Marks & Spencer, one of the UK’s most iconic brands, has found itself in the headlines. Not just because of its ‘Big Daddy’ pistachio chocolate bar launch, but because of a ‘cyber incident’. The specifics are still unfolding, but the response has already triggered a debate in cyber and communication circles, with some calling the company’s communication a textbook example of calm, practical handling of information. Others are asking how this crime could have happened at all, or insisting that it should never have happened in the first place.
It’s a familiar cycle in the aftermath of a cyber attack. We rush to judge. Questions are asked: ‘why wasn’t this prevented?’, ‘where were the controls?’, ‘who’s to blame?’. But rarely do we pause to acknowledge that an organisation, just like an individual, has been targeted and victimised.
This raises the question: why is there so little sympathy for businesses that suffer a cyber attack?
The ‘should have known better’ bias
If your local post office, supermarket or petrol station were robbed, you would recognise the employees and owners of the business as victims. They could close the business to let staff come to terms with what happened, and customers would understand. That does not happen with cyber attacks.
Maybe it is partly because we cannot see the criminals that people forget a cyber attack is a criminal act?
This reaction is part psychological, part cultural. There is an ingrained belief that big businesses, especially those with sizeable IT and cyber teams, should be invincible and simply cannot fall victim to cyber crime.
But here’s the truth. No one is immune. Not even multi-billion-pound organisations with robust cyber budgets.
The cyber threat landscape evolves daily. Cyber crime gangs collaborate, share tools and innovate faster than many security teams can keep up. There are zero-day vulnerabilities, third-party exposures, supply chain risks – a never-ending list of moving parts.
Crisis communication vs cyber leadership
The lessons from previous attacks, such as those on the British Library, Arnold Clark and SEPA, show that there is not much an organisation can say in the first few days, particularly when it comes to technical transparency.
Here’s the thing: good communication is part of a good cyber response.
It is not an either/or. When done right, it reflects preparation and co-ordination between cyber and communication teams, with a focus on keeping stakeholders informed. It also has to be recognised that the messages are usually carefully crafted and have many contributors: legal teams, cyber insurance companies, sometimes law enforcement, and other agencies.
Change in culture
If we want to improve cyber resilience across society, we need to rethink how we respond to incidents, whether the victims are individuals or organisations.
Victim shaming doesn’t encourage better security, it encourages secrecy.
It makes it harder for teams to report incidents early, share lessons learnt or ask for help, and it stops the rest of us learning from an attack and gathering vital intelligence after it.
Instead, we need to develop a cyber culture where:
- Organisations are held accountable for their recovery and supported through it.
- Communications are assessed on clarity and intent, not just optics.
- We separate fault from responsibility, understanding that even the most prepared teams with the biggest budgets can be breached.
- Organisations are given the time and space to deal with the incident and to look after their employees and customers.
- We stop with the FUD (fear, uncertainty and doubt). We need to be realistic about who and what the real victims of an attack are: no more ‘ambulance chasing’. We have seen large-scale attacks with no impact on clients or patients (I am not saying it doesn’t, or won’t, happen), but if and when it does, we look after the real victims.
The core purpose of M&S is “to bring the magic of M&S through exceptional quality, value, service and innovation to every customer, whenever, wherever and however they want to shop with them”.
It is not to manage a cyber attack.
The responses to their incident so far will be analysed in cyber circles for many weeks to come. But maybe the most important takeaway is this: until we treat organisations as victims of crime rather than culprits of incompetence, we will keep missing opportunities to learn, collaborate, support and build a more resilient society.
We are lucky at the Cyber and Fraud Centre – Scotland to have an amazing Incident Response Cadre made up of Scottish organisations that understand victim support and have walked the walk with many organisations going through a cyber attack here in Scotland over the last few years.
(Not a cyber or recognised cyber expert!)