When Oracle announced that it was issuing major patches for Java and several other products, the news wasn't surprising given Java's reputation as a vulnerable platform. How dangerous were the vulnerabilities that were patched? Extremely.
According to Krebs on Security, several of the flaws scored a 10 – the highest possible score – on the CVSS vulnerability rating system. A 10 is reserved for flaws that can be exploited remotely, without authentication, to take complete control of the affected system; in plain terms, an attacker who reaches a vulnerable Java installation can run code of their choosing on your client's devices.
The truth is that news like this is fairly common. Every week a major piece of software is patched after researchers discover a new flaw. Should IT consultants be concerned when they hear about new vulnerabilities? Yes, because software flaws expose you to a risk of lawsuit. Here's why.
IT Consultants and Professional Liability Lawsuits
IT consultants are responsible for making sure their client's software is up-to-date and running securely. If you're hired to oversee a client's network and you fail to remove old and vulnerable versions of Java, you could be named in a professional liability lawsuit (see Professional Liability Insurance for information about covering these lawsuits).
IT contractors can be sued over…
- Recommending software with a security flaw.
- Using security software (anti-malware programs, data-loss-prevention tools that are supposed to block exfiltration, etc.) that doesn't stop a cyber attack.
- Forgetting to update or remove old software after a flaw is made public.
But your professional liability risks are bigger than just these. If a client's data is exposed, you could be sued even if you did nothing wrong. Data breaches are so expensive that a client's lawyers might advise them to file a lawsuit against you to recoup some of the cost.
Let's use the recent Java vulnerabilities as a way to understand how a lawsuit like this might happen.
Java Vulnerabilities in the BYOD Workplace
Java is particularly problematic because there are so many versions, and a newer install does not necessarily remove the earlier ones, so casual users may have several obsolete (and vulnerable) copies on their machines. Popular games like Minecraft require a Java runtime, which means casual users may install it, along with the browser plugin, and forget that it's even on their machines.
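The practical check that follows from this is an inventory: find every Java runtime on a machine, ask each one its version, and flag the ones below the release you are willing to support. The script below is an added example, not code from TechInsurance, Oracle or Krebs on Security. It assumes the install roots listed in `SEARCH_ROOTS` (typical locations, extend them for the client), a `SUPPORTED_MAJOR` baseline you choose (set here to 8, so the Java 6 and 7 installs the article mentions are flagged), and a set of constructed `java -version` banners in `SAMPLE_BANNERS` so the parsing can be exercised offline.

```python
"""Inventory installed Java runtimes and flag versions below a supported baseline.

Added example for this page (not TechInsurance's or Oracle's code).
Assumptions: SEARCH_ROOTS are typical install locations; SUPPORTED_MAJOR is
the oldest major version you are willing to leave on a client machine.
"""
import os
import re
import subprocess
from typing import Dict, List, Optional

# Assumption: anything older than this major version is treated as obsolete.
SUPPORTED_MAJOR = 8

# Typical Java install roots on Windows, Linux and macOS; extend per client.
SEARCH_ROOTS = [
    r"C:\Program Files\Java",
    r"C:\Program Files (x86)\Java",
    "/usr/lib/jvm",
    "/Library/Java/JavaVirtualMachines",
    "/usr/local/java",
]

# Constructed sample banners (not captured from real machines) so the
# parser can be demonstrated without any Java installed.
SAMPLE_BANNERS = {
    "/old/jre6/bin/java": 'java version "1.6.0_45"\nJava(TM) SE Runtime Environment (build 1.6.0_45-b06)',
    "/old/jre7/bin/java": 'java version "1.7.0_80"\nJava(TM) SE Runtime Environment (build 1.7.0_80-b15)',
    "/usr/lib/jvm/jdk8/bin/java": 'java version "1.8.0_292"',
    "/usr/lib/jvm/jdk17/bin/java": 'openjdk version "17.0.2" 2022-01-18',
    "/broken/bin/java": "",
}

# Pre-9 runtimes report "1.x.y_zz" (major is x); 9 and later report "x.y.z".
_VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)(?:\.(\d+))?')


def java_major_version(version_output: str) -> Optional[int]:
    """Parse the major version from `java -version` output, or None if unparseable."""
    m = _VERSION_RE.search(version_output)
    if not m:
        return None
    first, second = int(m.group(1)), m.group(2)
    if first == 1:
        return int(second) if second is not None else None
    return first


def runtime_status(major: Optional[int], baseline: int = SUPPORTED_MAJOR) -> str:
    """Classify a runtime: 'obsolete', 'ok', or 'unknown' (could not be probed)."""
    if major is None:
        return "unknown"
    return "obsolete" if major < baseline else "ok"


def find_java_binaries(roots: List[str] = SEARCH_ROOTS) -> List[str]:
    """Walk the install roots and return every java / java.exe found."""
    found = []
    for root in roots:
        if not os.path.isdir(root):
            continue
        for dirpath, _, files in os.walk(root):
            for name in files:
                if name in ("java", "java.exe"):
                    found.append(os.path.join(dirpath, name))
    return found


def probe_version(java_path: str) -> str:
    """Run `java -version`; the banner goes to stderr, not stdout."""
    try:
        proc = subprocess.run([java_path, "-version"], capture_output=True,
                              text=True, timeout=15)
    except (OSError, subprocess.SubprocessError):
        return ""
    return proc.stderr or proc.stdout


def audit(banners: Dict[str, str], baseline: int = SUPPORTED_MAJOR) -> Dict[str, dict]:
    """Map each install path to its parsed major version and status."""
    report = {}
    for path, banner in banners.items():
        major = java_major_version(banner)
        report[path] = {"major": major, "status": runtime_status(major, baseline)}
    return report


def obsolete_paths(banners: Dict[str, str], baseline: int = SUPPORTED_MAJOR) -> List[str]:
    """Paths that should be removed or upgraded; 'unknown' ones need a manual look."""
    return sorted(p for p, row in audit(banners, baseline).items()
                  if row["status"] == "obsolete")


if __name__ == "__main__":
    live = {p: probe_version(p) for p in find_java_binaries()}
    # Fall back to the constructed samples when the host has no Java at all.
    for path, row in audit(live or SAMPLE_BANNERS).items():
        print(f"{row['status']:8} major={row['major']}  {path}")
```

The probe runs each binary it finds, so run it from an account that is allowed to execute them, and treat an "unknown" result as a reason to inspect the install by hand rather than as a pass: a runtime that cannot be probed cannot be vouched for either.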
Security vulnerabilities in consumer-grade software can expose a BYOD workplace to a data breach. At a BYOD workplace, employees use personal devices on the company network, which means that any vulnerability in their software or hardware can give an attacker a foothold on your client's network.
For example, if an employee's Java-enabled browser opens the door to a malware attack on the client's network, you could be sued if the security software you installed wasn't able to stop the attack.
Educate Clients to Limit Your Professional Liability
There's an information gap between IT consultant and client – you understand why and how to keep software secure, but many of your clients simply don't. They might put off updates and patches simply because they don't realize how crucial they are. Clients might not even realize that they still have Java 6 or 7 installed, with the browser plugin still enabled, and so put their organization at risk of a data breach.
How do you bring your clients up to speed?
- Use TechInsurance's free Customer Education Handbook. We wrote this guide specifically for IT consultants to distribute to their clients to teach them basic data security.
- Point clients to our simple data security checklists if you're concerned about overwhelming them. These checklists show what they can do each day, month, and year to ensure their security is up-to-date and their network is protected.
For more on educating your clients, see "Your Most Powerful Anti-Data Breach Tool (Spoiler: It's Client Education)."