In the wake of cyberattacks, the focus should be on identifying vulnerabilities and strengthening defenses. Instead, a troubling trend has emerged: cyber victim shaming. Organizations that suffer breaches are often blamed for inadequate security measures, while the real culprits—the attackers—escape scrutiny.
In the courts of the American justice system and public opinion, responsibility for breaches is laid at the feet of the organizations that were attacked. The impact is real, as millions of dollars are paid in settlements and substantial damage is done to the brand, share price, and reputation of these companies. Yet when the forensic analysis is complete, the source of the attack is often traced to a misconfiguration at the infrastructure layer, or a vulnerability in an open source component.
Despite talk of the shared responsibility model, the customer of a service provider or platform bears all of the risk and blame for a cyberattack. Meanwhile, vendor software is a growing attack vector, with Verizon reporting that the share of third-party breaches doubled in 2024. By passing on responsibility, major software providers not only escape liability, they also create a cycle where underlying systems remain insecure and out-of-compliance.
When a cyberattack occurs, affected companies frequently find themselves scrutinized for not having done enough to prevent breaches. Vendors, regulators, and even industry peers often point fingers at the victim rather than acknowledging systemic cybersecurity failures. This tactic serves two purposes: shifting responsibility away from service providers and discouraging further investigation into inherent security flaws in widely used software and systems.
This trend is observable in some of the cybersecurity breaches that resulted in the largest fines and settlements in history:
- Hotel chain Marriott paid $52 million in a 2024 settlement over breaches that exposed the data of more than 300 million guests. But there was no accountability for Microsoft, despite the fact that its Windows Server product figured heavily into the event.
- In the case of a Marriott breach in 2018, much of the analysis that was issued following the breach pointed to the use of outdated versions of Windows Server as one of the primary root causes of the breach. Yet this simple explanation fails to explore the role that Windows Server had in the breach. Why was Windows Server insecure, and what actions did Microsoft take to alert its customer to the vulnerability? These are reasonable questions that any investigator might ask.
- Upon closer examination, it is clear that out-of-the-box platforms have serious shortcomings. According to an analysis conducted through Sicura’s Security Control Management platform, Windows Server 2022 was only about 25% compliant with CIS Benchmarks, which are the consensus international standards for cybersecurity. When taking remediation actions available through the Sicura platform, CIS compliance increased to above 95%.
Before / After: screenshots of the Windows Server 2022 CIS Benchmark compliance score before and after remediation (images not reproduced here).
This demonstrates not only that Windows Server falls short of meeting cybersecurity standards out of the box, but that the security issues are addressable. Microsoft issues patches after the fact to close some of the gaps, but this, too, puts the bulk of the pressure and responsibility for taking action onto the customer.
The infamous attack on credit reporting agency Equifax offers another case study. Equifax paid $1.38 billion to settle a 2017 breach that exfiltrated the data of millions of customers, but the Apache Struts project was not held accountable in a Congressional investigation for the vulnerability that served as the source of the breach. The open source provider issued a patch just days before the breach, but the blame was pointed at Equifax for failing to patch in a timely manner.
Capital One faced a massive class action lawsuit for a 2019 breach, but there were no consequences for AWS, even though a misconfiguration in its Web Application Firewall opened the door to attackers. AWS maintains the well-known shared responsibility model that divides duties for securing the cloud. But when there is a breach, the responsibility lies only with the customer, while AWS escapes scrutiny.
This is especially alarming when considering that security gaps abound, even when they are not exploited in attacks. In February 2025, Datadog discovered a vulnerability in AWS’ Amazon Machine Image (AMI) that had the potential to affect thousands of AWS customers. AMIs are fundamental building blocks of cloud infrastructure. They contain the software needed to spin up virtual servers, and are distributed widely by AWS as a key way to access the flexibility and scalability of the cloud. But when this “whoAMI” vulnerability was discovered, the responsibility to secure the AMI fell to the customer.
“This misconfiguration falls on the customer side of the shared responsibility model,” Datadog reported.
Given the size and scale of AWS, it is reasonable that customers could expect that AMIs are secure from the start, but vulnerabilities like this indicate that customers can’t take security as a given. A new approach is needed that allows organizations to spin up AMIs that are secure from the start.
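The whoAMI issue comes down to AMI lookups that filter by name, omit the Owners parameter, and take the newest match, so whoever publishes a look-alike image with a newer date wins. As an added example (not code from the article, Sicura or Datadog), the Python below audits a DescribeImages request for that weak pattern and shows a pinned lookup that only accepts images from an allowlisted account; the request and response shapes mirror EC2 DescribeImages as plain dicts, and all account IDs and image data are constructed.

```python
"""Defensive check for AMI name-confusion ("whoAMI"-style) lookups.

Added example, not code from the article, Sicura or Datadog. Request and
response shapes mirror EC2 DescribeImages but are plain dicts with constructed
sample data, so it runs offline; the same logic wraps ec2.describe_images().
"""
from __future__ import annotations

import re
from fnmatch import fnmatch

ACCOUNT_ID = re.compile(r"^\d{12}$")
# Owner aliases EC2 accepts besides account IDs (documented DescribeImages values).
SAFE_ALIASES = {"self", "amazon", "aws-marketplace", "aws-backup-vault"}


def audit_lookup(params: dict) -> list[str]:
    """Return findings for a DescribeImages request that could be satisfied
    by a look-alike image published from an untrusted account."""
    findings = []
    owners = params.get("Owners") or []
    if not owners:
        findings.append("Owners missing: results include any image you can launch")
    for owner in owners:
        if owner not in SAFE_ALIASES and not ACCOUNT_ID.match(owner):
            findings.append(f"unrecognised owner value {owner!r}")
    name_values = [v for f in params.get("Filters", [])
                   if f.get("Name") == "name" for v in f.get("Values", [])]
    if not owners and any("*" in v or "?" in v for v in name_values):
        findings.append("wildcard name filter without Owners: newest match wins, "
                        "whoever published it")
    return findings


def newest(images: list[dict]) -> dict | None:
    """The naive pattern: take the most recently created match."""
    return max(images, key=lambda i: i["CreationDate"], default=None)


def select_ami(images: list[dict], name_pattern: str, trusted_owners: set) -> dict | None:
    """Pinned selection: only images from trusted owners are candidates."""
    candidates = [i for i in images
                  if i["OwnerId"] in trusted_owners and fnmatch(i["Name"], name_pattern)]
    return newest(candidates)


# Constructed sample response: account IDs and image IDs are placeholders.
SAMPLE_IMAGES = [
    {"ImageId": "ami-0aaaa000000000001", "OwnerId": "111111111111",
     "Name": "base-server-2024.03.01", "CreationDate": "2024-03-01T00:00:00.000Z"},
    {"ImageId": "ami-0bbbb000000000002", "OwnerId": "222222222222",
     "Name": "base-server-2099.01.01", "CreationDate": "2099-01-01T00:00:00.000Z"},
]

WEAK_REQUEST = {"Filters": [{"Name": "name", "Values": ["base-server-*"]}]}
PINNED_REQUEST = {"Owners": ["111111111111"], **WEAK_REQUEST}

if __name__ == "__main__":
    print(audit_lookup(WEAK_REQUEST))                     # two findings
    print(audit_lookup(PINNED_REQUEST))                   # []
    print(newest(SAMPLE_IMAGES)["ImageId"])               # look-alike wins by date
    print(select_ami(SAMPLE_IMAGES, "base-server-*", {"111111111111"})["ImageId"])
```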
Software provided by third-party vendors is an increasing attack vector. According to the Verizon 2025 Data Breach Investigations Report, 30% of breaches were linked to third-party involvement, which is more than double the 15% share reported the year before.
The metric is particularly focused on zero-day vulnerabilities in software that are exploited by attackers. But once again, the third parties themselves have often escaped scrutiny.
As Verizon stated, “the core issue—the vulnerability even existing—links back to the software vendors.”
Tying software vendors to third-party breaches remains a nascent area of data collection, but Verizon sketches out the sound logic behind it.
“If you were in any other industry and a fundamental flaw was introduced in your supply chain due to defective raw materials or machinery, your organization would at the very least be sending a sternly worded letter to the supplier,” Verizon stated.
Even more concerning is the role that major software vendors play in perpetuating this cycle, providing operating systems with subpar security out of the box while profiting from selling necessary security add-ons.
Take Microsoft, for example. Despite being the dominant operating system provider for businesses and governments, its flagship products, such as Windows, come with an estimated 40% cybersecurity compliance rate out of the box. The current state of affairs leaves organizations vulnerable unless they invest in additional security tools—many of which Microsoft conveniently sells under its own brand. Products like Microsoft Defender for Endpoint, Azure Security Center, and Enterprise Mobility + Security are essential for comprehensive protection, yet they are not included as standard features. Instead, businesses must pay extra for what should have been built-in security.
By providing partially secured products and selling security solutions separately, major vendors create a cycle where cybersecurity is not a foundational feature but an upsell opportunity. This approach is equivalent to selling cars without seatbelts and then offering them as a premium safety package. The result? Businesses are forced to spend additional resources to achieve a level of security that should have been the default from the start.
To break this cycle, regulatory bodies must impose stricter requirements on software vendors, ensuring that security is embedded into the fabric of every system, not an afterthought. Organizations should demand transparency regarding baseline security levels and hold vendors accountable for securing their platforms effectively.
Fundamentally, the responsibility for security must shift from the customer to the producer of technology. The Cybersecurity and Infrastructure Security Agency (CISA) laid out a framework to achieve this through Secure by Design. CISA called for security to be a core requirement of all products, while encouraging more proactive security practices. In particular, CISA called on technology companies to take ownership of security, share information, and lay out a roadmap to achieve it.
As former CISA Director Jen Easterly said in a 2023 speech at Carnegie Mellon University, “For the first half of the 20th century, conventional wisdom held that car accidents were solely the fault of bad drivers. This is very similar to the way we often blame a company today that has a security breach because they did not patch a known vulnerability. But, what about the manufacturer that produced the technology that required so many patches in the first place? We seem to be misplacing the responsibility for security and compounding it with a lack of accountability.”
Sicura’s analysis of Windows Server shows that vulnerabilities within the products distributed by major vendors are addressable. But, when security is solely the responsibility of customers, they face considerable hurdles to achieve compliance. Out-of-compliance, out-of-the-box products leave organizations a step behind from the first installation, making it difficult to keep pace with issued patches. They are further hampered by the manual and fragmented nature of security control management at many organizations.
By adopting Secure by Design principles, organizations will enter a new paradigm, where infrastructure is built to adhere to security standards, and continuously validated over time.
Cyber victim shaming serves only to obscure the real issue: systemic security flaws in widely used software and an industry model that profits from selling security as an afterthought. Instead of placing blame on those who suffer from cyberattacks, we should demand that tech giants take full responsibility for providing secure products from the start. Until then, businesses will continue to pay the price—not just in financial losses from breaches, but in the ongoing cycle of insecurity built into the very systems they rely on.
Sicura empowers organizations to move beyond blame and toward control. Learn how our Security Control Management platform can help you meet compliance benchmarks, secure your infrastructure, and hold your vendors accountable, starting today.