Who’s accountable for a Security Breach? Cybercrime and Healthcare

Guest Article: Nilesh Jain, Country Manager – India & SAARC, Trend Micro

First things first, who’s responsible for security breaches? The short answer will be, everyone. We will be discussing it at length in this article. Cyber security is a fundamental challenge in today’s world, as government agencies, corporations and individuals are increasingly becoming victims of cyber-attacks. It is a well-known fact that businesses are turning more and more often to the cloud and mobile applications as to stay ahead of the competitive curve. However, cloud storage, IoT and mobile applications increase security risks for all enterprises, no matter how big or small they are in terms of size and scope.

It should be considered that cyber-attacks are not only often but frequently creative and innovative. Though many large corporations around the world consistently boasts of “’security in their very DNA”, they often nose-dive to keep up pace with criminals who are always finding out newer ways to trespass your security cellar.

The point is not just about preventing breaches but also to learn from it so that it can be prevented in the future. That calls for figuring out who or what is to blame for a breach. With the number of breaches multiplying each day and hackers taking advantage of vulnerabilities within the system, and employees bypassing security protocols and walls, thereby exposing more and more vulnerabilities in the process, developers are struggling to create breach-immune networks and systems, which is at best, just a utopian idea.

Few ways a data breach can occur

  • Common human error where a user clicks on a phishing email attachment or download from an unauthorized website, thereby receiving a malware, adware, spyware or the dangerous ransomware
  • Data theft from an unlocked system
  • Stealing from unencrypted files, devices etc
  • Not training staff regarding simple security practices and processes
  • Lack of end to end data protection services and destruction services
  • Use of unsecured internet access services or wi-fi
  • Not protecting data stored, used and sent

Coming to healthcare, recent studies indicate that about 90% of organizations have suffered at least one data breach in the past two years. The main cause identified in all these cases was criminal intent; unlike with most credit card data breaches, these cases were not immediately identified. The cost of all sorts of breaches in the healthcare sector is around $6 billion per year or $2.1 million per healthcare organization annually; which is alarming.

The point arises, who is to blame when a data breach occurs or who should be accountable? Or, bear the responsibility is something that most businesses bother with, in today’s time. Data breaches can occur due to a myriad of reasons such as human errors, system failures or cyber criminals looking to make quick money. Most businesses inadvertently blames the end users, IT managers, CISOs or hackers and several surveys even pointed out that company’s own employees being the biggest perpetrators of data security breaches. While it is the common practice to blame the CEOs and top management, in reality everyone should be held accountable. Data security should be a collective effort, not a one-man show.

Humans are the weakest link in the security chain and hence, employees should be aware of IT security policies and practices. That is not to discount the fact that breaches also happen due to gaps in technology. Technology is evolving fast and with it hackers are also getting more and more sophisticated and smarter. In rational terms, IT managers are to blame as it is their responsibility to keep ahead of hackers but as mentioned, no system is immune from threat but impact can be minimized to an absolute zero, if the threat is diagnosed in time.

 The blame game

In order to figure out the source of breach, it is important to continuously screen and log every information that is exchanged over the data carrying network. Best-of-breed security controls and data protection systems such as encryption etc, adequate access control lists and technology solutions such as threat detection system within networks are a good way for IT managers to identify the breach.

Simply put, CISOs and IT departments in organizations are responsible for data access, compliance and security through prevention, detection and response. They are also responsible for defining business policies on the use of data and breach. But in reality, things are a bit complicated. Business owners and leadership who are heading departments which transact in secure data are also accountable. They are the ones who needs to guide the IT department in terms of which data should be protected on priority and which employees can be given the right to use a certain data set. They are the ones who needs to devise strategies in order to prevent breaches and make security awareness and training on cyber security, a regular part of office standards.

Protection against breaches is an ongoing process and businesses need to have efficient tools and processes, like for example, passwords and firewalls to keep such untoward activities at bay. Businesses also needs to put in place data usage, exchange and security policies. It is a no alien fact the magnitude of reputation and financial loss a data breach can result to.

While large organizations can afford hi-end security systems and solutions, SMBs often do not have that luxury, though history testifies the fact that they are as much prone to data breaches as their larger counterparts are.

Once a breach occurs, we tend to say things like, the business owner should have had a vision in place and could have planned better, developers should have programmed systems more securely, IT managers should have detected the threat faster and finger-pointing goes on. The naked truth is, there are no universal rule to understand how or why a breach happened and how to mitigate the resulting damages faster. Obviously, more capital is invested, more people are hired and more solutions are brought in and integrated thereby rendering the entire security ecosystem complicated.

Cloud can be the answer

Internet has redefined the way our systems run. Cloud technology can indeed solve the security puzzle and problems to a huge degree and that too, in a cost-effective manner. IT managers and business leadership are increasingly recognizing this fact and are starting to take a more holistic approach towards cyber security, rather than focusing on attack vectors in silos.

Security-as-a-platform, backed by technology, automation, machine learning and the cloud, is something that will rule the roost in the coming times. Not only such a system will facilitate breach alleviation but will also change the security blame game as everyone can be held responsible – as such a system needs development, production and management. Security as a service provides access to a single point of security insight which can be leveraged to draw up a course of action. Disparate security systems working in silos can no longer address the data breaches of today and its impacts.

Be the first to comment