“As we all know, humans are often the weakest part of the security chain.”
Those are the words of Reddit CTO Christopher Slowe, who was quick to play the blame game in a post announcing that Reddit experienced a breach of internal data last week. He explained that the platform was compromised after an attacker sent “plausible-sounding prompts” to employees that redirected them to a website impersonating Reddit’s intranet portal in an attempt to steal credentials. Reddit said users’ data was safe.
Hackers successfully obtained an employee’s credentials, Slowe said, before calling out said employee — who decisively self-reported the incident to Reddit’s security team — as the “weakest link” in the company’s security defenses. (Ironically, Slowe went on to advise users to “update your password every couple of months,” a practice that is no longer recommended by most cybersecurity experts.)
Reddit isn’t alone in pointing the finger following a breach, and many organizations have defaulted to a blame culture when it comes to data security.
Equifax, which suffered a data breach that compromised the Social Security numbers and other sensitive data of more than 145 million people, blamed a single IT technician for the incident. “An individual did not ensure communication got to the right person to manually patch the application,” said former Equifax CEO Richard Smith, who was forced to resign within two weeks of the massive breach’s disclosure.
And SolarWinds — no stranger to security lapses — blamed an intern after it was revealed that one of the company’s update servers could be accessed using the password “solarwinds123.”
You’re going to get hacked
Your startup is likely going to get hacked. Data from cybersecurity company Check Point shows that organizations in the U.S. were hit by an average of 849 cyberattacks per week last year, and startups are often a prime target.
When your startup does get hacked, it will be because of human error. Social engineering attacks — whereby attackers prey on and manipulate employees into handing over sensitive details — are on the rise and have claimed a number of high-profile corporate victims in recent months, from Twilio and Mailchimp to Revolut and Uber. Verizon’s annual data breach investigations report last year found that as many as 82% of data breaches involved humans in some way.
However, these mistakes are rarely malicious and typically come as a result of simple human error, inattentiveness or a lack of training on how to handle sensitive information. While the word “mistake” implies that the employee in question has committed an act or judgment that is misguided or wrong, this is most often not the case.
Regardless, not a single one of these reasons justifies any organization blaming the employee for the breach. And it certainly doesn’t justify firing said employee. Security startup Tessian published research last year that found that one in four employees lost their job in the last 12 months after making a mistake that compromised their company’s security.
Unsurprisingly, the same report found that with harsher consequences in place, fewer employees are reporting cybersecurity mistakes to IT. Almost one in four (21%) said they didn’t report security incidents, versus 16% in 2020, resulting in security teams having less visibility of threats in the organization. Similarly, a report from cybersecurity firm Avast found that 40% of employees at small and medium-sized organizations who mistakenly click on a malicious link know they will be held personally liable for the breach. As a result, they are less likely to report the incident, which can lead to even bigger ramifications.
Don’t play the blame game
If your startup is going to succeed from a cybersecurity point of view, you need to trust your employees and understand that bullying them into compliance isn’t going to work.
You need to ensure you’re creating a culture that builds trust and confidence among employees and improves security behaviors by providing people with the support and information they need to make cyber-aware decisions at work. This can include regular cybersecurity training; ensuring your employees are equipped with the right tools, such as password managers and hardware-based multifactor authentication; and making sure that your team is equipped with the technical knowledge both to support employees and to manage any cyber incident that, inevitably, comes your way.
You also need to ensure you’re building a culture in which your employees are given flexibility, are not overworked and are given support when it comes to their health, safety and well-being. While social engineering attacks are becoming more and more convincing and effective, Tessian’s research found that many employees are citing distraction and fatigue as one of the main reasons for falling for phishing attacks.
Ultimately, your approach to cybersecurity should be underpinned by an understanding that breaches are ultimately inevitable and not the responsibility of any one person. If, or when, you’re hit by a breach, take responsibility. Sure, an employee may have clicked on a phishing link, but that’s probably because they weren’t properly trained in how to spot it, or your startup hadn’t invested in the technology to prevent it, or because they were overworked and just missed it. Nobody likes to admit to cybersecurity failures, but if you’re open about what’s happened, it’s likely to be better received by your customers, the press and the wider security community.
Playing the blame game does nothing to help anyone — unless you blame the cybercriminals responsible for compromising your startup. If you and your employees have one shared adversary, you can work better to defend against them.