Ready for a lawsuit?
Did you wake up this morning thinking how much fun it would be to spend more time with your organization’s lawyer, and then to spend some quality time explaining to the media why you used an uninsured network assessment team?
Nobody does.
You trust your IT team. I get it. But are they proofreading their own work? Recent case law warns that having your IT services provider—whether in-house or outsourced—attest to its own results on its own letterhead puts your business at risk of lawsuits in the event of a data breach or cyberattack.
Yes. I said having your IT services provider attest to their own results could lead to lawsuits.
Don’t believe me? Look it up. This very case has gone through the court systems and the resulting liability has been directed toward the business and the company attesting to the findings.
Let me add one more layer for you: this isn’t just about proofreading their own work and missing things. While that is a huge part of the story, liability is another significant factor. It’s bad enough that your IT department is proofreading its own work, but there is an insurance issue at stake as well.
If the company reporting your findings is not insured properly, you will take the brunt of the liability. Picture this:
One minute you think you’re doing the right thing. You’ve got your IT department doing assessments. The next minute you’re fielding questions from the media about your network not being secure and you’re trying to explain why the very people attesting to your organization’s security were not properly insured.
OUCH!
And as if this wasn’t enough to keep you up at night, now you’ve got another question: How can you even measure the effectiveness of your security and compliance program?
You may have a terrific IT team that you fully trust, but if you’re depending on the same people who deliver your security services, software or IT services to also assess that work, things will be missed.
Why?
Because when IT professionals proofread their own work, they can easily miss attack vectors that attackers can use to get around the fences and gates they are building. I’ve seen it happen far too many times. Some of the biggest attacks in cybersecurity history began with a small oversight by the IT department.
Think of it this way:
Imagine building a gated community and leaving a service road for the construction team that is open from 9 to 5 when the construction people are coming and going. At night it should be closed, but one very tired employee is put in charge of it and one day he heads home with the gates wide open. He’s a great employee normally, but the responsibility fell completely on his shoulders.
This has become such an issue in recent years that the PCI Standards Council (SSC)—the organization responsible for PCI compliance standards—mandated new standards in its auditing process that require specific insurance riders for anyone assessing PCI compliance. Under that standard, anyone who performs security assessments for PCI must carry special insurance.
So, what does this mean for you and your organization? What can you do?
- Use a third party for your assessments.
- Make sure you have a team that focuses solely on third-party assessments and auditing.
- Ask the team that performs assessments of your networks whether they are properly insured to do so.
- Ask for a copy of their insurance certificate to confirm they are covered in the event something in your report is misreported.
And just to make sure there are no blind spots:
- Your network should not be assessed with the same tools that are used to check it routinely.
If you are concerned that you are currently not receiving a third-party assessment of your network, consider reviewing the 5 simple signs you have weak cybersecurity.
Your organization’s security will increase and now you can sleep better at night.