Stop the Cybersecurity Blame Game

In December, genetic testing company 23andMe acknowledged a hack that led to the theft of nearly seven million customers’ data. As the New York Times reported, criminals obtained “ancestry trees, birth years and geographic locations.” This kind of digital theft may have felt personal to many of those impacted.

The other thing that makes the response to this breach surprising was that the genetic testing company appeared in media reports to place much of the blame for the incident on customers. After a class action lawsuit was filed, 23andMe’s attorneys said in a letter to plaintiffs that impacted customers “used the same usernames and passwords used on 23andMe.com as on other websites that had been subject to prior security breaches, and users negligently recycled and failed to update their passwords following these past security incidents.”

Digital intrusions are inevitable, even at companies with the strongest of protections in place. But how a company approaches protections for their customers, and the fallout after an incident, can make the difference between maintaining, building, or losing trust. The right approach is to take full responsibility, and take full ownership of customer security, instead of appearing to play the blame game. Data about consumer preferences makes this point in a powerful way: 94% of consumers Telesign surveyed in 2023 agreed that businesses — not the consumers themselves — bear responsibility for protecting their digital privacy.

Our survey also shows that, paradoxically, respondents admit they don’t always do enough themselves to protect their own data. That can include, as the 23andMe lawyers pointed out, not changing passwords after being alerted they need to do so. However, that does not change the fact that, in order to maintain trust, it is the digital business that needs to own the responsibility to protect digital privacy. Through this lens, it is always a bad idea to even subtly suggest that it is the customer’s job to protect themselves in order to deflect the blame.

Once a customer signs up for your service, it becomes your responsibility to protect the data they share with you from fraudsters. The good news is there are many ways to do that. For example, require multi-factor authentication (MFA). This simply means an extra step, often a one-time-passcode (OTP) sent via text, email, or through many other channels, before a log-in or transaction is approved. And by the way, sending a highly secure OTP via text message costs less than one penny in the United States. When you value a customer relationship, that is a minor but smart investment. There are also other options, such as RCS messages, that are increasingly effective, secure, and cost-effective.

In addition to stronger passwords and MFA, another layer of defense for enterprises is to utilize services that allow them to monitor breached data on the dark web, which helps determine if and when customer data has been compromised. In those instances, additional security steps can be requested to secure both the customer’s account and your digital infrastructure.

Even with all of these resources available to protect customers, we too often see the trend of not taking enough responsibility to protect people on digital platforms. For example, when it comes to MFA, some companies are removing Short Message Service (SMS) verification — or text messages, as they are commonly known —as an option. Alternatively, some companies now charge for the service. Some suggest that SMS verification is inherently less secure — which it can be, in some cases. However, there are solutions that score phone numbers for fraud risk before an SMS message is sent. And others that allow “silent” verification in which a number is tested for fraud risk without the need to send a text message. These innovations can stop many fraudsters in their tracks.

On the other hand, taking ubiquitous tools away from customers that allow them to keep their accounts secure — or making them pay extra for them — sends the wrong message. In the case of SMS verification, companies that do that are essentially saying that they are unwilling to pay a single penny to help a customer verify their identity in order to keep their account safe.

It's also crucial not to blame customers for digital intrusions when they happen. There are many reasons people may not take every necessary step to protect themselves online. To make an analogy, most of us know we should eat right and exercise, but sometimes fall short of that standard. So, assume customers aren’t doing enough to protect their digital identities and step up to help them do it when they are on your platform. That means creating the right amount of friction when they are logging in, or transacting, including putting in place multi-factor authentication. Educate them on why that friction is there: to keep their digital interactions safe. And if things go wrong, take responsibility. Explain the steps you are taking to fix the problem.

Owning that responsibility — never blaming — is one of the secrets to building and maintaining trust. When you make that investment in your customer relationships, anything is possible.

Featured

  • New Report Reveals Top Trends Transforming Access Controller Technology

    Mercury Security, a provider in access control hardware and open platform solutions, has published its Trends in Access Controllers Report, based on a survey of over 450 security professionals across North America and Europe. The findings highlight the controller’s vital role in a physical access control system (PACS), where the device not only enforces access policies but also connects with readers to verify user credentials—ranging from ID badges to biometrics and mobile identities. With 72% of respondents identifying the controller as a critical or important factor in PACS design, the report underscores how the choice of controller platform has become a strategic decision for today’s security leaders. Read Now

  • Overwhelming Majority of CISOs Anticipate Surge in Cyber Attacks Over the Next Three Years

    An overwhelming 98% of chief information security officers (CISOs) expect a surge in cyber attacks over the next three years as organizations face an increasingly complex and artificial intelligence (AI)-driven digital threat landscape. This is according to new research conducted among 300 CISOs, chief information officers (CIOs), and senior IT professionals by CSC1, the leading provider of enterprise-class domain and domain name system (DNS) security. Read Now

  • ASIS International Introduces New ANSI-Approved Investigations Standard

    • Guard Services
  • Cloud Security Alliance Brings AI-Assisted Auditing to Cloud Computing

    The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, today introduced an innovative addition to its suite of Security, Trust, Assurance and Risk (STAR) Registry assessments with the launch of Valid-AI-ted, an AI-powered, automated validation system. The new tool provides an automated quality check of assurance information of STAR Level 1 self-assessments using state-of-the-art LLM technology. Read Now

  • Report: Nearly 1 in 5 Healthcare Leaders Say Cyberattacks Have Impacted Patient Care

    Omega Systems, a provider of managed IT and security services, today released new research that reveals the growing impact of cybersecurity challenges on leading healthcare organizations and patient safety. According to the 2025 Healthcare IT Landscape Report, 19% of healthcare leaders say a cyberattack has already disrupted patient care, and more than half (52%) believe a fatal cyber-related incident is inevitable within the next five years. Read Now

New Products

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions.

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols.

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame.