No, Panera Bread Doesn’t Take Security Seriously is a heartfelt piece by Dylan Houlihan regarding a company that was notified responsibly of a privacy breach but apparently failed to act until, some 8 months later, it was informed by Brian Krebs. Then, all of a sudden, it reacted.
This is far from the first time a whistleblower has been rebuffed.
Organizations clearly need strategies, policies and procedures for receiving and dealing with incident notifications and warnings of all sorts.
Doing so makes sense for several good reasons:
- Business reasons e.g. hacking, fraud, privacy breaches and other inappropriate disclosures;
- Compliance reasons e.g. PCI-DSS and [soon] GDPR;
- Ethical/social reasons e.g. offensive/inappropriate behavior or bribery & corruption by workers, failure to uphold corporate social responsibilities;
- Bringing those responsible for various issues to account.
So why don't they? Lame excuses include:
- It's not the done thing;
- We can't be bothered - we don't give a hoot - we simply don't care;
- It hasn't occurred to us;
- It is too risky to open Pandora's box;
- It positively invites trouble;
- It is too expensive;
- It is not a priority - there are More Important Things we'd rather do;
- We didn't invent it;
- We are not formally required to do anything of the sort, therefore we won't even consider it - it's not on the table.
More sinister reasons include:
- We are scared of being found out and held to account;
- We know we have big issues already - telling us won't help;
- So long as we have our eyes closed and fingers in our ears, we can pretend everything is alright.