On July 12 we learned that the breach of Snowflake, a major cloud data warehousing provider, had been far worse than previously imagined. We already knew that clients such as Advance Auto Parts, LendingTree, Ticketmaster, and Santander Bank had been impacted. But now we know that the hack also engulfed AT&T, exposing the cell phone data of nearly all of its 242 million wireless customers—including phone numbers, call durations and certain cell site details. This isn’t just a slip-up; it’s a security disaster, with Snowflake as its unwitting architect.
Far too often, corporations and IT vendors alike cut corners on cybersecurity, treating it as an unnecessary expense rather than a critical investment. Systems are left vulnerable to attacks that can have devastating effects on innocent users. Meanwhile, these same users are lectured about the importance of individual responsibility, as if the onus of protecting their data falls solely on their shoulders.
The hypocrisy is staggering. Grandma is chastised for her insufficiently creative passwords while her healthcare providers neglect to update their security certificates. And when Grandma’s sensitive information inevitably ends up on the dark web? Well, that’s her problem, not the responsibility of the C-suite executives who effectively disregarded her privacy rights.
As 2024 shapes up to be yet another “year of the data breach,” it is long past time for executives and vendors to stop trying to shift responsibility onto individual users while neglecting their own.
Where is the Accountability?
Recent headlines paint a grim picture of the current state of corporate cybersecurity. Microsoft, a tech giant entrusted with almost unimaginable amounts of user data, is now grappling with the consequences of years of accumulated security debt. Healthcare behemoth UnitedHealth has struggled to recover from a devastating cyberattack in which Russian hackers exploited the company’s outdated technology and inadequate security measures. Okta, a widely used identity management platform, suffered a data breach late last year that left 100 percent of its customers vulnerable—not the measly one percent that the company initially claimed. And we already mentioned Snowflake, which is facing a snowballing (pun intended) number of attacks on its customers’ databases.
These incidents are not isolated “unfortunate events.” They are symptoms of a pervasive problem. Corporations and service providers have been allowed to prioritize convenience and cost-cutting over the security of their customers’ data. And when things go wrong, these same executives hide behind the facade of “shared responsibility” models, conveniently shifting the blame onto users.
Enough is Enough
It’s time for a paradigm shift. Executives and vendors must be held accountable for their role in safeguarding the data entrusted to them. They can no longer be allowed to treat cybersecurity as an afterthought or a box to be checked. Security must become a top priority, integrated into every aspect of corporate operations.
Regulators and policymakers have a crucial role to play in this reckoning. They must implement and enforce stricter cybersecurity standards, holding corporations and vendors responsible for their failures. Fines and penalties should be substantial enough to incentivize real change, not merely a slap on the wrist.
There are some signs that change might be on the horizon. For example, the National Cybersecurity Strategy 2023 has proposed shifting liability for insecure software onto software producers. Meanwhile, corporate directors and officers are increasingly vulnerable to shareholder derivative lawsuits related to data breaches. As regulatory scrutiny intensifies and government agencies like the FTC and SEC take more aggressive actions, corporate leaders may be forced—and dare I say, must be forced—to prioritize data security.
Furthermore, transparency and communication must become non-negotiable. When breaches occur, companies must be forthcoming with their customers, providing timely and accurate information about the extent of the damage and the steps being taken to rectify the situation. No more sweeping incidents under the rug or downplaying their severity.
As consumers and citizens, we are not powerless in the face of corporate negligence. Remember to “vote” with your wallet: Support companies that prioritize cybersecurity and data protection. Research a company’s security track record before entrusting them with your data. Ask companies about their cybersecurity practices. Request clear, jargon-free explanations of how they protect your data. By demanding better from the companies we entrust with our data, we can work towards a future where cybersecurity is treated with the seriousness it deserves.
Don’t Believe the Hype
The corporate abdication of responsibility in cybersecurity bears striking similarities to the corporate response to the climate crisis. In both cases, giant multinationals have managed to convince citizens that massive, systemic problems are primarily matters of individual responsibility.
Just as individuals are pressured to reduce their personal carbon footprints while corporations pollute on a massive scale, users are admonished to practice good “cyber hygiene” while companies neglect the security of the systems they control. But in reality, the carbon emissions of a single conglomerate can dwarf the environmental impact of an entire city, just as a single corporate data breach can compromise the sensitive information of millions, regardless of how “strong” the individuals’ passwords are.
This narrative that individual actions are the key to solving complex, global problems is a convenient smokescreen for corporations unwilling to take responsibility for the negative externalities they create. It allows them to continue prioritizing short-term profits over long-term sustainability and security. But just as we cannot recycle our way out of the climate crisis, we cannot password our way out of the cybersecurity crisis.
In both the environmental and digital realms, we must reject the lie that individual responsibility is a substitute for corporate accountability. We must demand that businesses step up, take ownership of the problems they’ve created, and invest in meaningful solutions.
It’s time to demand real corporate social responsibility, not just window dressing. Our digital and physical ecosystems depend on it.
I am certified in Cybersecurity (CSX, CISM), Enterprise IT Governance (CGEIT), Data Privacy Solutions Engineering (CDPSE), and as a Certified Information Privacy Professional (CIPP/US). I am also an active member of organizations including ISACA, IAPP, and ISSA. In 2018, my book Cybersecurity Program Development for Business: The Essential Planning Guide was published by Wiley to critical acclaim. My second book, Privacy, Regulations, and Cybersecurity: The Essential Planning Guide, received an equally positive reception upon its release by Wiley in 2021. Additionally, I co-authored History of the Internet: 1843 to the Present and contributed to the Encyclopedia of Computers and Computer History as well as the Encyclopedia of New Media.