
Who is ultimately responsible, though, when data is stolen in this fashion? The analyst who ETL'd this to Snowflake without MFA enabled? Or maybe the employee who inadvertently installed a data sniffer that captured usernames and passwords? Really want to send your coworkers to jail for falling for a phishing attack?

If you want corporate-death-sentence level fines, are you willing to work in an environment with exceedingly strict regulatory oversight? Will you work from an office where the computing infrastructure is strictly controlled? Where you can't bring personal devices to work? Where you have no privileges to alter your workstation without a formal security review?

Why not advocate for more resources to capture and try the actual criminals? Or, as elsewhere in this thread, simply make this kind of data collection illegal?



> If you want corporate-death-sentence level fines, are you willing to work in an environment with exceedingly strict regulatory oversight? Will you work from an office where the computing infrastructure is strictly controlled? Where you can't bring personal devices to work? Where you have no privileges to alter your workstation without a formal security review?

If it means that privacy and safety are actually respected, then yes. Working in an environment with "exceedingly strict" regulatory oversight would be a reassurance that observed violations will be dealt with in a timely fashion instead of being put in the backlog and never addressed.

> Why not advocate for more resources to capture and try the actual criminals?

Yes, why not? While we're at it, let's try and capture the easily-spotted criminals who perform the most trivial of attacks on servers. Just open up your SSH server logs and start going after and preventing the fecktons of log spam that hide real attacks.

> Or, as elsewhere in this thread, simply make this kind of data collection illegal?

Making something illegal is great! Unfortunately it doesn't really do anything to help people after it's been stolen a second time (first time was by AT&T if it were illegal).


If the data collection becomes illegal, what's the penalty for breaking that law? We're back to figuring out an appropriate punishment.



