Symantec's Internet Security Threat Report, a post-mortem analysis of the previous year's cyber attacks, comes to a startling conclusion: 97 percent of zero-day attacks were Java based.
A zero-day attack exploits a vulnerability that the software vendor (and the wider security community) doesn't yet know about or hasn't yet patched, so there is no fix available when the attacks begin. It's a "new" threat. And as it turns out, the three most commonly exploited zero-day vulnerabilities were all in Java:
- Oracle Java SE (CVE-2013-1493).
- Oracle Java Runtime Environment (CVE-2013-2423).
- Oracle Java Runtime Environment (CVE-2013-0422).
For these top three vulnerabilities, it took 19 days from the first attacks until a patch was available. When it comes to cyber security, 19 days is an eternity. That's 19 days where you either disable Java on your clients' machines or accept the risk that cyber criminals use the vulnerability to install malware on their networks.
The purpose of this article isn't to bully Java (plenty of security professionals have already done that), but rather to prepare you in case your clients are hacked through one of these vulnerabilities.
Worse than Weak Coffee: Every IT Consultant's Nightmare Is Weak Java
Let's say your clients are targeted in a cyber attack that exploits a zero-day vulnerability in their Java. Via malware, hackers get access to their data and download customer information, financial records, and other private info.
What most people don't understand about data breaches is that they're messy. The attack is quick and surgical, but the cleanup is a chaotic process. Here's what IT consultants might have to deal with after a data breach:
- Delays in detection. There's often a delay from the time the attack occurs and when the business notices. Malware ran on Target's computers for weeks before anyone spotted it.
- Time to fix. In the case of the three Java vulnerabilities above, it took weeks for a patch to become available. The grocery chain Schnucks was hacked last year, and it took 13 days for two different teams of IT security analysts to find the source of the leak and remove the malware. (For more, see “Schnucks Settlement Breaks Down Why Data Breaches Are so Expensive.”)
- Notification. Clients have to notify consumers, coordinate with law enforcement agents, and report the breach to state authorities. They'll have to set up a call center, email account, or other ways to deal with customer complaints and questions that arise during the next year.
- Withheld transactions. If lost data is from credit card transactions, a client might face scrutiny from its transaction processor. Some processors withhold a percentage of a client's transactions in case major banks need money to cover the fraudulent transactions that occur because of stolen data.
- Lawsuits. Customers whose data is stolen can sue your client for the data breach, identity theft, and related losses. At first, a few customers might sue the client, but then the various cases may combine into a class-action lawsuit.
Most small-business owners don't realize how messy and expensive a data breach can be. And then there's the problem of Java. Many small-business owners assume that cyber criminals won't bother attacking a business their size, but the truth is more complicated.
Security weaknesses in Java and other mainstream IT products mean that any business can be hacked. Cyber criminals scan the Internet for websites and networks with known flaws, and when a zero-day flaw is discovered, they'll hit whomever they can reach before it's patched.
Why Contractors Need IT Insurance
Because data breaches are so expensive and time consuming, clients can sue their IT contractor to make up for the damages to their reputation, sales they've lost, and the direct costs of repairing and responding to the breach.
You might be wondering, Can I be sued for a Java vulnerability? Yes, you can. It seems unfair that you can be sued over a problem in Oracle's product, but that's what happens. IT consultants can be held liable for the security of the software they recommend and the networks they manage.
If you're sued, a client's lawyers could easily make the case that Java is well known for its security weaknesses. IT consultants who use it (or programs, mobile phones, and other platforms that have it) are accepting that risk.
How do you protect yourself from data breach lawsuits and Java liabilities? Technology Errors and Omissions Insurance (also called Professional Liability Insurance) covers the cost of lawsuits arising from your IT consulting work. E&O Insurance can cover data breaches, software flaws, and other problems with your work and the software you use.
If you need E&O to sign a client contract, submit our online insurance application.