The ethical aspects of cybersecurity are not a big part of the curriculum of IT security students, but they should be. Cybersecurity is more than technology. Hacks and breaches can have a profound impact on people’s privacy or even their professional career. With technical cybersecurity and network consultant Fons Quidousse we discussed how ethics should get more attention and how Management should be its sponsor.
A key aspect of cybersecurity is the protection of privacy and confidentiality of data. What’s your view?
Fons: We often talk about the CIA triad, where CIA stands for Confidentiality, Integrity and Availability. If any of these three elements is breached, we talk about a hack, regardless of whether the hack was intentional or not. As companies are increasingly interconnected with one another, the impact of a breach at one organization will have an impact on other organizations too. Leaking an email password, for instance, can have much wider ramifications than just to the company where the password was leaked. This applies to any hack. Just look at what happened when IT security was breached in a school in Kortrijk, recently. The school had to be closed for several days to give the IT department the time to get everything up and running again.
Ethics vs revenue
Are organizations alive to the wider ramifications of breaches?
Fons: The situation is not perfect yet, of course, but we are making progress. In the domain of privacy for instance, the GDPR legislation has spurred companies to get their house in order. It would be better, I think, if organizations did not wait for Government to impose rules and regulations. Being proactive can be rewarding.
Ethical questions are never easy for businesses that tend to focus on revenue and profit. This is not just the case for cybersecurity; you see the same thing when it comes to climate change. That’s why, I think, any security audit needs to take a broad view. If you’re conducting an audit in a hospital, the auditor needs to highlight the consequences of spending too little on IT security.
Perhaps we should alert Management to the cost impact of a security breach? Should we monetize the ethical consequences?
Fons: You are right in stating that Management should care more. Cybersecurity is an issue that should be discussed at management level and should be championed by Management. I think you should make it more tangible, for instance by looking at a personal use case: what happens if someone can’t pay the rent because his company was hacked and had to shut down for a long period? What happens if a patient does not get medication on time? That will get people thinking. On a second level, you need to look at the cost you can avoid by having proper IT security. That’s a risk analysis: what is the cost of updating security infrastructure versus the cost of a hack or a ransomware attack. On a third level, you manage the long-term impact of cybersecurity, for instance by instilling a culture of security where employees feel better in a company that clearly demonstrates that cybersecurity is a corporate value. This is more difficult to calculate, but employee experience is a key parameter.
Is the cost of failed cybersecurity easy to measure?
Fons: Some costs are easy to quantify. If a ransomware attack shuts down a factory for a couple of weeks, you know what revenue you are missing. Other aspects are less easy to measure in numbers. How do you measure a tarnished reputation? A cyberattack that is widely publicized will cause reputational damage. The extent of the damage may differ from one industry to another, and a good communication plan can limit that damage.
Another ethical question on ransomware is whether you should pay up or not. What do you think?
Fons: Ha, that is literally the one-million-dollar question. I don’t have a clear-cut answer. As an outsider, it is easy to say that you should not pay up. Paying is an incentive for criminals to continue their line of business. It’s like not negotiating with terrorists, right? But if a ransomware attack shuts down your company, I understand that it’s tempting to pay up and hope you get the decryption keys. I can only repeat that setting up proper security is the best way of preventing ever having to pay. Make sure your cybersecurity is optimal, ensure you have the right backups that are stored in an external location… That’s the best insurance against ransomware.
Finding the right balance
Sometimes there’s a bit of a dilemma in cybersecurity: if you are monitoring everything on your network, couldn’t it happen that you are actually going further than what privacy allows?
Fons: It’s a very thin line indeed, but that is no different in the virtual world than it is in the physical world. If the police conduct a search in someone’s home, that’s also a breach of privacy. But a necessary one, perhaps. Such a search will only happen when there are indications of a crime. In the real world, we have more experience in finding the right balance than in the virtual world. There’s more experience and a better legal framework. It is less clearly defined what actions a security administrator can or can’t perform. On the other hand, as an end-user, you should not assume that an IT administrator is watching your every move and recording it. It’s a question of mutual trust, I guess. Companies implement security to do right, not to do wrong. Of course, an IT administrator can overstep his privileges, just like a police officer could make improper use of his service gun.
On the same topic, there’s also the question of a Data Protection Officer (DPO) or Chief Information Security Officer (CISO) stumbling upon illegal business practices when auditing a company. Is it clearly defined what needs to be done? Should a DPO act as a whistleblower?
Fons: A DPO will always take a broad view, looking at data classification, how data is stored… In an ideal world, illegal activities will be prevented. If it does happen anyway, an organization will need to decide whether it is something that can be solved internally or if the authorities need to get involved. That’s why the use of an external DPO is always a good thing. An external DPO need not fear losing their job by acting as a whistleblower.
Simac takes a broad view of cybersecurity
Do you see it as Simac’s role to keep insisting on the ethical aspects?
Fons: We should. And I think it differentiates us in the market. Anyone who has worked or partnered with Simac knows that we always look beyond the technology. It is in our DNA to take a broader view and not just reply to technical requirements. We put ourselves in the shoes of the customer and try to see what is important to them in the long run. That is typically the relationship that we build with our customers.
Fons Quidousse is technical cybersecurity & network consultant at Simac ICT Belgium. He helps his colleagues and clients to find the best possible solutions for challenges concerning networks and security. Fons has been working at Simac since October 2020.