THIS BLOG IS BASED ON AN ARTICLE WRITTEN BY SIMON PAMPLIN, CTO, CERTES NETWORKS
In today’s digital landscape, data breaches have become a harsh reality for companies of all sizes. With cybercriminals growing more sophisticated by the day, it’s now a matter of when, not if, a data breach will occur. This makes it all the more critical for companies and their Managed Service Providers (MSPs) to have a clear understanding of their respective responsibilities when it comes to cybersecurity, particularly when it comes to bearing the financial brunt.
However, according to recent research, both companies and MSPs are alarmingly uncertain about their legal and financial obligations in the event of a data breach. Contract language is often ambiguous, leaving room for legal wrangling and exposing both parties to significant risks. In the end, when a data breach occurs and sensitive information is exposed, neither party comes out a winner.
As Simon Pamplin, CTO of Certes Networks, emphasizes, playing the blame game is not the solution. Instead, the top priority should be protecting the data itself to ensure that even if a cyber attacker manages to break through the defences, there’s nothing to see and nothing to gain. This means taking a proactive approach to securing sensitive data, including implementing strong encryption, access controls, and other advanced security measures that can mitigate the impact of a potential data breach.
Ultimately, the key to successful cybersecurity is clear communication and collaboration between companies and their MSPs. By working together to establish clear expectations and responsibilities, as well as implementing robust security measures, organizations can reduce the risk of a data breach and minimize the impact in the event that one does occur.
Financial burden
The financial burden of a data breach can be significant, not only in terms of the direct financial costs but also the potential reputational damage to a business. Unfortunately, recent research suggests that many companies are not fully aware of their legal and financial obligations when it comes to cybersecurity breaches.
In a survey conducted by Sapio Research on behalf of Certes Networks, it was found that a significant number of businesses are simply outsourcing their cybersecurity responsibilities to IT Service Providers (ITSPs) or Managed Services Providers (MSPs). In the event of a data breach, these companies expect their ITSP or MSP to pick up the majority of the financial cost.
According to the survey, 48% of companies employing third-party organizations to deliver security policies expect their ITSP to cover the costs in the event of a data breach. Astonishingly, 73% of ITSPs themselves consider themselves responsible for paying fines and damages and believe they should pay 51% of the costs.
This ambiguity and lack of clarity around financial responsibilities and legal obligations is a significant concern. Instead of playing the blame game and trying to shift the financial burden onto ITSPs and MSPs, companies should prioritize protecting their sensitive data to prevent breaches from occurring in the first place.
As Simon emphasizes, the focus should be on implementing robust security measures to ensure that even if an attacker does manage to breach the system, there is nothing to see and nothing to gain. This not only protects the company’s sensitive data but also helps to minimize the financial impact of a potential breach.
In summary, businesses cannot afford to outsource their cybersecurity responsibilities completely to ITSPs and MSPs. It is important for companies to understand their legal and financial obligations and take proactive steps to protect their sensitive data to minimize the financial impact of any potential data breaches.
The issue of responsibility for data breaches is a legal and regulatory minefield. Many companies are relying on IT Service Providers (ITSPs) or Managed Services Providers (MSPs) to take responsibility for the financial costs associated with data breaches. However, recent research has shown that there is a lack of clarity surrounding the obligations of both parties.
The problem is exacerbated by the fact that senior managers who are personally liable for compliance with information protection regulations may not be able to abdicate their responsibilities to third-party service providers. This raises the question of whether such arrangements can stand up to regulatory scrutiny.
In order to avoid legal and financial difficulties, it is important for companies to have a clear understanding of their responsibilities and to work closely with their ITSPs or MSPs to ensure that appropriate security measures are in place. Ultimately, the responsibility for protecting sensitive data lies with the company, and it is important to take an active role in safeguarding this information.
It is naïve to expect a network security infrastructure expert to understand the full implication of financial and reputation loss associated with a data breach. It is not in their remit. They are responsible for the performance of the infrastructure – not the value or assurance of corporate data.
Simon Pamplin, CTO, Certes Networks
Endemic Misperception
Reliance on an MSP or ITSP may seem like a good way to support the zero-trust approach to separating policy responsibility from system administration. However, any security posture needs to be defined from a business standpoint to reflect the sensitivity of specific data sets. By placing the onus on the MSP, the entire security posture is both defined and delivered by a network security team, which can create a clear lack of Separation of Duties.
This approach can cause contractual agreements to be meaningless if a regulator comes down hard on the lack of Separation of Duties. Furthermore, the legal standpoint is that the data owner is responsible and liable for any data breach. Therefore, any company with the misperception that the MSP or ITSP will foot the bill is likely to be in for a nasty surprise.
This perception indicates that far too many companies are not considering the true implications of data security at the right level. Data protection and compliance officers, as well as senior managers, may be personally liable for protecting sensitive company, customer, and partner data involved in these decisions. Therefore, it is essential to consider whether asking the network security team to appoint an MSP to provide an SD-WAN is an adequate approach to data protection and compliance.
Demanding safeguards
The responsibility for protecting sensitive data cannot be solely placed on the shoulders of a network security infrastructure expert. While they are responsible for the performance of the infrastructure, they are not responsible for the value or assurance of corporate data. It is important for companies to take ownership of their data and demand that their MSP or ITSP provides an additional level of data protection. Instead of relying solely on the network infrastructure, companies should look for an MSP that provides security measures specifically designed to protect their data. By doing so, business leaders can gain the assurance they need that their data is secure and compliant.
Rather than playing the blame game, the priority must be to protect the data to ensure that even when an attacker breaks through, there is nothing to see and nothing to gain.
Simon Pamplin, CTO, Certes Networks
Layer 4, policy-based encryption is an effective solution for protecting data in transit. By encrypting only the data payload while leaving the header data in the clear, network services and applications are minimally disrupted. Additionally, this approach provides clear separation between policy setting and systems management, allowing for encryption policies to be based on the sensitivity of corporate data. This not only benefits data officers but also network security teams, as they are able to maintain the performance of the infrastructure while ensuring that sensitive data remains protected. Overall, adopting Layer 4, policy-based encryption is a win-win solution for both parties involved.
Conclusion
The recent research conducted by Sapio Research for Certes Networks highlights a major concern for both companies and ITSPs/MSPs in terms of who bears the financial cost and legal responsibility in the event of a data breach. This is a significant issue as both parties stand to suffer long-term business consequences that could be devastating.
To avoid such risks, companies need to adopt a different approach and demand an additional layer of data protection. Adopting Layer 4, policy-based encryption ensures that the data payload is protected for its entire journey while only encrypting the payload data, leaving the header data in the clear. This approach minimizes disruption to network services or applications and enables a clear separation between policy setting and systems management.
Companies need to take ownership of their data and demand that the MSP or ITSP provides another level of data protection. By doing so, the company will no longer rely on a third party to safeguard its data, but instead, take ownership itself. This approach will not only eliminate the issue of blame or cost but also safeguard the data across whatever infrastructure the MSP or ITSP is providing.
Click here to read how Layer 4 crypto segmentation and data assurance will protect your data and ultimately, your business