplifies the need to uncover gross negligence. The media fueled a legitimate class-action lawsuit against the credit monitoring agency.
- Reveal relevant scientific findings: new threats, new means of operations, new groups, etc.
Remember: not every breach is the same. Breaches express an organization's culture in a moment of crisis. These complex events are not always of public interest.