There has been a lot of discussion in the technology world recently about the scheme in which a team of security researchers, MedSec Holdings, disclosed details of alleged vulnerabilities in medical equipment they were testing, manufactured by St Jude Medical, to investment researchers Muddy Waters in order to profit from the fallout when the vulnerabilities were made public. St Jude’s share price dropped by 4.4%.

One of the key issues here is around the ethics of a person or organisation that discovers a security vulnerability and what action they choose to take based on that knowledge. The moral viewpoint might be to contact the company in question, disclose the information and give them an opportunity to address the problem before going public. MedSec claim the ethics of outing an allegedly security-averse company won out.

It should be a fundamental part of your security culture to continuously assess your level of Cyber Risk and to perform regular vulnerability assessments and penetration tests. It also makes sense to bring in a Trusted Advisor to help you identify gaps or otherwise-undetected problems.

People will wax lyrical about ethics, but it still comes down to the fact that if you’re not doing enough you might get burnt!