Dispelling the Myth of Boring Cyber

Claudiu’s Observation: As part of a rapid fire succession of TV interviews earlier this week, I had the opportunity to read a 12-page report prepared for the board of directors of the Toronto Public Library following the security breach that devastated IT operations, affected more than 100 branches, compromised the personal information of employees going back to the previous millennium and shattered the preconception that the organization's security infrastructure was at any level of maturity prior to the surprise attack.

Leaning heavily into the narrative that a low level of preparedness is inherent, if not endemic, to public sector organizations, the report takes pains to explain that a deterioration of social norms is the evidence pointing to a trend towards the moral degeneracy that fuels attacks on socially important elements, such as libraries and other places of cultural importance. Although the report stops short of implying that security is tedious or unnecessary, it strongly hints at the suggestion that were it not for the aforementioned negative trends, the organization's previously lackadaisical approach to security would have continued to be sufficient to enable its operations.

Alas, the necessary evil of data protection safeguards, with all those preventative measures, constant need for monitoring and detection, capacity for rapid intervention and all the tedium that goes along with the care and feeding of this entire aspect of modern operations would ostensibly be superfluous, were it not for the forces of evil that are now a fixture of society.

That kind of rhetoric might be acceptable if it was purely intended as a soporific for the consumption of a non-IT savvy board of directors, but when the news media buy the narrative and reprint it without a shred of critical interest, it tends to do the public the grave disservice of desensitizing the reader to what is a catastrophic event with far-reaching consequences. And what's worse, it invites the risk of minimizing, trivializing and normalizing the high-impact losses incurred by victims whose irreplaceable identity data was stolen as a result of a culture that assumed that security might be a necessary evil, but not worth seriously engaging with just yet.

Claudiu's Conclusion: The risk of downplaying breaches and externalizing blame is that an indiscriminate subset of the media will adopt it verbatim, doing itself and the public the disservice of setting a normalizing precedent for future incidents. To be clear, cyber breaches are always serious and sufficient effort should be invested in understanding how they unfolded and what lessons can be drawn from the situation.

Suggested questions for cybersecurity experts:

Finally, how can astute reporters help the reader to spot logical fallacies? For instance, the report's conclusion lamented the focus of cybercriminals on organizations with valuable data to be stolen. This is positioned as the antithesis of "intellectual freedom and openness for all". Is this a fair point to make, or would a better outcome be achieved by simply recognizing that security, privacy and sensible data protection practices actually strengthen the fabric of civil society, contributing strong elements to a pervasive resilience that enhances everyone's peace of mind, among numerous other tangible benefits.

For professional analysis and media soundbites by a certified security and privacy expert with 35 years of experience, click here to request an interview with Claudiu Popa, author of the Canadian Cyberfraud Handbook, CEO of Datarisk Canada, President of Managed Privacy Canada and co-founder of the KnowledgeFlow Cybersafety Foundation, Canada's only non-profit dedicated to bringing digital literacy to vulnerable sector audiences via accredited data protection professionals.