Who’s accountable for a security breach? - Tata Tele Business Services

By Nilesh Jain, Country Manager - India &SAARC, Trend Micro

Cyber security is a fundamental challenge in today's world, as government agencies, corporations and individuals are increasingly becoming victims of cyber-attacks. It is a well-known fact that businesses are turning more and more often to the cloud and mobile applications as to stay ahead of the competitive curve. However, cloud storage, IoT and mobile applications increase security risks for all enterprises, no matter how big or small they are in terms of size and scope.

But, first things first, who’s responsible for security breaches? My short answer is, everyone.

It should be considered that cyber-attacks are not only often but frequently creative and innovative. Though many large corporations around the world consistently boasts of “’security in their very DNA”, they often nose-dive to keep up pace with criminals who are always finding out newer ways to trespass your security cellar.

The point is not just preventing breaches but also to learn from it and prevent its occurrence in the future. With the number of breaches multiplying each day and hackers taking advantage of vulnerabilities within the system, and employees bypassing security protocols and walls, thereby exposing more and more vulnerabilities in the process, developers are struggling to create breach-immune networks and systems, which is at best, just a utopian idea.

Few ways a data breach can occur

• Common human error where a user clicks on a phishing email attachment or download from an unauthorized website, thereby receiving a malware, adware, spyware or the dangerous ransomware
• Data theft from an unlocked system
• Stealing from unencrypted files, devices etc
• Not training staff regarding simple security practices and processes
• Lack of end to end data protection services and destruction services
• Use of unsecured internet access services or wi-fi
• Not protecting data stored, used and sent

A recent study in the healthcare segment found that about 90% of organizations have suffered at least one data breach in the past two years. The main cause identified in all these cases was criminal intent; unlike with most credit card data breaches, these cases were not immediately identified. The cost of all sorts of breaches in the healthcare sector is around $6 billion per year or $2.1 million per healthcare organization annually; which is alarming.

The point arises, who is to blame when a data breach occurs or who should be accountable? Who should bear the responsibility is something that most businesses bother with, in today’s time. As cited above, data breaches can occur due to a myriad of reasons. Most businesses inadvertently blames the end users, IT managers, CISOs or hackers and several surveys even pointed out that company’s own employees being the biggest perpetrators of data security breaches. While it is the common practice to blame the CEOs and top management, in reality everyone should be held accountable. Data security should be a collective effort, not a one-man show.

Humans are the weakest link in the security chain and hence, employees should be aware of IT security policies and practices. That is not to discount the fact that breaches also happen due to gaps in technology. In rational terms, IT managers are to blame as it is their responsibility to keep ahead of hackers but as mentioned, no system is immune from threat but the impact can be minimized to an absolute zero, if the threat is diagnosed in time.

Getting the act right

In order to figure out the source of breach, it is important to continuously screen and log every piece of information that is exchanged over the data carrying network. Best-of-breed security controls and data protection systems such as encryption etc, adequate access control lists and technology solutions such as threat detection system within networks are a good way for IT managers to identify the breach.

Simply put, CISOs and IT departments in organizations are responsible for data access, compliance and security through prevention, detection and response. They are also responsible for defining business policies on the use of data and breach. But in reality, things are a bit complicated. Business owners and leadership who are heading departments which transact in secure data are also accountable. They are the ones who need to guide the IT department in terms of which data should be protected on priority and which employees can be given the right to use a certain data set. There is a need to devise strategies in order to prevent breaches and make security awareness and training on cyber security, a regular part of office standards.

While large organizations can afford hi-end security systems and solutions, SMBs often do not have that luxury, though history testifies the fact that they are as much prone to data breaches as their larger counterparts are.

Can cloud be the answer?

Internet has redefined the way our systems run. Cloud technology can indeed solve the security puzzle and problems to a huge degree and that too, in a cost-effective manner. IT managers and business leadership are increasingly recognizing this fact and are starting to take a more holistic approach towards cyber security, rather than focusing on attack vectors in silos.

Security-as-a-platform, backed by technology, automation, machine learning and the cloud, is something that will rule the roost in the coming times. Not only such a system will facilitate breach alleviation but will also change the security blame game as everyone can be held responsible – as such a system needs development, production and management. Security as a service provides access to a single point of security insight which can be leveraged to draw up a course of action. Disparate security systems working in silos can no longer address the data breaches of today and its impacts.