Security breach? Don’t blame your employees

It's not just the responsibility of the employees to keep your startup's data safe

“As we all know, humans are often the weakest part of the security chain.”

Those are the words of Reddit CTO Christopher Slowe, who was quick to play the blame game in a post announcing that Reddit experienced a breach of internal data last week. He explained that the platform was compromised after an attacker sent “plausible-sounding prompts” to employees that redirected them to a website impersonating Reddit’s intranet portal in an attempt to steal credentials. Reddit said users’ data was safe.

Hackers successfully obtained an employee’s credentials, Slowe said, before calling out said employee — who decisively self-reported the incident to Reddit’s security team — as the “weakest link” in the company’s security defenses. (Ironically, Slowe went on to advise users to “update your password every couple of months,” a practice that is no longer recommended by most cybersecurity experts.)

Reddit isn’t alone in pointing the finger following a breach, and many organizations have defaulted to a blame culture when it comes to data security.

Equifax, which suffered a data breach that compromised the Social Security numbers and other sensitive data of more than 145 million people, blamed a single IT technician for the incident. “An individual did not ensure communication got to the right person to manually patch the application,” said former Equifax CEO Richard Smith, who was forced to resign within two weeks of the massive breach’s disclosure.

And SolarWinds — no stranger to security lapses — blamed an intern after it was revealed that one of the company’s update servers could be accessed using the password “solarwinds123.”

You’re going to get hacked

Your startup is likely going to get hacked. Data from cybersecurity company Check Point shows that organizations in the U.S. were hit by an average of 849 cyberattacks per week last year, and startups are often a prime target.

When your startup does get hacked, it will be because of human error. Social engineering attacks — whereby attackers prey on and manipulate employees into handing over sensitive details — are on the rise and have claimed a number of high-profile corporate victims in recent months, from Twilio and Mailchimp to Revolut and Uber. Verizon’s annual data breach investigations report last year found that as many as 82% of data breaches involved humans in some way.

However, these mistakes are rarely malicious and typically come as a result of simple human error, inattentiveness or a lack of training on how to handle sensitive information. While the word “mistake” implies that the employee in question has committed an act or judgment that is misguided or wrong, this is most often not the case.

Regardless, not a single one of these reasons justifies any organization blaming the employee for the breach. And it certainly doesn’t justify firing said employee. Security startup Tessian published research last year that found that one in four employees lost their job in the last 12 months after making a mistake that compromised their company’s security.