This is one of those articles that we all need to read and think about. Kate Fazzini reports:
The cybersecurity vendor marketplace is growing so crowded that some companies have been resorting to extreme tactics to get security executives on the phone to pitch their products, including lying about security emergencies and threatening to expose insignificant breaches to the media.
[…]
For instance, all four executives said vendors tried to draw their attention to potentially exposed data on Amazon and Microsoft Azure cloud servers. None of this data included any current material information.
[…]
Two of the executives also said vendors used questionable tactics just to get through to their phone. Vendors have called in to report “emergency” incidents, then once they got past the company’s gatekeepers, turned the “alert” into a sales pitch. They have also lied to administrative staff about their reasons for calling, characterizing their call as a matter of grave security importance, only to present a sales pitch once they’d worked their way up to the right executive.
Read more on CNBC.
As someone who attempts to make notifications every week, and who is never calling with a sales pitch because I don’t sell anything, what these unethical vendors are doing concerns me greatly: it makes it harder for companies to trust that callers who are trying to notify them have good intentions.
But how do we deal with this? Ideas, folks?
I’m using this article as a basis for an ethics paper and found your query while doing background research. When I read the article, the first 3 things that came to mind are:
1. what are the statutory requirements for each organization to report a breach in the regions in which they do business?
2. anyone using those blackmail-like tactics (do this or I’ll turn the media against you) should be reported to the FBI. Period.
3. wouldn’t a better way to head this off be for the PR departments of these companies, in conjunction with the IT departments, to put out a statement that a vulnerability was detected and corrected, and that this is part of an ongoing effort to monitor their systems and protect all data, whether it was confidential or not? It could also be included that a cybersecurity vendor (unnamed) tried to use that information as leverage to secure a meeting and was reported to the FBI. It seems to me that this would be a much better way of handling the situation and discouraging this type of behavior. Get ahead of the news, own the narrative, and then put the warning out to other sleazy organizations that you can’t be bullied into a meeting.
The industry must be trusted in order for us to be able to influence and educate the organizations we are attempting to help. There are crooks and liars in every business. The goal is to pull the rug out from under them so they have no secure footing. Maybe the best way to make the first connection is to not attempt to get to the head. If the goal is to just warn of a vulnerability and leave it at that, then maybe contacting the department directly responsible and giving them the information is enough. We can’t put out all the fires in the world. We can only let them know where the fire is. The rest is up to them.
Part of the problem is that some vendors will claim that they made no such extortion or high-pressured demand and the entity is just trying to deflect the spotlight from their failure to the vendor. And in some cases, they’ll be right.
There are plenty of legit whitehats/researchers who get met with hostility and accusations when they really are just trying to notify an entity. Hell, I’ve been accused a bunch of times of conspiring with hackers or trying to extort just because I try to alert entities that they’ve been hacked and I’ve been sent data, etc…
I do like the idea of naming and shaming sleazy vendors or “researchers,” even if the FBI isn’t contacted, but that, too, is still risky.
As to your other suggestion: I never ask for the CEO of a firm, but because I get a lot of run-around and extension-chasing, I do often ask for the CISO or Chief Privacy Officer — desperately trying to get someone who will appreciate the seriousness of what I’m trying to alert them to.
Just some food for thought for you from the trenches of notification.
I hope you’ll share your ethics paper when it’s done. I’d love to read it!