Ever since the Covid-19 pandemic first hit, millions of employees have been accessing their company’s data from remote locations, more often than not using unsecured internet access.
As a direct result, hackers have been handed a golden opportunity to gain access to corporate accounts and data. This has been borne out by security researchers at Check Point, who reported that as hackers continue to take advantage of mass remote working, ransomware attacks in the UK increased by 80% in the third quarter of 2020.
And it’s not just your remote workers that you should be concerned about. Failure to ensure that every corporate device is always updated, patched, protected, and connected securely to the internet is basically an open invitation to hackers.
A single attack can cost an organisation a fortune, as the University of California at San Francisco recently discovered when it paid over $1 million to recover files locked down by a ransomware infection.
Money aside, the repercussions can potentially be fatal. Only last week, we published a report about an attack on the University Hospital of Düsseldorf where a 78-year-old woman may have died because of this criminal action.
In addition to launching a negligent homicide case against the hackers, the authorities have also said that the hospital itself could be placed under investigation. The very fact that hospital administrators could be questioned raises some very serious issues about who is ultimately responsible for the security of IT systems.
Where does the buck stop?
The existing legal framework surrounding breaches of data isn’t particularly defined. Once you go beyond the requirement that an organisation immediately discloses any data breaches to those customers who have been affected, there are very few laws that govern who takes responsibility.
The data owner (the organisation that owns the user data) is responsible for any breaches and as a result can be fined accordingly. But under normal circumstances, the data holder (the organisation that stores the data) cannot be held responsible, aside from failing to notify affected parties.
The level of liability for data owners depends on the safeguards they take in order to protect the data. If they can be shown to have failed to control access to the network or to encrypt sensitive data, they will be more liable for damages suffered as a result of the breach.
But putting legalities to one side, who within an organisation should or rather could take the fall for a major breach?
IT and cybersecurity staff.
It’s all too easy to point the finger at hard-pressed IT staff.
The problem is that for a variety of reasons networks are becoming far less secure, while the cost of cybersecurity is growing by the day. Tighter budgets, fewer people in the IT department, and an increasing shortage of people with the necessary skills, all add up to create a perfect storm that could lead to a breach.
Across the country IT departments are crying out for money to shore up their creaking security protocols and implement policies such as encryption, only for their cries to fall on deaf ears. That is until a security breach occurs, and the organisation is left counting the enormous cost.
In such a situation, it’s hard if not impossible to lay the blame on anyone other than the powers who control the IT department’s budget.
CEOs, CIOs and CISOs.
C-level executives are the most likely candidates to fall on their swords in the event of a major breach such as in the cases of Target and Equifax. But it’s not a given that the CEO, CIO or CISO will resign and there are countless cases of organisations sticking with their senior appointees even after a costly error.
But there are some people who argue that the C-suite should be made responsible, as they wield the power that determines both the level of funding for security and the corporate culture that underpins it. Consequently, the C-suite and its management teams should bear responsibility for any failures in security.
Gartner has predicted that soon the C-suite will no longer be able to hide behind their corporate legal teams. This is a direct result of the growth of cyber-physical systems (CPSs), which will increasingly interact with the physical world, including humans. They even go as far as to suggest that by 2024 three quarters of CEOs could be held responsible, especially where incidents lead to the destruction of property, environmental disasters, or cause harm to people.
Strong sentiments indeed, but if this were to come to pass who in their right mind would take on a position that could result in incarceration?
The organisation as a whole always takes the biggest fall in the event of a security breach, both financially and in the subsequent damage to its brand.
It also reflects the view of both the law as it stands and the vast majority of cybersecurity professionals, as trying to shift the blame onto one individual or a group doesn’t reflect the true collective nature of an organisation.
It’s true that with greater power comes greater responsibility, but it’s up to every organisation to embed security across its IT landscape. Proving that your organisation is doing everything possible to mitigate potential security breaches should surely be enough.
It’s time to end the blame game.
With the best will (and skills) in the world, no-one can guarantee 100% security.
You only have to look at the big-name businesses that have succumbed to hackers to realise that it’s almost impossible to protect your organisation from groups or individuals who are determined to find a way.
Having said that, should a hacker gain access to your organisation’s systems on your watch, no doubt it would result in the powers that be questioning your ability to carry out your job. Not only will your organisation’s reputation be damaged, it’s unlikely to do much for your own career prospects.
The question remains, are you being advised about all potential vulnerabilities such as with Citrix ADC (CVE-2019-19781) that may have resulted in the death of the 78-year-old woman?
If you aren’t, then we strongly suggest you start asking why.
Concerned about the security of your organisation’s IT systems?
If for any reason you are concerned about security breaches that could leave your organisation at the mercy of hackers, don’t hesitate to contact us.
For immediate help and advice call Peter Grayson on 0161 537 4980 or email firstname.lastname@example.org