New statistics by International Cyber Expo reveal that in the event of a data breach at an organisation, nearly one in every five (19%) individuals across the UK believe the person(s) who allowed initial entry via phishing, poor security practices etc. should be held most responsible and face the harshest penalty. Additionally, of these individuals, over a third (34%) consider prison to be the most suitable punishment for a data breach. The research shines a renewed spotlight on blame culture.
Granted, a higher proportion of the population (29%) think the cybercriminals who exploited the organisation’s vulnerabilities should be held most responsible. Yet, historically, most cyber crimes go unreported and cybercriminals are rarely convicted. When asked who should be responsible for financially compensating the victims of a data breach (i.e. the individuals, not the corporation), 35% believe it should be the perpetrators, followed by the Courts through compensation orders (26%) and the Treasury through the Proceeds of Crime procedures (20%). However, in each of these scenarios, a clear determination of the offender is required, which is not often achieved with cybercrime.
International Cyber Expo’s Advisory Council member, Flavia Kenyon – Barrister at The 36 Group, adds: “It is imperative that cyber laws and regulations continuously adapt to keep up with technological innovation, so that they are fit for purpose in order to ensure clarity, effective compliance, and enforcement.
The current legal framework is fragmented, and in the absence of an overarching cybersecurity legislation, there is a raft of acts and regulations. The Computer Misuse Act 1990, the main act that criminalises unauthorised access to computers, the so-called ‘hacking offences’, is often enforced in conjunction with the Data Protection Act 2018, and even with the Fraud Act 2006, and the Proceeds of Crime Act 2002 to punish those responsible for cyber-attacks, enable asset-tracing and compensate victims.
Additionally, there are mandatory duties (including directors’ duties under the Companies Act 2006) that trigger civil liability and fines for non-compliance under the DPA 2018, the UK-GDPR, NIS Regulations (Network and Information Security Regulations 2018), and the latest Telecommunications (Security) Act 2021, the latter expected to be fully implemented in 2024.
Time will tell if this legal framework can deliver on ensuring protection of our most critical digital infrastructure and of our most-pressured asset, data.
When it comes to liability and enforcement, it is important to distinguish software developers, who purely develop the code underlying open-source protocols, from third parties who use the protocol to cause harm and/or loss, and from those who provide, operate, and control the network, and benefit from it financially.”
Apart from the cybercriminals themselves and individuals who allowed initial entry, 18% of survey respondents believe the CEO or board members of software providers (e.g. video conferencing tools, cloud file storage etc.) should be held most responsible for not providing secure products and updates. A further 15% and 14%, respectively, hold the CEO or board members of the targeted organisation, and the CEO or board members of cybersecurity providers, most responsible. This is interesting in light of the White House’s recently announced National Cybersecurity Strategy, which endeavours to shift the liability for insecure software products and services to the entities making them. Meanwhile, 16% of respondents maintain that the cybersecurity team of the targeted organisation should be the ones held most responsible, which may add to fears among CISOs of personal liability.
The International Cyber Expo takes place next week. It is held on the 26th and 27th of September 2023 at London Olympia. To register for FREE as a visitor, visit: https://ice-2023.reg.buzz/eskenzi