Who to Blame? – PR and a Cyber Breach Blame Evolution

Who gets the Blame PR 101

Having worked in cyber security for a very long time, we have always found it interesting, when a data breach is announced, to watch how it is messaged and how the affected organisation controls the narrative. Let me be clear right at the start: this is not a victim-blaming exercise, but more of a lighthearted / humorous observation of how this is handled and how it has changed over the years, for better or for worse.

In many ways, we are in a far better situation now than we were a short 15-20 years ago. I recall talking to a potential client and asking them what they would do in the case of a cyber security incident. At the time, a small online startup that had suffered one and been put out of business was in the news. I remember the client saying with a chuckle, “We would start by not telling anyone!”

Fortunately, times have changed a bit. Mandatory reporting is largely in force across the world, and with that organisations have responded by largely committing to transparency and a well-executed commitment to releasing information as it comes to light in the investigation. But one element has not changed. Who does the breached organisation blame?

Certainly, the obvious one is the hackers themselves. But the problem for an organisation is that just saying a hacker did it is not enough! You are supposed to have defences in place against your standard “hacker”, and the idea that your organisation could be breached with ease by some random operator (which may be the truth) does not instil confidence in your organisation. So the Public Relations (PR) department will advise you to add some flourish to your announcement that will subtly (or not so subtly) give the reader the impression that, whilst this breach happened, it would have happened to any organisation because the attack in this case was “insert special reason here that shifts blame”.

1st PR Evolution- 1980-2018

The PR timeline of this excuse has been interesting. It started with the “Deny Everything” policy. Basically, you gained nothing by admitting it was your data or systems that had been breached (in fact you lost a lot), so the best policy was to deny it was your data or your breach and hope the attention went away. In most cases it largely did, as awareness of the value of the data and how it could be used by nefarious actors was not widespread. Those brave or honest organisations that did admit to a breach were widely lampooned, or in some cases went out of business. But for a very long time, this was an effective approach to managing a data breach. Looking back now, it seems crazy to us!

2nd PR Evolution- 2018-2023

However, something changed: the global adoption of mandatory breach laws and regulations, particularly those coming into effect from 2018 onwards. Now organisations could not legally “Deny Everything” and in fact had to proactively report a breach. But how do you do this without looking like you didn’t properly secure the data in the first place? This brings us to the second evolution in PR messaging / the blame game. During this period, the handbook said that when announcing a breach at your organisation, the important part was to use the phrase “possibly nation state” in your press release. Follow this up with messaging that alludes to it being “insert nation state most acceptable for your demographic”. This would allay people’s fears that the organisation was not properly securing their data or systems, and suggest that it was in fact the victim of an extremely sophisticated state threat actor who would stop at nothing to gain access. Most people would shrug and accept this as truth and not wonder whether it really was a nefarious nation state spy agency that decided to hack a company to gain its customers’ information.

3rd PR Evolution- 2023 onwards

The nation state messaging worked very well for a while, and PR teams were happy. This was the perfect excuse for any organisation, as it diverted attention away from your organisation and focused it on usually unnamed but strongly hinted-at countries. It was also helped by some high-profile nation state operations that had made headlines earlier, like Stuxnet and later NotPetya, which demonstrated the power of nation state threat actors in the cyber world.

However, a problem arose with this message! In August 2022, Lloyd’s of London announced that cyber insurance policies would no longer cover certain nation state cyber attacks, taking effect from the 31st March 2023. This announcement has had a profound impact on the industry, as seemingly overnight nation states stopped being involved in large data breaches! But this caused an issue for our messaging. We need to be able to blame someone that:

  1. Isn’t the organisation.
  2. Is plausible.
  3. Is non-identifiable (legal issues here otherwise).
  4. Will be accepted as beyond our control / difficult to stop.

And this has brought us the latest in PR evolution: the “Third Party”. This can take the form of a “Third Party supplier” or just a “Third-Party organisation”. When using this messaging to report your data breach, it is important to say words along the lines of “we believe the attack originated from a third party”. The definition of what a third party is remains quite hazy. It can be a systems integrator, a security MSSP, a software supplier, etc. Basically, it seems to be defined as “anyone who isn’t from our organisation but has come into contact with us more than once”.

The point of this isn’t to name and blame anyone who does this. It is just to point out how this has changed, and how the PR messaging from organisations suffering a data breach often muddies the waters whilst trying to minimise the damage the breach causes.