Go ahead then, blame the victim
Quite a few words have been spent on media hyperbole regarding Operation Shady RAT and other recent high-profile attacks. This piece is particularly smart.
But then there are quite a few words spent on blaming the victim, like this from the same article…
There are genuine, sophisticated, brilliant black-hat hackers out there. Some of them work in groups. Some even work for nation-states and militaries, including, very likely, the people who hacked Google eighteen months ago. But most hacks are made possible because the victims allowed them; and we shouldn’t forget that security companies have every incentive to make the dangers seem as deadly and sophisticated as possible.
Certainly security companies want us all to sing their songs, but bad code and poor controls shouldn’t be all on the end user or sysadmin to handle, should they? It’s simply too easy to say, “If you’d only loaded that patch in time, this never would have happened.” How about not writing junk? Where are the disincentives for bad code? Regulation, anyone?
I think the point is taken that everyone should take responsibility for some level of security. But we need to remember that security is a process, not a product or perfect state, and so there will be times – no matter how good you think your defenses are – when cracks will appear and you’ll have trouble. Who you blame seems to track with how big a problem it really ends up becoming.