When faced with a cyber security breach, it's easy to point the finger. But there are often multiple factors at play that make businesses vulnerable to an attack. Placing the blame with either an individual or a team can ignore the wider issue and leave the organisation susceptible to future crimes. So, how can businesses effectively deal with attacks without getting personal? 

Approach is as a ‘whole company’ issue

"It is quite typical to blame someone for a successful attack," says Lorenzo Grillo, managing director of cyber risk services at Alvarez & Marsal LLP.

There are two types of threat, Grillo explains: adversarial and accidental threats. "In the adversarial attacks where people try to attack the company, usually the blame is on the IT department or the cyber department. For an accidental one, where someone inadvertently makes an action that compromises the company's security, the blame is on that person." 

He believes the first step to a 'no blame' culture is understanding that cyber security goes beyond the IT department.

"The only way to avoid blaming it on someone is to understand that cyber security is not an IT responsibility but is a company responsibility," says Grillo, who believes that cyber security should be on the agenda for the whole business.

"And with that, the board directors should know the cyber risks and the level of the risk appetite. They should manage cyber risk the same way you manage any other enterprise risk."

Companies can spread knowledge of the risks by having effective cyber security policies that the whole business is aware of and mandatory training that evolves with criminal behaviour.

Expect more than one failing

Beyond IT teams, it's also important not to fixate on an individual in the light of a cyber attack. 

Jim Gee, head of forensic services at audit, tax, advisory and risk firm Crowe, says there often isn't one single person responsible for an event. Instead, the issues are generally procedural or managerial.

"There isn't a simple technological fix to prevent cybercrime – it is a question of when, not if – but we need to focus on the right processes and management rather than blame individuals," says Gee.

Sometimes those in governance or managerial positions have not had access to independent specialist expertise to challenge those responsible for IT. At other times, incident recovery plans have not been tested in mock response exercises.

"Sometimes organisations don't have a specific cybercrime response plan, only something much more general; and sometimes there is a lack of understanding about the seriousness of the cybercrime problem and consequently, a lack of training and awareness," he says. 

Investigate thoroughly

The best way to prevent an issue from occurring again is to investigate it properly while ensuring it doesn't become a witch-hunt.

"The purpose of an investigation shouldn't just be to understand who caused the incident, but rather should focus on how it occurred and delving deeper into the why," says Javvad Malik, security awareness advocate at security awareness training provider KnowBe4.

"In doing so, organisations can not only avoid blaming individuals, but find and fix the root causes of the actual incident; whether that be through training, additional technology, or fixing a broken process."