Stop the Cybersecurity Blame Game

  • By Christophe Van de Weyer
  • Mar 28, 2024

In December, genetic testing company 23andMe acknowledged a hack that led to the theft of nearly seven million customers’ data. As the New York Times reported, criminals obtained “ancestry trees, birth years and geographic locations.” This kind of digital theft may have felt personal to many of those impacted.

The other thing that makes the response to this breach surprising was that the genetic testing company appeared in media reports to place much of the blame for the incident on customers. After a class action lawsuit was filed, 23andMe’s attorneys said in a letter to plaintiffs that impacted customers “used the same usernames and passwords used on 23andMe.com as on other websites that had been subject to prior security breaches, and users negligently recycled and failed to update their passwords following these past security incidents.”

Digital intrusions are inevitable, even at companies with the strongest of protections in place. But how a company approaches protections for their customers, and the fallout after an incident, can make the difference between maintaining, building, or losing trust. The right approach is to take full responsibility, and take full ownership of customer security, instead of appearing to play the blame game. Data about consumer preferences makes this point in a powerful way: 94% of consumers Telesign surveyed in 2023 agreed that businesses — not the consumers themselves — bear responsibility for protecting their digital privacy.

Our survey also shows that, paradoxically, respondents admit they don’t always do enough themselves to protect their own data. That can include, as the 23andMe lawyers pointed out, not changing passwords after being alerted they need to do so. However, that does not change the fact that, in order to maintain trust, it is the digital business that needs to own the responsibility to protect digital privacy. Through this lens, it is always a bad idea to even subtly suggest that it is the customer’s job to protect themselves in order to deflect the blame.

Once a customer signs up for your service, it becomes your responsibility to protect the data they share with you from fraudsters. The good news is there are many ways to do that. For example, require multi-factor authentication (MFA). This simply means an extra step, often a one-time-passcode (OTP) sent via text, email, or through many other channels, before a log-in or transaction is approved. And by the way, sending a highly secure OTP via text message costs less than one penny in the United States. When you value a customer relationship, that is a minor but smart investment. There are also other options, such as RCS messages, that are increasingly effective, secure, and cost-effective.

In addition to stronger passwords and MFA, another layer of defense for enterprises is to utilize services that allow them to monitor breached data on the dark web, which helps determine if and when customer data has been compromised. In those instances, additional security steps can be requested to secure both the customer’s account and your digital infrastructure.

Even with all of these resources available to protect customers, we too often see the trend of not taking enough responsibility to protect people on digital platforms. For example, when it comes to MFA, some companies are removing Short Message Service (SMS) verification — or text messages, as they are commonly known —as an option. Alternatively, some companies now charge for the service. Some suggest that SMS verification is inherently less secure — which it can be, in some cases. However, there are solutions that score phone numbers for fraud risk before an SMS message is sent. And others that allow “silent” verification in which a number is tested for fraud risk without the need to send a text message. These innovations can stop many fraudsters in their tracks.

On the other hand, taking ubiquitous tools away from customers that allow them to keep their accounts secure — or making them pay extra for them — sends the wrong message. In the case of SMS verification, companies that do that are essentially saying that they are unwilling to pay a single penny to help a customer verify their identity in order to keep their account safe.

It's also crucial not to blame customers for digital intrusions when they happen. There are many reasons people may not take every necessary step to protect themselves online. To make an analogy, most of us know we should eat right and exercise, but sometimes fall short of that standard. So, assume customers aren’t doing enough to protect their digital identities and step up to help them do it when they are on your platform. That means creating the right amount of friction when they are logging in, or transacting, including putting in place multi-factor authentication. Educate them on why that friction is there: to keep their digital interactions safe. And if things go wrong, take responsibility. Explain the steps you are taking to fix the problem.

Owning that responsibility — never blaming — is one of the secrets to building and maintaining trust. When you make that investment in your customer relationships, anything is possible.

Featured

  • AI Is Now the Leading Cybersecurity Concern for Security, IT Leaders

    Arctic Wolf recently published findings from its State of Cybersecurity: 2025 Trends Report, offering insights from a global survey of more than 1,200 senior IT and cybersecurity decision-makers across 15 countries. Conducted by Sapio Research, the report captures the realities, risks, and readiness strategies shaping the modern security landscape. Read Now

  • Analysis of AI Tools Shows 85 Percent Have Been Breached

    AI tools are becoming essential to modern work, but their fast, unmonitored adoption is creating a new kind of security risk. Recent surveys reveal a clear trend – employees are rapidly adopting consumer-facing AI tools without employer approval, IT oversight, or any clear security policies. According to Cybernews Business Digital Index, nearly 90% of analyzed AI tools have been exposed to data breaches, putting businesses at severe risk. Read Now

  • Software Vulnerabilities Surged 61 Percent in 2024, According to New Report

    Action1, a provider of autonomous endpoint management (AEM) solutions, today released its 2025 Software Vulnerability Ratings Report, revealing a 61% year-over-year surge in discovered software vulnerabilities and a 96% spike in exploited vulnerabilities throughout 2024, amid an increasingly aggressive threat landscape. Read Now

  • Motorola Solutions Named Official Safety Technology Supplier of the Ryder Cup through 2027

    Motorola Solutions has today been named the Official Safety Technology Supplier of the 2025 and 2027 Ryder Cup, professional golf’s renowned biennial team competition between the United States and Europe. Read Now

  • Evolving Cybersecurity Strategies

    Organizations are increasingly turning their attention to human-focused security approaches, as two out of three (68%) cybersecurity incidents involve people. Threat actors are shifting from targeting networks and systems to hacking humans via social engineering methods, living off human errors as their most prevalent attack vector. Whether manipulated or not, human cyber behavior is leveraged to gain backdoor access into systems. This mainly results from a lack of employee training and awareness about evolving attack techniques employed by malign actors. Read Now

Most   Popular

New Products

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening.

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings.

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge.