According to research, the number of data breaches is increasing year over year. Worse yet, for businesses, data loss may not be the largest cost associated with an IT incident — it could result in a lawsuit from customers, investors, employees, or whoever’s data was exposed in the breach. Thus, many businesses wonder how they can reduce their liability.

Challenges in IT liability

Unfortunately, understanding liability when it comes to matters of IT, such as data breaches, is not cut and dried. Of course, the wrongdoer is the primary culprit for the incident, but the organization responsible for protecting the data may also be held liable. In many instances, the actions (or lack thereof) of an organization and its employees contribute to the severity of a breach, and as such, they are held at least partially liable.

Recent technological developments have made IT liability even more complex. While the rise in remote and hybrid work structures has introduced more access points and vulnerabilities to networks, artificial intelligence technology has simultaneously allowed cyber attackers to become more sophisticated in their attacks. This means that businesses must be particularly vigilant to ensure they are not held legally and financially accountable for the consequences of any cyber attacks.

In many cases, negligence is the key determinant of the extent to which a business will be held liable for a data breach. Rarely does a business act maliciously or intentionally to cause a data breach, with the notable exception of companies that sell customer data. More often than not, a data breach results from a business failing to fulfill its responsibility to protect its customers and their data.

What can businesses do to reduce their cybersecurity liability?

At a basic level, businesses can be expected to implement core cybersecurity best practices. For example, access control, malware prevention software, and data encryption are standard measures every business should be expected to take as a bare minimum. If a business has shown complete and total disregard for the safety of its customers’ data by failing to implement even the most basic of safeguards, it will almost certainly be found liable for the consequences of the data breach.

Businesses that work with third-party contractors must take particular care when vetting potential partners, as the mistakes of these contractors could negatively affect the business that contracted them. Failing to do one’s due diligence when hiring a contractor is a form of negligence in itself, meaning that if a third party does not implement the proper cybersecurity measures and causes a data breach, the business that hired it could be held responsible for the consequences.

There is one tool that businesses can use to protect themselves against potential liability from data security breaches: their contracts. Contracts should include clear provisions relating to cybersecurity because this ensures that both the responsibilities of the business and the rights of the customer are defined. Examples of data security provisions that should be outlined in service contracts include what standards of encryption will be used when storing data and how long data will be stored — including after the contract is terminated.

Contracts can also include waivers that free businesses of liability for data security breaches in certain circumstances. For example, a business can include a clause in a contract that shifts liability to a third-party contractor in the event of a security breach caused by that third party’s actions or negligence. Some contracts may even include clauses that release the business from any and all liability relating to data breaches.

Finally, businesses must ensure that they stay up-to-date with any applicable laws and regulations regarding data security. With new technologies such as artificial intelligence emerging — not to mention the fact that several new lawmakers are entering office — these regulations are constantly changing. Failure to maintain compliance could expose a business not only to fines and penalties from regulators but also to liability in lawsuits for failing to adhere to those regulations.

A data breach can be a costly situation for a business, but there are steps a business can take to minimize its liability. By implementing basic cybersecurity measures, ensuring that contracts are carefully written to minimize liability, and staying in compliance with applicable regulations and laws, businesses can mitigate their financial and legal risk in the case of a cyber attack.


The post IT Liability Concerns appeared first on Cybersecurity Insiders.


Recent technological developments have made IT liability even more complex. While the rise in remote and hybrid work structures has introduced more access points and vulnerabilities to networks, artificial intelligence technology has simultaneously allowed cyber attackers to become more sophisticated in their attacks. Businesses must include these considerations in their IT contracts, or they could risk significant consequences, such as lawsuits, fines, or worse.

How to reduce IT liability

One of the first steps a business can take to reduce its IT liability is to implement strong cybersecurity measures. In the case of a data breach that leads to legal consequences, an organization wants to show that it has done everything reasonable and within its power to protect the data. Some essential cybersecurity measures that organizations must implement include:

• Multi-factor authentication: Passwords alone are no longer enough to secure sensitive data. Multi-factor authentication (MFA), which requires an additional verification code delivered via email, text message, or a third-party authenticator app, allows organizations to verify users’ identities with far more confidence.

• Secure endpoints: Another essential measure businesses should implement to reduce their IT liability is securing endpoints — any devices used to access the organization’s networks and data. Basic antivirus and anti-malware software are inexpensive and essential investments, especially in an era when employees increasingly rely on personal devices for work.

• Network security: Organizations should also ensure that cybersecurity measures are implemented at the network level. Defenses such as firewalls, intrusion detection systems, and intrusion prevention systems provide the minimum protection needed to keep data secure. Without them, organizations could be found to have neglected their data security.

However, even businesses with the most stringent cybersecurity measures in place could fall victim to attacks that get past those defenses. Because of this, it is vital to have an incident response plan in place to address potential breaches and limit liability for incidents. If a business fails to appropriately address a breach and that failure causes further harm, it could be held liable for its negligent response in addition to its negligence in creating the conditions that allowed the attack to occur.

By having an IT incident response plan in place, businesses and their IT teams can act quickly to patch flaws. Once a vulnerability is identified and exposed by a wrongdoer, others can follow suit and take advantage of this weakness. Unfortunately, even for some of the most well-known security risks, many organizations neglect to patch their vulnerabilities, exposing them to massive cyberthreats. This can be the difference between a minor data breach that is easily recoverable and a massive breach that has catastrophic consequences for an organization.

Protecting against IT incidents

However, as important as it is to be prepared for a cybersecurity incident, it’s even better to take a proactive approach and prevent these incidents from occurring in the first place. It’s crucial to ensure that all software and hardware are kept up to date because updates often include essential patches that fix vulnerabilities exploited by wrongdoers. Failing to stay current with these changes could leave you susceptible to an attack that could have been easily prevented.

The other aspect of a proactive cybersecurity approach that can help reduce a business’s IT liability is educating employees. Ultimately, your employees are your first and best line of defense against cyberattacks. Employees should be trained to identify and report cyber threats. The actions of a well-trained employee can stop a cyberattack before a perpetrator ever gets a chance to access valuable data.

Indeed, the best way for an organization to minimize its IT liability is to prevent IT incidents from happening in the first place. By implementing cybersecurity measures, having a strong IT incident response plan, being proactive about keeping hardware and software up to date, and educating employees, businesses can reduce their risk of severe consequences and, in turn, their liability.



By Jamal Elmellas, Chief Operating Officer, Focus-on-Security

Generative AI is expected to impact 60% of jobs in advanced economies like the UK, according to the International Monetary Fund (IMF): in half of those jobs workers will gain from enhanced productivity, while in the other half AI will take over tasks previously performed by humans, lowering labour demand, wages and hiring. It’s also proving to be a catalyst for transformation, with the 2023 Global Trends in AI report finding that 69% of organisations have at least one AI project underway. However, it’s also hugely disruptive and likely to cause changes to the business on a human level too.

Just about everybody with a background in IT has experimented with one of the large language models (LLMs) such as ChatGPT, Google’s PaLM and Gemini, or Meta’s LLaMA. However, only 28% use them in a work capacity today, finds the Generative AI Snapshot series from Salesforce, although a further 32% plan to do so in the near future. There’s a great deal of excitement over the capabilities of the technology when it comes to utilising data to augment communication in IT, sales and marketing roles, but how might the technology impact cybersecurity?

Where will AI help?

According to the AI Cyber 2024: Is the Cybersecurity Profession Ready? study by ISC2, AI is most likely to take over the analysis of user behaviour patterns (81%), the automation of repetitive tasks (75%), the monitoring of network traffic and malware (71%), the prediction of areas of weakness (62%) and the detection and blocking of threats (62%). It’s therefore going to be applied to the most time-consuming and mundane elements, and while it may annex these particular tasks, this promises to free up skilled personnel to use their human intuition on more demanding and rewarding activities.

In fact, while 56% believe AI will make parts of their jobs obsolete, this is not seen as a negative, with 82% believing it will improve job efficiency. This, in turn, could help to alleviate the workforce gap, which the same industry body estimates currently stands at almost 4 million. That deficit in the workforce is placing cybersecurity professionals under tremendous strain, decreasing their ability to perform critical, careful risk assessment and remain agile. The ISC2 Cybersecurity Workforce Study 2023 found that, due to skills shortages, 50% complained of not having enough time to conduct proper risk assessments and carry out risk management, 45% claimed it led to oversights in process and procedure, 38% to misconfigured systems, and 38% to tardy patching of critical systems.

However, while GenAI has the power to alleviate these stresses and strains, the Snapshot found 73% of the general workforce believe GenAI will also introduce new security risks in-house, from threats to data integrity, to a lack of employee skills in this area, to the inability of GenAI to integrate with the existing tech stack, and the lack of AI data strategies. This demonstrates there is a clear need for better governance and guardrails, with the ISC2 survey also unearthing concerns over the lack of regulation, its ethical application, privacy and the risk of data poisoning.

Only just over a quarter (27%) of those in the ISC2 AI survey said their organisation had a formal policy in place to govern AI use, and only 15% had a policy to cover securing and deploying the technology. This potentially represents an interesting opportunity for the sector, as security teams could take the lead in deployments. We’ve already seen a host of standards and guidelines issued that could assist in this respect, such as ISO/IEC 22989:2022, ISO/IEC 23053:2022, ISO/IEC 23984:2023, and ISO/IEC 42001:2023, as well as NIST’s AI Risk Management Framework.

It’s also worth mentioning here that AI is likely to see an escalation in the sophistication, veracity and volume of attacks. Over half (54%) of those questioned for the ISC2 AI report said they’d seen an increase in cyber attacks over the past six months and 13% said they were able to detect these were AI-generated, indicating that worst fears are being realised. Given the continual arms race between attacker and defender, this lends some urgency to the proceedings. 

With regards to timescales, the ISC2 AI study found 88% believe AI will significantly impact their job in the next two years. Yet, as of today, 41% said they have minimal or no expertise in securing AI and machine learning technology which could spell a steep learning curve. 

To help move adoption forward, security teams therefore need to conduct a skills gap analysis and focus on upskilling in the area of AI and machine learning technologies. Once equipped with this understanding, cybersecurity professionals can provide the security piece in working parties charged with implementing the technologies, helping to caution the organisation against threats and update acceptable use policies on ethical use.

As to whether AI will augment or annex job roles, the IMF claims that it’s only in the most extreme cases that AI is expected to see jobs disappear. What is certain is that it will see the emergence of new ways of working, threats and opportunities, making it imperative that we get to grips with the technology today. Ignoring it, which 17% admitted to doing in the ISC2 AI report, banning it (12%) or not knowing what the organisation is doing (10%) is not an option. AI is here to stay, making this an adapt-or-die moment for the business.


The post Will AI augment or annex cybersecurity jobs? appeared first on Cybersecurity Insiders.