When it comes to cybersecurity, there is no magical solution that wards off every attack. Some incidents are inevitable, which makes assigning blame after the fact counterproductive. It is more useful to recognize the efforts of security professionals who work with the resources they have.


Cyberspace is vast and complex, encompassing a multitude of technologies. Every piece of technology employed within an organization brings inherent risks and vulnerabilities. Despite this, we often have high expectations for employees to navigate these digital challenges flawlessly.

Therefore, it is vital to foster a culture of security awareness where employees are cyber-vigilant and shielded from manipulation by cunning threat actors. Instead of solely burdening security personnel with the responsibility of risk mitigation, it is important to distribute this responsibility throughout the workforce.

Rejecting the blame culture

Alexander Pope famously stated, “To err is human,” reminding us that everyone is prone to making mistakes. It is essential, therefore, to cultivate an environment where employees are encouraged to understand and adhere to cybersecurity policies established by the organization. When employees inadvertently click on a malicious link or download a suspicious file, they are faced with two choices: either ignore the mistake or take responsibility and report it.

In a blame-centred cybersecurity culture, people are reluctant to report errors, so a clicked link or an opened attachment goes unnoticed until the attacker has had time to act, and the company is more likely to suffer the full consequences. Conversely, a climate that welcomes and rewards self-reporting produces an open cybersecurity culture in which incidents surface while they are still small.

This, in turn, encourages employee engagement and heightened vigilance, effectively reducing the organization’s exposure to cyberattacks.

Rather than punishing employees for failing phishing tests, our focus should be on creating a culture that fosters and supports a cyber-vigilant workforce. By adopting this approach, we can achieve significantly better outcomes in terms of reducing cyber risk.


Who is responsible for what?

Determining accountability when a business falls victim to attackers is complex, as is often the case in cybersecurity. It has become increasingly clear that merely warning users about the dangers of clicking malicious links or falling for social engineering is not effective on its own.

Recognizing this, the UK's National Cyber Security Centre (NCSC) has revised its guidance and urges organizations to avoid scare tactics and punishment in security awareness training.

Instead, the focus should be combining technical security measures with a supportive environment encouraging employees to report potential phishing attempts or hazardous links without fearing negative consequences.

Rarely should an end user be solely held responsible for a security incident. Users already have numerous responsibilities that demand their attention in order to perform their tasks efficiently, making it unreasonable to expect them to be constantly vigilant about security. It is the responsibility of leadership to create an environment where employees can safeguard themselves against social engineering threats.

An example that shows why MFA fatigue needs addressing is the Uber breach of September 2022, in which an 18-year-old hacker used an MFA fatigue attack. In this technique, also called MFA bombing or push spamming, the attacker already holds the victim's password and repeatedly triggers logins, so that the victim's phone or registered authenticator device is bombarded with second-factor approval prompts.

The objective is to wear the victim down until they approve one of the prompts, whether out of annoyance, confusion, or a belief that the request is legitimate; that single approval completes the attacker's login. Practical countermeasures include number matching (the user must type a code shown on the login screen, so a blind tap cannot approve an attacker's session), rate limits on push prompts, and alerting on bursts of rejected or expired prompts.
Technically, the person who approved the attacker's prompt can be said to have contributed to the incident. In the Uber case, however, neither Uber, the media, nor the security community blamed the contractor whose account was used for an honest mistake.

Instead, they expressed empathy and understanding toward the unfortunate circumstances that led to the catastrophic event.
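The pattern described above (a burst of second-factor prompts in a short window, followed by a single approval) is also what a detection rule can look for. The following is an added example written for this page, not code from the original article, from Uber, or from Rhyno. The newline-delimited JSON log format, the field and event names, the 10-minute window and the 5-prompt threshold are all assumptions chosen for illustration; map them onto your identity provider's own schema and tune the thresholds to your environment.

```python
"""Detect the MFA push-bombing (MFA fatigue) pattern in authentication logs.

Added example: not code from the original article, nor from Uber or Rhyno.
The JSON log format, field names, event names and thresholds are assumptions.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed: how long one burst of prompts may span
MIN_PROMPTS = 5                  # assumed: prompts inside one window that count as bombing

# Constructed sample log, one JSON object per line (not real telemetry).
# "push_sent" is a second-factor prompt pushed to the user's registered device;
# "push_approved" / "push_denied" / "push_timeout" record the user's response.
SAMPLE_LOG = """
{"ts": "2023-01-10T09:00:00Z", "user": "alice", "event": "push_sent", "src_ip": "198.51.100.20"}
{"ts": "2023-01-10T09:00:08Z", "user": "alice", "event": "push_approved"}
{"ts": "2023-01-10T21:00:05Z", "user": "contractor01", "event": "push_sent", "src_ip": "203.0.113.7"}
{"ts": "2023-01-10T21:00:50Z", "user": "contractor01", "event": "push_denied"}
{"ts": "2023-01-10T21:01:10Z", "user": "contractor01", "event": "push_sent", "src_ip": "203.0.113.7"}
{"ts": "2023-01-10T21:02:10Z", "user": "contractor01", "event": "push_timeout"}
{"ts": "2023-01-10T21:02:30Z", "user": "contractor01", "event": "push_sent", "src_ip": "203.0.113.7"}
{"ts": "2023-01-10T21:03:30Z", "user": "contractor01", "event": "push_timeout"}
{"ts": "2023-01-10T21:04:00Z", "user": "contractor01", "event": "push_sent", "src_ip": "203.0.113.7"}
{"ts": "2023-01-10T21:04:40Z", "user": "contractor01", "event": "push_denied"}
{"ts": "2023-01-10T21:05:15Z", "user": "contractor01", "event": "push_sent", "src_ip": "203.0.113.7"}
{"ts": "2023-01-10T21:06:15Z", "user": "contractor01", "event": "push_timeout"}
{"ts": "2023-01-10T21:06:40Z", "user": "contractor01", "event": "push_sent", "src_ip": "203.0.113.7"}
{"ts": "2023-01-10T21:07:02Z", "user": "contractor01", "event": "push_approved"}
{"ts": "2023-01-10T21:30:00Z", "user": "bob", "event": "push_sent", "src_ip": "203.0.113.9"}
{"ts": "2023-01-10T21:30:45Z", "user": "bob", "event": "push_sent", "src_ip": "203.0.113.9"}
{"ts": "2023-01-10T21:31:30Z", "user": "bob", "event": "push_sent", "src_ip": "203.0.113.9"}
{"ts": "2023-01-10T21:32:15Z", "user": "bob", "event": "push_sent", "src_ip": "203.0.113.9"}
{"ts": "2023-01-10T21:33:00Z", "user": "bob", "event": "push_sent", "src_ip": "203.0.113.9"}
"""


def parse_log(text):
    """Parse newline-delimited JSON events and return them in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_push_bombing(events, window=WINDOW, min_prompts=MIN_PROMPTS):
    """Return one finding per burst of >= min_prompts prompts inside `window`.

    stage == "attempted": the burst happened but nothing was approved. The
    password is still compromised (the attacker needed it to trigger the
    prompts), so reset it and investigate the source IP.
    stage == "approved": the user eventually approved a prompt in the burst,
    so the attacker most likely holds a live session now.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        recent = deque()     # push_sent events inside the sliding window
        current = None       # finding for the burst in progress, if any
        for e in evs:
            # drop prompts that fell out of the window before this event
            while recent and e["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            if not recent:
                current = None
            if e["event"] == "push_sent":
                recent.append(e)
                if len(recent) >= min_prompts:
                    if current is None:
                        current = {"user": user, "stage": "attempted"}
                        findings.append(current)
                    current.update(
                        prompts=len(recent),
                        first_ts=recent[0]["ts"],
                        last_ts=recent[-1]["ts"],
                        src_ips=sorted({p.get("src_ip", "?") for p in recent}),
                    )
            elif e["event"] == "push_approved":
                if current is not None and recent:
                    current["stage"] = "approved"
                    current["approved_at"] = e["ts"]
                recent.clear()   # an approval ends the burst either way
                current = None
    return findings


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_push_bombing(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['user']}: {f['stage']} push bombing, {f['prompts']} prompts "
              f"between {f['first_ts']:%H:%M:%S} and {f['last_ts']:%H:%M:%S} "
              f"from {', '.join(f['src_ips'])}")
```

On the sample log the detector flags contractor01 as an approved bombing (six prompts in under seven minutes, then an approval) and bob as an attempted one (five prompts, never approved), while alice's single prompt and approval produce nothing. The "attempted" stage matters as much as the "approved" one: a burst of unanswered prompts means the attacker already has a valid password, which is the cue to reset it and contact the user, not to reprimand them.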

'Blame culture' has no place in cybersecurity.

Everyone is vulnerable.

Social engineering attacks are deliberately designed to catch people at a moment when they are less vigilant or unsuspecting. Regardless of how much security awareness training an individual has received, they remain vulnerable. It is also important to acknowledge that not all attacks are alike, and that an organization's own decisions shape how exposed it is; Twitter is a case in point.

Because Twitter lost much of its security staff shortly after Elon Musk took control, the social media platform may receive little sympathy if it experiences another hack in the near future.

The company witnessed significant layoffs, with more than half of its personnel being affected, including leaders in compliance, privacy, and information security who departed. Both U.S. and international government authorities have expressed apprehensions about the security of Twitter as a consumer product, putting Musk in the spotlight for any potential future security breaches.

Creating a culture of awareness

Blaming end users or holding security professionals and executives accountable is not the solution. They can only work with the tools and skills available to them, and expecting them to do more than that is unrealistic.

Therefore, instead of fostering a culture of blame, our focus should be on cultivating a culture of security awareness that goes beyond merely teaching employees how to identify phishing emails and other scams. This entails educating the entire organization about the risks and threats involved and holding everyone accountable rather than solely relying on the security team to bear all the responsibility.

It is also worth noting that the security team often advises the company to adopt new controls or initiatives, only to be told that there is no budget available at the time. Regrettably, winning that support can be harder than expected, because businesses may not fully recognize the value of cybersecurity until after they have experienced a breach.




About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.

Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.
