As a long-time Have I Been Pwned fan, I like to keep up with what Troy Hunt is saying about security. In this post, he makes the argument that publicly shaming bad corporate security is a net positive. This kind of direct public pressure, whether from journalists, security researchers, or anyone with social reach, affects not only the company being shamed. It can have a knock-on effect within an industry, with competitors scrambling not to be caught in the same position.
The piece specifically responds to criticism of shaming companies for posting ludicrous security statements on social media, ones that are clearly false and easy to mock. For Troy, having sympathy for the “poor customer service rep” doesn’t do anyone any good. Regardless of their pay grade, they are a mouthpiece for a larger company, and they are choosing to engage on security issues. Troy goes on to give some advice on how to engage with security questions on social media, which all companies should implement.
Overall I agree with Troy that bad security deserves to face public scrutiny, even shame. And any customer service rep who engages with security researchers or journalists is just asking for trouble. But it is worth considering that this is the age of the cheeky corporate Twitter account. Brands are building personas for their social media profiles, and anything that comes at that account will be filtered through that lens of ambient snark. This doesn’t excuse ignorance. Indeed, it almost certainly makes it worse. And it’s just those kinds of exchanges that go viral and really shame a company. I guess I just don’t like the idea of anyone getting fired as a result of following the brand guidelines of a snarky Twitter persona (also, that statement may be the most cyberpunk thing I ever write).
IT security, like the rest of IT, often takes a less than proactive approach. If public shame for bad security causes positive change, then it’s worth it. But let’s just retrain the social media managers on how to engage with technical security critiques rather than fire them, okay?
Troy Hunt comments:
What public shaming does is appeals to a different set of priorities; if, for example, I was to privately email NatWest about their lack of HTTPS then I’d likely get back a response along the lines of “we take security seriously” and my feedback would go into a queue somewhere. As it was, the feedback I was providing was clearly falling on deaf ears.
Read more at: The Effectiveness of Publicly Shaming Bad Security