Cyber breaches: People in glass houses shouldn’t throw stones

One of the issues highlighted by the Travelex incident—and the reaction to it—is the extraordinarily high level of culpability and scorn that continues to be attached to corporate victims of cyberattacks. We all know that doing business in a digital world is fraught with risk. No one wants to have their sensitive data leaked, operations disabled, and reputation ruined, but the fact is, we’re defending against highly motivated criminals who are becoming increasingly creative (and harder to catch and therefore, hold accountable) in order to monetise organisational weaknesses.

Travelex was just the first high profile cyberattack that came to light in 2020. It seems likely that the attack took advantage of the Sodinokibi ransomware’s exploitation of a vulnerability in Pulse Secure’s VPN software that was patched by Pulse Secure last April. It also seems likely that Travelex did not act on direct advice—offered as early as September 2019—that its servers were vulnerable to an attack.

On the one hand, it’s important that a cyberattack of this magnitude is given a healthy level of public scrutiny and interest. On the other hand, it’s important to look at the big picture; the way these issues are addressed by industry and the handling of the surrounding narrative have the potential to influence better information security practices in the long term.

In particular, the use of Travelex’s situation to market products is inevitable but often misplaced. We saw many posts on LinkedIn commenting on the ‘if Travelex had used our product it wouldn’t be in this mess’ line or the security-centric, egotistical message of ‘if our company was involved this wouldn’t have happened’ line. No one can know the inner workings of Travelex (or any other company for that matter), so it’s a somewhat low-brow marketing message that makes a lot of assumptions about what did or did not happen and why. This is not helpful for anyone and deserves short shrift.

Ransomware is a known and credible threat. Up to a third of companies worldwide are hit by ransomware every year; does that mean that 30% of global companies are rubbish? Or are they just struggling to adjust existing operational models to a new and mutating threat. It’s easy to lead the charge of criticism on others’ digital security when all you care about is digital security. Its sometimes different when it is just one of many risks an organisation must juggle in a dynamic global operation. Yes, Travelex didn’t follow some of the basic cyber security tenets and is only now it in the process of bringing its systems back online and repairing a damaged reputation. Focusing on what Travelex should/could have done is useful up to a point, if the focus is on practices rather than solutions. Failing to patch, taking risks on prevention strategy due to cost concerns, failing to understand the magnitude of the risk itself are better starting points for a constructive discussion than continuing to push the notion that there are easy fixes available to buy and that the victim is somehow quite plainly idiotic that they didn’t.

How can we be better prepared for next time? What is the best way to handle a situation when it occurs? What can we learn from other attacks? Asking these questions might be a starting point for constructive engagement and analysis. At worst, it is a more nuanced approach than simply combining easy hindsight with marketing opportunism. If we’re having a conversation about ‘should have’, let’s make it one about ‘should have done’ or ‘should have prioritised’ not ‘should have bought from me/paid to listen to me’.

How PGI can help your organisation

Talk to us about our Incident Response services, and how we can help your organisation understand your level of cyber and information security maturity.