During a recent interview discussing the Titan submarine catastrophe, James Cameron, the director of the movie Titanic and an explorer with 33 successful dives to the Titanic wreckage site, highlighted the uncanny resemblance between this tragedy and the 1912 Titanic disaster. In both instances, the captains received repeated warnings about potential ice hazards, yet they proceeded at full speed into ice fields on moonless nights, resulting in the tragic deaths of over 1,500 innocent individuals.

Similar warnings were given to Stockton Rush, the captain of the sub Titan and CEO of OceanGate. He was cautioned about the safety of his vessel, including its lack of certification for integrity, absence of a tracking device (comparable to an airplane black box), experimental approach to deep dives (despite the practice being well-established), and absence of a backup sub. Despite these concerns, Rush persisted in moving forward at full speed, endangering the lives of those on board. It can be argued that this constitutes an egregious case of willful negligence.

Sadly, such willful negligence is widespread when it comes to IT security and compliance in small businesses. In some cases, as with the Titan, the consequences are abrupt and catastrophic: a company is decimated by a ransomware attack. Operations are shut down, transactions become impossible, and both employees and clients suffer harm, while the company's reputation is tarnished.

In other situations, the risks stemming from willful negligence may not have materialized yet, but they persist, waiting to strike. There are three forms of willful negligence concerning IT security, regulatory compliance, and data privacy and protection.

The first form is willful ignorance. Some business owners, particularly those who are young and inexperienced, may lack awareness of the risks they expose themselves and their clients to by neglecting proper protection measures. Often, they receive misguided advice from IT firms that possess technical expertise but lack the knowledge to implement robust security measures. While initial mistakes may be understandable, they will eventually face the consequences of a cyber-attack and learn the hard way.

The second form of willful negligence is willful stupidity. Individuals in this category cannot claim ignorance as their defense, as they are fully aware of the importance of protecting their business and clients' data from cyber-attacks. They have heard the stories, are familiar with the laws, and may have been warned by their IT personnel or companies. However, they foolishly believe that such incidents won't happen to them or wrongly assume they are safe because they use cloud applications that promise compliance (which may be accurate for them, but not necessarily for others). They trust without verifying whether their IT personnel or company is genuinely fulfilling their responsibilities, often neglect cyber liability insurance, and willingly take unnecessary risks due to cost or indifference.

The third form of willful negligence, in my opinion, represents the true essence of the term and is the most morally reprehensible and unforgivable. This is determined negligence, where individuals stubbornly persist in operating without proper security protocols, disaster recovery plans, or insurance coverage, and without assessing and inspecting their environment. They refuse to acknowledge any conflicting facts, history, and evidence. Despite being fully aware of their irresponsible actions, they simply do not care.

In the aftermath of the sub tragedy, numerous experts came forward to highlight the risky behaviors permitted by Rush. The hull had not undergone cyclical pressure testing or thermal expansion and contraction testing. The hatch could only be opened from the outside, trapping occupants in the event of an emergency; even a small fire could have catastrophic consequences. There was no atmospheric system to monitor interior gases like oxygen, carbon dioxide, and carbon monoxide. An emergency air breathing system was absent as well. Furthermore, the viewing window was only certified for depths of 4,000 feet, significantly less than the Titanic wreck's depth of 12,500 feet. However, the most egregious aspect was the CEO's egotistical belief that he knew better than everyone else.

One can't help but wonder if Rush included these details in the brochure and explained this philosophy to the individuals aboard the sub who tragically lost their lives that day.

Making mistakes is a part of being human. Everyone experiences moments in their lives when they place trust in someone they shouldn't have. We all have blind spots, and we are all ignorant and misinformed about certain things. The crucial question is whether one chooses to remain willfully ignorant or foolishly stubborn to the point where they not only harm themselves but also others.

If one chooses this path, it is only a matter of time before they face their own catastrophic event, their own personal Titanic-scale disaster. Regrettably, if you are the CEO of a company that handles financial data, credit cards, medical records, tax returns, Social Security numbers, birthdays, or even the contact information of your clients or employees, your willful negligence in protecting against cyber threats will undoubtedly cause harm to others.