Taking Responsibility For Your Own Security
In this election season we hear a lot of people talking about taking personal responsibility for their lives and fortunes. Taking responsibility for your own information security is another message that needs to be driven home. Should someone else be responsible if you are the victim of cybercrime or cyber fraud?
That is the issue in the recent case of PATCO Construction v. People's United Bank. I wrote about this case on Network World and discussed the implications with Jody Brazil, President of FireMon. You can listen in to our conversation below.
Very quickly: PATCO Construction, through phishing or some other means, lost control of its online banking login credentials. Criminals logged into PATCO's online banking account at People's United and initiated a series of transfers totaling more than $500,000. Within a very short time the initial transfers were followed by onward transfers to other banks, and by the time People's United put a stop to it, about half of the money was already gone, never to be recovered.
PATCO wanted People's United to put the money back in its account, and People's United said it was not the bank's fault that PATCO let criminals get hold of valid online banking credentials. PATCO argued that People's United should have been using two-factor authentication, and that since the bank's own internal systems had flagged the transactions as suspicious, it should not have approved them. Commercial accounts like PATCO's fall under UCC Article 4A, where the question is whether the bank's security procedure was commercially reasonable, and that is the standard the court applied. The case went up to a US appeals court, which sent it back down but indicated that the bank may be liable. The appeals court recommended that the parties try to settle the matter in mediation.
As Jody and I discuss in our conversation, what message does this send to other companies in PATCO's position? If someone else, like the bank, is going to be liable anyway, why bother with all of that security? Without bearing responsibility, how can we expect anyone to actually take security seriously? What about the bank? At what point is it supposed to know whether a transaction request is valid or not? If banks have to build the cost of covering fraud risk into their business model, it is only going to make it harder and more expensive for everyone to conduct business. One of the first rules in security is that if you place too big a burden on the business for security, you are not going to get buy-in from the organization.
This is especially true of the mid-market. The dollars and resources available for security are fixed. Placing a higher burden on mid-market organizations may push them over the brink. But it is their digital and other assets that are at risk, and it is not fair to expect someone else to pick up the loss. In the case of consumers, it is clear that the bank is responsible for all losses beyond a nominal $50 (in the US this is the Regulation E limit, provided the consumer reports the fraud promptly). Should the same rule apply to commercial organizations?
The bigger question, though, is one of responsibility. Security is hard. No matter what we do, you can still suffer a security breach or other incident. Who should bear the responsibility? If organizations bear no responsibility, should we expect them to take the necessary security precautions? Extending the metaphor of the individual: if not taking personal responsibility makes you dependent on the government or other entities, doesn't the same hold true for an organization that does not take responsibility for its own security?
Illena Armstrong of SC Magazine recently touched on a similar topic in the case of Wyndham Hotels and Resorts, which asked that an FTC proceeding against it be dismissed on the grounds that it was being singled out. The FTC's position is that Wyndham did not follow industry norms and that the resulting breaches led to more than $10 million in losses. Wyndham needs to own up to being responsible for its own security.
Perhaps carrying breach insurance is the prudent, responsible way for a business to handle this? Does your organization even have breach insurance? Breach insurance is one way of managing your risk, but all it can do is replace money lost, and it does nothing to prevent the breach itself. Some breaches are hard to put a price tag on.
These are big questions, but important ones. I believe that ultimately taking responsibility for your own security will make you more secure and leave us all better off. Listen to my conversation with Jody and let me know what you think.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.