Just yesterday, I finished my part of a manuscript for a book on Cloud Security. It has already been submitted to my editor, and my co-author is now writing his piece of it. This book is broadly broken down into the following 5 chapters:
*A review of the major principles of the Cloud;
*A complete examination of the Amazon Web Services (AWS);
*A study of the major threats and risks that are posed to the Cloud;
*Risk and threat mitigation strategies;
*How the Cloud can be used for data backup and recovery.
As I was winding up my part on the third component, a thought came to my mind: Who is ultimately responsible for any data loss that occurs, especially if it is at a business/corporation, or a Cloud provider?
In one of the resources that I used, there was a lot of interesting back and forth, and the overall consensus was that it is ultimately the Cloud Provider that is responsible, because in the end, the customer is giving up all of the control and putting their faith in a trusted third party.
In fact, stating how a customer’s data should be protected and restored should be one of the key clauses in any Service Level Agreement (SLA).
But what about in the instance of a business entity? This is where the line gets extremely fuzzy. For instance, is it the CEO to blame, the Network Administrator, the entire IT Staff, the negligent employee, or a combination of all three of them? Once again, the consensus is that it is the leader at the top, primarily the CEO, that should get the axe.
In fact, two independent surveys, conducted by the Ponemon Institute and Infosecurity Europe 2017, discovered the following:
*45% of business leaders expressed fears in losing their job;
*40% believed that the CEO should be the first on the firing line;
*21% believed that the CISO should be fired first;
*14% affirmed that the CIO should be fired.
In my view, it is interesting to note that in the above tabulations, the majority felt that the CEO should be fired. But why? Isn’t it the CISO or the CIO that should be fired first? After all, they have direct custody of any information and data that the organization possesses.
And in yet another survey, which polled over 9,000 consumers across 11 countries, 70% of the respondents felt that it is the company itself that should be held ultimately responsible for any Security breach (no breakdown was given as to which job title should be axed first).
But to the corporate leaders out there that are reading this post, you have some relief here. According to the Verizon 2018 Data Breach Investigations Report, almost 20% of Security breaches were caused by sheer employee negligence or error. But don’t run away quite yet: Although you may not be directly responsible for the Security breach yourself, you are responsible for setting forth and establishing good levels of “Cyber Hygiene” for your employees and staff to follow. After all, everybody learns and follows when the example is set at the very top of the line.
But keep in mind that in the end, there is not one individual or business/corporation that is immune to a Cyber attack. Yes, you can implement all of the latest and the greatest Security technologies in the world, and also yes, human vigilance is still the other half of the battle, but you can still be hit when you least expect it.
As I have written before, the Cyber attacker is now taking their own sweet time to profile and research their victims, especially where their particular weaknesses lie. If need be, the Cyber attacker could even wait for a year to thoroughly research their victim before the actual attack is launched (this is coming from a hypothetical point of view).
In other words, everybody and every entity on this planet has risks associated with them that can be exploited. But the key question to ask at this point is: what is the acceptable level of risk? In other words, how much “crap” can you put up with until you start to suffer some real financial loss and/or damage? Well, that is up to you to determine. We are all unique creatures in the end, and we all have our own breaking points.
But how does one define risk? The problem here is that there is no clear-cut way of actually defining it. There are a ton of mathematical models and definitions out there, so unfortunately, you may have to spend time determining what risk means to you. But you have three advantages here:
*You’ve got Google;
*The most widely used tool here is what is known as the “Business Impact Analysis”, and there are plenty of templates that you can download from the Internet;
*In the new book, I actually have defined what risk is, and even formulated a mathematical example of it. But, you will have to wait until it is out in print.
But this is not a hard process, and if need be, you can even hire a Cyber security specialist to help you out. But also keep in mind that defining what risk is, and what level of it is acceptable to you and your business, is ultimately the responsibility of C-Level Execs. Your employees cannot be held responsible for this.
Once all of this has been determined, then you can start to implement how you are going to fortify your lines of defense, especially when it comes to protecting the information and data that you are entrusted to handle. A strong hint here: Establishing a “Duty of Care” mission statement can be of strong help. It can be specifically defined as follows:
“Duty of care refers to the actions or steps that a reasonable person would take in order to protect against a data breach . . . it defines the balance between what security measures are necessary to prevent foreseeable harm to others without posing an unreasonable burden upon the business itself . . . it is the responsibility to meet an obligated duty of care that will be the centerpiece of any sort of resulting litigation.”
In crafting this key piece of documentation, there are three variables that need to be addressed:
*To begin with, what are the specific types of information and data that will be stored at the business or corporation?
*Once the above has been determined, just how sensitive are these datasets, and what will be the specific ramifications if a Security breach were to actually occur?
*How much would the organization be held accountable for, from both a legal and a financial standpoint?
In determining the above, take into account the industry that your business is engaged in, and what your peers are doing to protect themselves. Also, try to ascertain if there is a list of “best practices” in your market segment as well. In other words, “what is reasonable is often defined as what an entity of similar size and sophistication would do to protect the same type of data.” (SOURCE: https://www.securitymagazine.com/articles/89287-who-in-an-organization-is-responsible-for-a-data-breach)
Here are some key takeaways:
*Always keep every process well documented. If your organization does indeed face a lawsuit, the more documentation you have, the better protected you will be.
*Keeping detailed documentation will also help with filing a loss claim; as insurance companies will always ask for this.
*Defining what risk is, what the acceptable levels of it are, and mapping out your “Duty of Care” needs to be an entirely transparent process. In fact, create an entire team for doing all of these tasks, with a representative of each department involved in this process (such as one from HR, Legal, Accounting, Finance, Sales/Marketing, IT, etc.).
*Make sure that you keep your employees apprised of this process as well, and get their input.
*The blame game after a Security breach has occurred should be the point of last concern. The first concern should be to restore normal business operations as quickly as possible, and also determining the impact of this to the customer, letting them know what has happened, and what steps are being followed to restore the original levels of confidence they once had in you.
*When the blame game does actually start, let the forensics evidence point the way as to who is really to blame. In other words, there should not be a rush to judgement here.
*But in the end, the blame game should come down to where the information and data was actually stored: “On Premises” (meaning at the physical location of the business or corporation) or “Off Premises” (meaning it was stored with a Cloud Provider). With regards to the former, it should be the organization that is held responsible, but if it is the latter, then the third party should be held accountable. But in this aspect, if you choose to store your datasets in the Cloud, then it is your due diligence to conduct the appropriate background checks on the third party you are about to entrust, determining what levels of Security they have in place, and whether they meet and/or exceed your expectations.
Finally, here are the links to the surveys mentioned in this blog: