In his book, What We Owe Each Other, philosopher T.M. Scanlon sets out his theory of contractualism. He essentially makes the case that humankind has a collective moral obligation to be good and just to one another. I won’t begin to dig deep into the relevance of this brilliant work as it relates to humanity and global politics, but the topic itself did get me thinking about the growing threat of data hacks, ransomware, and the myriad other cyberattacks currently lying in wait. So, as it relates to businesses and cybersecurity, what do we owe each other?
Now more than ever, one organization’s breach or hack can wreak exponential havoc on its entire sphere of business and beyond. Literally everyone with whom the compromised organization interacts is fair game. Clients, vendors, partners, the charities it supports. Everyone.
So, the issue becomes much larger than personal responsibility for oneself. If someone decides to leave the front door of their home unlocked, the risk is theirs alone. Their disregard for their own safety and the security of their property does not leave their entire neighborhood, city, and state vulnerable to crime.
But cybersecurity – or lack thereof – doesn’t work that way.
You may have heard about the SolarWinds hack that was announced late last year, but it had been stewing in industry and government systems for up to nine months. SolarWinds is a Texas-based provider of network monitoring software to businesses and the U.S. government. While clearly entrenched in the technology sector, the company lacked some shockingly basic security measures that left not only its own systems vulnerable, but also the networks and data of hundreds, if not thousands, of businesses and government entities.
In hindsight, SolarWinds’ faults were many. The company lacked a Chief Information Officer (CIO) and any senior-level cybersecurity employees. It had also reportedly instructed customers, as a matter of routine, to disable their antivirus before installing SolarWinds software. And in November 2019, more than a year before the big hack was confirmed, a cybersecurity researcher notified SolarWinds that its File Transfer Protocol (FTP) server was not secure and warned that hackers could upload malware to its system and distribute it to its customers.
And that’s exactly what happened.
While the actual cost of the trojan attack may never truly be known, as of early 2021 at least 100 businesses and nine federal agencies are confirmed to have been compromised by the high-profile hack. The breach itself has cost SolarWinds at least $18 million in investigation and remediation costs so far, but early estimates covering all affected businesses and government agencies put the total around the $100 billion range. Yes, that is billion.
Now the US Securities and Exchange Commission is targeting some companies that may not have disclosed that they were affected by the high-profile hack, according to reports just this week.
So, back to the question. What do we owe each other?
As a business doing business, do we owe our individual clients the assurance that we have taken the strongest measures to protect their personal data, like Social Security numbers and bank accounts? Do we owe our B2B customers the knowledge that we take cybersecurity seriously because we understand how breaches can negatively impact their operations and their customers? Do we owe insurers and industry at large our part in preventing hacks and keeping cyber insurance premiums down?
The thing is, the SolarWinds breach wasn’t just a big news story; it is a cautionary tale that is sure to be told again and again, but with a revolving cast of bad actors and victims. Because until every business with an internet connection fortifies its systems and begins to take cybersecurity seriously, we are all at risk.
Stig Ravdal is the President & Founder of Ravdal, Inc., a leading cybersecurity company. He is an expert in the fields of cybersecurity strategy and technology solutions, and is available for speaking engagements.