Should We Sue Companies That Get Data Breached?
Companies spend millions of dollars on marketing and advertising, with budgets that stretch from social media ads to Google ads to TV spots and even lavish Super Bowl commercials. So you would think that, with all that money spent attracting customers, these companies would find at least a few hundred thousand dollars for cybersecurity, to make sure the customer data they take on is actually safe and secure.
But the sad truth is, they aren’t spending nearly enough, and don’t take it as seriously as they should.
- Companies aren’t spending enough for cybersecurity
- Hiring fresh graduates with little or no hands-on experience over seasoned cybersecurity specialists
- Letting HR write the job posting and do the hiring for the IT department is a failure
- Companies need to be held responsible for data breaches that occurred through plain negligence.
- Invest in your IT and cybersecurity team and infrastructure.
- My recommendations on what to do
Customers Need To Start Suing.
This is going to be a pretty harsh blog piece. It’s being written from a place of frustration and anger. I have stayed at Marriott hotels, and I’m pretty sure that, like the 500 million others, my passport information, which was not encrypted, is now in the hands of notorious black-hat criminals and their associates. The most Marriott faces at this moment is a proposed fine of about £99 million from the UK’s ICO: a slap on the wrist for a breach that could have been avoided.
Now some are writing this off as our ‘new reality’, implying that data breaches will happen and we should accept them as inevitable (small Thanos reference). To those people I say, “what’s wrong with you?” That’s passport information, the very thing governments around the globe tell you to protect and keep secure, and a hotel chain let it leak because its IT team didn’t do its job.
If Marriott had hired a well-educated, well-qualified team and VP of Technology, this should not have happened, right? Well, let’s look at that for a second. I don’t know who their IT team was, how qualified the VP of IT was, or the merits of their CTO, but what I’ve seen after working on projects for large companies is that they often hire on a piece of paper, not on demonstrated talent. They hired this team; they should take responsibility for it. Why are these breaches being accepted as normal? Why aren’t 500 million people banding together to sue companies that were breached for stupid reasons, such as not encrypting sensitive information like passport and credit card numbers, or not having strong passwords and basic security controls in place? Why? Because we’re being made complacent. We’re being told that data security isn’t something we should expect because it’s ‘impossible’.
That’s strange, because these multi-million to multi-billion dollar corporations have the money to pay for a very good team (a balanced mix of well-educated and hands-on IT people) to look after our data. So why are we saying that cybersecurity is impossible? Worse, it’s easier than ever for companies to walk away from these breaches, and harder for the customers (the victims) to sue. That’s not an accident; that’s by design. There are some class-action lawsuits, but obviously we’re settling for far less than we should get back. How do you settle something like a stolen passport number, especially when you may not even know you’re a victim? Out of the 500 million, did they accurately contact each customer to say “your data was breached”?
Yes, if the IT team was strong and had a good security team on board, then you can say it was unavoidable and they did all they could. But what we see daily is million-dollar companies forgetting to put a password on something, using an easy password like 1234, or forgetting to encrypt sensitive fields: the basics of IT service management and security hygiene. They should have two or three good white-hat hackers on the team. This is why we’re getting breached, and this is why we should be mad: these companies aren’t taking our information or our privacy seriously.
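To make the ‘basics’ concrete, here is an added example (my own illustration for this post, not code from Marriott or from anyone involved in these breaches) of what encrypting a passport number at rest actually looks like. It is Go using only the standard library. It assumes a hypothetical GuestRecord shape, a hypothetical field context string "guest.passport", and a data key that would come from a KMS or HSM in production; here the key is derived from a constructed passphrase so the example runs offline. The point it demonstrates: a database dump without the key is useless to the attacker, and day-to-day staff only ever see a masked form.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// demoDataKey derives a 32-byte AES-256 key from a constructed passphrase so the
// example runs offline. In production the key comes from a KMS/HSM, never the DB.
func demoDataKey() []byte {
	k := sha256.Sum256([]byte("constructed-demo-key-do-not-use"))
	return k[:]
}

// GuestRecord is a hypothetical shape for what a hotel persists; the clear number is never written.
type GuestRecord struct {
	Name              string
	PassportMasked    string // e.g. "*****567", safe to show at the front desk
	PassportEncrypted string // base64(nonce || AES-256-GCM ciphertext+tag)
}

// EncryptField seals plaintext with AES-256-GCM under a fresh random nonce. The
// field context is bound as additional authenticated data, so a blob copied into
// a different column or table refuses to open.
func EncryptField(key []byte, context, plaintext string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nil, nonce, []byte(plaintext), []byte(context))
	return base64.StdEncoding.EncodeToString(append(nonce, sealed...)), nil
}

// DecryptField reverses EncryptField. A wrong key, wrong context, or any
// tampering all fail GCM's tag check and return an error, never garbage.
func DecryptField(key []byte, context, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(raw) < aead.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, sealed := raw[:aead.NonceSize()], raw[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, sealed, []byte(context))
	if err != nil {
		return "", errors.New("decryption failed: wrong key, wrong context, or tampered data")
	}
	return string(pt), nil
}

// MaskPassport keeps only the last three characters: enough for a clerk to confirm a document.
func MaskPassport(passport string) string {
	if len(passport) <= 3 {
		return strings.Repeat("*", len(passport))
	}
	return strings.Repeat("*", len(passport)-3) + passport[len(passport)-3:]
}

// NewGuestRecord turns raw check-in data into the form that is actually stored.
func NewGuestRecord(key []byte, name, passport string) (GuestRecord, error) {
	ct, err := EncryptField(key, "guest.passport", passport)
	if err != nil {
		return GuestRecord{}, err
	}
	return GuestRecord{Name: name, PassportMasked: MaskPassport(passport), PassportEncrypted: ct}, nil
}

func main() {
	key := demoDataKey()
	rec, err := NewGuestRecord(key, "A. Traveller", "X1234567") // constructed sample, not real data
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row: %+v\n", rec)
	// What a database dump yields to an attacker who did not also get the key:
	_, err = DecryptField(make([]byte, 32), "guest.passport", rec.PassportEncrypted)
	fmt.Println("dump without key:", err)
}
```

Run it with go run. The wrong-key decrypt fails on GCM’s authentication tag rather than returning garbage, and the context binding means a ciphertext lifted from one column cannot be replayed into another. Encryption at rest is not a substitute for keeping attackers out, but it is the difference between a breach of passport numbers and a breach of opaque blobs.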
They Need To Take Responsibility
Government organizations, Veeam, Marriott: the list goes on, and on, and on. It’s honestly too long to reproduce here, but this article does a good job of summarizing it. From your donuts to your stocks, nothing is safe anymore, because these organizations made cybersecurity a lower priority, safeguarding themselves but not you, the paying customer.
We are seeing a pattern of not caring about cybersecurity. We’re pushing cloud this and cloud that, but nobody is warning people and companies that public clouds aren’t safe by default. AWS, for example, secures the underlying platform; how you configure IAM, access keys and storage permissions is your job, and the same goes for Microsoft 365. The teams companies hire to run these environments are probably underpaid, overworked, and reporting to a VP or CTO who hasn’t a clue what he or she is doing. There are plenty of people online describing how their company’s AWS account got hacked (often through a leaked access key) and they were left with a huge bill. It happens all the time. And don’t forget that AWS counts the CIA among its clients, and that US-based providers can be compelled under US law to hand data to agencies like the CIA and NSA, which is not exactly comforting.
I’ve seen a major clothing company with a VP who had a Bachelor’s in Computer Science alongside a Bachelor’s in Artificial Intelligence but didn’t know the basics of cybersecurity; yet this person was going to lead the team and was making bizarre, irrational choices for the company because she was the VP. She thought AWS was the solution that met their needs, and that it was cheaper as well, until I came in and crunched the numbers to show it wasn’t. On top of not being cheaper, they would lose some level of control over their business. Needless to say, she didn’t like that I pointed this out to the CEO. They decided to go with her ‘gut’, and a year later they were on the phone with my company, Techrich, here in Vancouver, trying to get a proper package that actually met their needs. I had some people from Compevo also help them fix their local infrastructure, because it was a mess; no wonder they were so vulnerable. My Compevo and Techrich teams are a combination of talent and certifications, and they are very strong in IT: so strong that not only did they fix the issues, they moved them onto packages that saved them money monthly, and they also took on some of the IT management role, since the company no longer had a VP (yes, you can guess why).
IT teams are not paid well; they’re expected to work overtime without compensation, even to take work home. They are overworked, understaffed and burdened by incompetent management. You need to fix your IT management: the managers and executives who think they know best.
HR Needs To Stop Being Responsible For IT
Yes, I said what all of IT is already thinking. HR is the single biggest reason we have low-quality cybersecurity and poor overall IT performance. They use third-party resume-screening software that filters on keywords, without ever properly looking at the quality and character of the candidate. They demand a list of qualifications (bachelor’s degrees, certificates and so on) that many people go into debt to obtain, only to get hired and not know a thing.
How is this possible with all those papers? Let me give you an example: the CCNA, Cisco’s certification. You can read and study for three months and pass the CCNA without touching a single piece of Cisco hardware. HR lists ‘CCNA’ on a posting, wanting a CCNA-certified person and assuming that person knows how Cisco gear runs. Surprise: they don’t. They know how to get certified, not how to run Cisco. The same goes for ITIL certificates and, honestly, most certificates.
And yet there HR is, sifting through the resumes, passing over the expert with 10+ years of real hands-on Cisco experience in favour of the CCNA-certified guy.
I have a family member who works for a large Fortune 500 company as an IT Director. He complained that HR gets all the resumes, picks the top 5 or 10, and sends them to him, and he has to pick from those and interview them. Being in IT and knowing the job better than HR, he can already tell that these candidates aren’t up to par, but he’s forced to hire from that pool. Hence, something like the Marriott data breach happens.
I’ve seen HR shortlist candidates based on the degrees they carried, and yet they couldn’t do the job, even though top companies like Google, Apple and Facebook don’t hire only degree holders.
It’s frustrating when seasoned professionals like me can see it but we’re not allowed to say it, because somehow it’s a taboo subject. It’s a problem; we need to say it, and we need to get back to hiring based on experience and training regularly on the job. Companies need to send their staff for more hands-on training. Those people coming out with degrees and certificates, you should hire them, but the other half of the team needs to be the hardcore IT nutbags; those are the people who will get you secured, and who can train your fresh graduate into a properly functioning, thinking cybersecurity specialist or IT team member.
I regularly get my staff at both Techrich and Compevo to learn new things. I had some staff who showed interest in Kubernetes, so I sent them to an online school to get certified, but I warned them it would not be enough and told them to start playing with containers. They passed the certifications but saw they didn’t really know anything, so they did what I told them: they started playing around with it until they were applying the knowledge and making a mess of it all.
There were two staff who wanted to get into white-hat hacking like a few of their colleagues, so I got them into online white-hat hacking classes and gave them servers to go nuts on. They practised and learned, and now they’re part of my cybersecurity team at Compevo.
It cannot be that you only have a certification; you need hands-on experience, which I know sucks for those who just graduated, since the only way to get experience is to do the job. There needs to be experience of what to do when ‘shit goes down’.
You’re Going To Need The Guy Who Can Think On The Fly
You have a choice between two candidates: the one with the bachelor’s in IT, or the one who spent all that time working. Hire the one who spent all that time working. Chances are that during the four years the first candidate was learning from old books at school, this one was on the job learning on the fly. What does that give you? The IT person who can think on the fly, who can process and respond faster, who can pick up new skills and tailor your IT to your needs, who can save you money and secure your company better. Those who come out after four or even eight years of school are going to know a lot of stuff, but they’re going to be book smart, not street smart, in IT. They’re going to tell you things like ‘let’s Microsoft 365 this’ or ‘let’s do AWS’, because they were trained like zombies to rely on multi-million dollar corporations to hold your company’s data and your customers’ data, insecurely, making everything theirs and keeping nothing yours. Their whole goal is to make you reliant on their product so that you don’t look at how insecure you’re being.
I’m not saying don’t hire the bachelor’s degree at all. I’m saying that if that degree is important to your company, by all means hire for it, but remember that it only takes one hack for your customers to stop trusting you, and if you’re a small or medium-sized business, that trust is 100% your image.
To prevent these data breaches we need to see lawsuits. Watch how fast the industry and companies change their tune on privacy and cybersecurity. Here are some of my recommendations.
- Take IT hiring away from HR. This practice needs to stop. The head of IT, or the manager responsible for IT, needs to be the one writing the job description and doing the hiring, not HR.
- Build a combo team. As much as I vouch for experience over a bachelor’s or even certificates, I still think a team that blends both is a good idea; it makes for a solid IT team. 60-70% should be the IT masters who live and breathe IT, and the rest should be the certificate and degree holders. Together, you should have a good team looking after your cybersecurity and IT needs.
- Pay for extra training and give IT a bigger budget. If you have a two-person IT team overseeing your development, programming, e-commerce, cybersecurity and everything else, because you think it’s all the same thing: you need to be fired. These are separate jobs and should each have a separate person. If you are overworking your IT team, you’re going to have holes in your infrastructure and your security.
- Give them your loyalty and care. Depression and anxiety are rampant in IT, something that isn’t discussed. Stop overworking your IT team just because your company can. Give them praise, bonuses, even coffee and lunch every Friday; it builds spirits.
- Make sure your IT team has its needs met. Don’t skimp on IT budgets here. Pay them well, give them good vacations and proper titles. I know of Help Desk positions that routinely do senior-level work but aren’t paid for it or given a title to match.
- Continue to train and teach. IT is always changing, with new technology emerging all the time. Set aside budget to keep your team on the ball so they stay up to date with the latest IT. This keeps your company efficient and secure.
That’s all I have for today, but keep my suggestions in mind. Think about what this is costing the customer. I know I do not trust companies that have been hacked as a result of neglect. Veeam leaving a customer database online with no password, Marriott storing passport numbers unencrypted, and so many other examples have made me loyal to the companies that care about my private information and critical of those that don’t.
What are your thoughts? Should people start suing companies that have breaches as a result of neglect or downright oversight?