Who Foots the Bill For A Data Breach? 

Uploaded on 2023-01-25 in NEWS-Cybersecurity News, FREE TO VIEW

Data breach is almost inevitable - which means it is vital that companies and their Managed Services Providers (MSPs) understand exactly who is responsible and who bears the financial brunt.

But recent research reveals that both companies and MSPs are disturbingly unclear about their legal and financial obligations. Contracts are ambiguous and the risks of legal wrangling severe. The truth is that when a breach occurs and data is exposed, neither party wins.

Rather than playing the blame game, the priority must be to protect the data to ensure that even when an attacker breaks through, there is nothing to see and nothing to gain.

Financial Burden

Cyber security has become a board level issue in recent years – not least since the introduction of ever more punitive fines and personal responsibility for the protection of sensitive data. Yet recent research undertaken by Sapio Research on behalf of Certes Networks confirms that far too many businesses are simply handing over responsibility to an IT Service Provider (ITSP) or Managed Services Provider (MSP) - and expecting the provider to pick up the financial cost should a data breach occur. 

Companies employing third party organisations to deliver security policies expect ITSPs to cover 48% of the costs in the event of a data breach. Astonishingly, 73% of ITSPs also consider themselves responsible for paying fines and damages and believe they should pay 51% of the costs.

Whether these expectations can be met as and when a breach occurs remains a legal minefield. More critically, for senior managers personally liable for security and information protection compliance, does this abdication of responsibility to a third party stand up to regulatory scrutiny? 

Endemic Misperception

How does a reliance on an MSP or ITSP support the zero-trust approach to separating policy responsibility from system administration? Any security posture needs to be defined from a business standpoint to reflect the sensitivity of specific data sets. But if the onus is placed on the MSP, the entire security posture is both defined and delivered by a network security team. Contractual agreements will be meaningless if a regulator comes down hard on this clear lack of Separation of Duties.

Furthermore, the legal standpoint is that the data owner is responsible and liable for any data breach - so any company with the misperception that the MSP or ITSP will foot the bill is likely to be in for a very nasty surprise.

This perception indicates that far too many companies are not considering the true implications of data security at the right level. 

Are the data protection and compliance officers, as well as senior managers, now personally liable for protecting sensitive company, customer and partner data involved in these decisions? If so, do they really believe that asking the network security team to appoint an MSP to provide an SD WAN is really an adequate approach to data protection and compliance? 

Demanding Safeguards

It is naïve to expect a network security infrastructure expert to understand the full implication of financial and reputation loss associated with a data breach. It is not in their remit. They are responsible for the performance of the infrastructure – not the value or assurance of corporate data.

Companies need to take ownership of their data - and that means demanding the MSP or ITSP provides another level of data protection. An MSP that wraps security around the data, rather than relying on the network infrastructure, can provide business leaders with the essential assurance that data is protected and compliant. 

Adopting Layer 4, policy-based encryption ensures the data payload is protected for its entire journey - and because only the payload data is encrypted while header data remains in the clear, means minimal disruption to network services or applications. With encryption policies based on the sensitivity of corporate data, the business can achieve a clear separation between policy setting and systems management.  A win for both data officers and network security teams.

Conclusion

This research raises a very concerning issue for both companies and ITSPs/ MSPs. Whoever ends up footing the bill – and the chances are that a lengthy court case could ensue - no one wins. Any data breach will incur not only immediate financial costs but long-term business consequences that could be devastating for both parties.

So why risk it? If a company takes a different approach and demands that additional data protection layer, there is no longer any issue of blame or cost.

The company is no longer relying on a third party to safeguard its data, but instead taking ownership itself. By encrypting data, in a way that doesn’t affect business operations, it is safeguarded across whatever infrastructure the MSP or ITSP is providing.

Simon Pamplin is CTO at Certes Networks

Cyber Security - How Confident (Complacent?) Are You?:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Five Application Security Predictions For 2023
Coming Your Way - The Top Cyber Crimes In 2023 »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Datiphy

Datiphy

Datiphy's data-centric security platform uses behavioral analytics, and data-centric auditing and protection capabilities to mitigate risk.

Cifas

Cifas

Cifas are leaders in fraud prevention, working closely with UK law enforcement partners.

My Data Recovery Lab

My Data Recovery Lab

We recover data from: HDDs, RAIDs, NAS, SSDs, USB Flash Devices, Desktop Computers, Mobile devices and other data storage media.

RKH Specialty

RKH Specialty

RKH Specialty, part of the Hyperion Insurance Group, is a provider of specialty insurance services including Cyber Risk cover.

Lawley Insurance

Lawley Insurance

Lawley is a full-service, independent insurance agency. Specialty insurance products include Cyber Security.

Cybraics

Cybraics

Cybraics nLighten platform implements a unique and sophisticated artificial intelligence engine that rapidly learns your environment and alerts security teams to threats and vulnerabilities.

Computest

Computest

Computest security testing services include Mobile app security, Vulnerability assessments, Attack & penetration testing, Security awareness training, Network security assessments.

Gulf Computer Services Co (GCSC)

Gulf Computer Services Co (GCSC)

Gulf Computer Services is a major player in the field of networking & Communication solutions for emerging industries such as Internet Services and Information Technology in Saudi Arabia.

Trustonic

Trustonic

Trustonic is a leader in the device security market. Our mission is to protect apps, secure devices & enable trust.

Practical Assurance

Practical Assurance

Practical Assurance helps companies navigate the rough terrain of information security compliance.

cleverDome

cleverDome

cleverDome has created the first community built and proven model that redefines the standards for protecting the most confidential data and information of consumers in the cloud.

Cybervergent

Cybervergent

Cybervergent (formerly Infoprive) are a leading cybersecurity technology company in Africa. We provide cybersecurity guidance and solutions that help protect your business.

Lakera

Lakera

Lakera empowers developers and organizations to build GenAI applications without worrying about AI security risks.

VAST Data

VAST Data

The VAST Data Platform delivers scalable performance, radically simple data management and enhanced productivity for the AI-powered world.

CyTwist

CyTwist

CyTwist is an early warning attack detection platform that complement your existing security suite and provides your security teams with unique detection capabilities of stealth targeted attacks.

Open Cybersecurity Alliance (OCA)

Open Cybersecurity Alliance (OCA)

OCA is building an open ecosystems where cybersecurity products interoperate without the need for customized integrations. We're making standards-based interoperable cybersecurity a reality.