[thirstymonkeys]

Definitely not the case. Huge numbers of SME clients evaluate tendered work on visual inspection alone. I've only had one or two clients ever (having worked in-house, contract, and for an agency) have had any knowledge of cyber security.

I think the hypothetical above is very reasonable. Lots of technical vendors will elect to shift blame. They should take responsibility for their issues, but they often don't.

[pgaddict]

Except that BKK is not a SME, but a company managing transportation in a city with nearly 2 million people. I've done work for similar organizations founded by municipalities (although smaller and not in Hungary), and pretty much all of them involved technically-skipped people in the process.

Perhaps BKK operates in a different way, but well - incompetence is not an excuse. It's a management failure.