Equifax, Uber, Yahoo, Boeing, UnderArmor, MyFitnessPal, Panera, and even US power plants and gas pipelines. Private sector or public sector, big or small, it seems cyberattacks hit anywhere and everywhere. The ever-increasing news about hackers leaking data—your data—just keeps coming and leaves you with one question on your mind:
It’s not like we don’t know how to prevent cyberattacks—well, for the most part. There are always zero-day exploits: cyberattacks that take advantage of a security vulnerability nobody else knows about yet. But once a flaw becomes known, finding a way to patch it, or at the very least paper over it, doesn’t usually take too long.
But we end up leaving ourselves vulnerable, even when we don’t have to, for a few reasons.
“If we command our wealth, we shall be rich and free. If our wealth commands us, we are poor indeed.” – Edmund Burke
Of course, these attacks occur usually out of a desire to make money. Stealing data on a business’s customers nets you a treasure trove of ill-gotten information you can sell for a pretty penny to identity thieves and unscrupulous businesses looking to target new customers of their own who know how they can use that data to make even more money. Love of money is the root of all evil, after all. And that will likely hold true until we evolve into a post-scarcity Star Trek utopia following the atomic horrors of World War III.
But cyberattacks don’t just happen out of a desire to cash in.
In many cases, IT experts know exactly how to stop most cyberattacks from occurring. The problem is that when they go to their boss (if they’re an internal IT department) or client (if they’re a to talk about what to do, this happens:
When you’re an IT professional, you know this conversation by heart because you’ve gone through it probably thousands of times before.
Spoiler alert: You’re right and they’re wrong, but good luck trying to convince them of that.
When Equifax was attacked by cybercriminals in 2017, “they had already been told about the fix… well before the breach even happened. And yet they failed to do so fully in a timely manner.”
One reason these cyberattacks succeed is that they exploit a willingness to cut corners and blow off important upgrades as a cost- and productivity-saving measure. For example, when WannaCry swept through Europe in the summer of 2017, many of the UK’s NHS hospitals were affected because they still relied on computers running Windows XP, which Microsoft had stopped supporting in 2014. Microsoft actually had to issue an emergency patch for Windows XP—something they had never done for an unsupported operating system before.
Many cyberattacks hitting businesses of all sizes happen not because some smooth criminal with wizard-like hacking skills took advantage of a zero-day vulnerability, but because people just aren’t trained to avoid opening suspicious email attachments or LinkedIn messages.
This comes in the form of a lot of excuses that ultimately come down to money.
This isn’t necessarily about greed, although ascribing it all directly to penny-pinching fat cats at the top would do a lot to remove the moral ambiguity from this situation. Many people, especially small business owners and government-run agencies, find themselves caught between a rock and a hard place balancing all of the things their budgets are supposed to cover already—and throwing on additional cybersecurity preparedness and tossing out equipment that should have gotten the boot a decade ago further strains that.
For the biggest businesses, of course, that’s no excuse. A CEO who makes more money in the time it takes for him to poop than one of his workers makes in a week can afford to take the necessary precautions.
But even once you’ve gotten past the money issue, you get into another problem, which is mainly…
“You are the dumbest smart person I’ve ever met.” – Will Smith, I, Robot (2002)
Sometimes the top makes bad hiring decisions. Sometimes, as is the case with the oft-quoted “Peter principle,” good workers get promoted to their position of least competence. And sometimes otherwise-smart people just screw up.
When the Equifax breach happened back in 2017, the former CEO, while being grilled by the House Energy and Commerce Committee, claimed that the breach had been the fault of a single individual in the IT department who had failed to apply the patch for the known security issue that led to it.
“I don't think we can pass a law that fixes stupid.” – Rep. Greg Walden (R-Ore.)
Even one person’s brain-fart can be a serious threat. The Swiss Cheese Model applies here as it does to everything else. The holes are never supposed to line up properly, but when the stars are right and the zodiac is in alignment, something can slip through.
Bigger isn’t always better. The more people you have monitoring something, the more likely it is that whoever notices something that seems just a little “off” will think to themselves, “Someone else will take care of it; I don’t need to get up from my desk or send out a concerned little email or anything.” It’s called the “bystander effect,” and it grows stronger the more people there are you think you can pawn responsibility off to. People have many psychological justifications to explain their inaction, ranging from a simple “I don’t care” to “Someone more qualified than me will handle it.”
For some people, it’s “Blame Someone Else Day” every day. For others, it only happens on the first Friday the Thirteenth of the year. Ultimately, nobody is 100% immune to screwing up. But if you’re lucky, 99% will be good enough… so try for 99%.
Here's where you can start: