Every year, Verizon performs an exhaustive study of the last 12 months of data breaches, looking for trends and patterns that will help data security professionals better protect their clients' data. This year, Verizon's 2014 Data Breach Investigation Report found that 94 percent of data breaches were caused by the following nine mistakes:
- Emails sent to the wrong person.
- Crimeware / malware.
- Misuse of privileged access to data by inside users.
- Laptop theft, device theft, or other physical theft and loss.
- Attacks on web apps.
- Distributed denial-of-service (DDoS) attacks.
- Cyber espionage.
- Point-of-sale intrusions (i.e., hacks on digital payments and cash registers).
- Payment card skimmers.
Preventing these threats is easier said than done. Some are simply caused by employee error. Others are the result of targeted malicious attacks from cyber criminals. But if you are an IT consultant, preventing the onslaught of cyber risks is precisely your job.
To help you understand these threats better, let's look at some examples of how threats like these could lead to a lawsuit against a small IT company.
Data Security 101: How Breaches Lead to Lawsuits
IT professionals often have to carry more than their fair share of blame. If something goes wrong, everyone points the finger at the tech person. Unfortunately, this also holds true in lawsuits.
IT vendors face an unfair number of lawsuits because they can be sued for mistakes they make as well as issues – such as outages – that result from the third parties they use.
With that in mind, let's look at how some of the most common data security threats can lead to lawsuits.
- Laptop theft, device theft, or other physical theft and loss. Verizon's report shows that 46 percent of data breaches in the healthcare industry were caused by physical theft / loss of devices. Make sure you warn clients about the risk of lost or stolen devices (especially if you work with healthcare clients). We included data breaches caused by lost devices in our rundown of head-scratching breaches, "The Dumbest Ways to Lose Your Data."
- Crimeware / malware. Malware can be delivered a thousand different ways. An employee might receive an email that is disguised to look professional but really contains a virus. Links on social media posts might trick users into downloading dangerous software. However malware is delivered, IT consultants can be held responsible for not educating clients about these threats or failing to put safeguards in place to prevent them.
- Web app attacks. This type of attack is the most common source of data breaches. By using stolen login credentials or exploiting weaknesses in web platforms, cyber criminals are able to break into web apps. WordPress is infamous for its security weaknesses, and hackers have built botnet armies from all the WordPress sites they have been able to hack.
- Distributed denial-of-service (DDoS) attacks. In the article "Web Host Liabilities: How Hackers Can Shut Down Your Client's Website," we detailed how DDoS attacks derailed the Typepad web platform for five days. An outage like that could mean you're facing a lawsuit for a client's lost revenue, slow sales, and damaged reputation.
- Point-of-sale intrusions. Point-of-sale attacks were made famous by the Target data breach. Hackers can use a variety of tools to glean credit card data from store payment systems. One common way is to use RAM scrapers, software that scrapes POS systems for personal information (credit card numbers, names, PINs, etc.) and then dumps the information online for hackers to download.
What Can You Do about Common Data Security Liabilities?
Even if you educate clients, install secure software, and stay current with data security trends, you'll still be exposed to data security liabilities. Hacks can and do happen to companies that spend millions of dollars on top-of-the-line data security. It stands to reason that malware could just as easily take down one of your clients.
Furthermore, the interconnected nature of IT exposes you to risk. An attack on a web host or web app could lead to an outage on your client's webpage – and a lawsuit filed against you. So what do you do?