Security should be built-in, not bolt-on. Security should never be an afterthought. Secure by design, secure by default: these and more have become mantras, at least in information security circles. It is clear that technology, infrastructure and services initially designed for ease-of-use, maximum compatibility or openness will appear to be constrained by the security team after the event.
A notion that has been rolling around in the sometimes preternaturally silent caverns of my cranium for a while now, and something I have brought up on the last couple of panels I have sat on, is “Are we insisting hard enough?” This is not a security issue; this is a business issue.
If “secure by design” is the ideal state, why is it that we continue to have a bolt-on Information Security function? Information Security should be embedded in the enterprise structure; a business secure by design.
Another truism is that security professionals “need to learn to speak the language of business” and I have heard many security professionals express that same desire. It is equally true that business needs to learn to speak the language of security.
Every successful breach relies on a vulnerability, but there is still a disproportionate focus on vulnerabilities in code or configuration, rather than in process or people. Frequently it is simply the way that we do something, rather than the tools that we use, that enables an attacker to gain a foothold in our enterprises. Yet we still focus on patch and vulnerability management instead of embedding security in business processes.
Some more forward-looking organisations may already be exploring the concept of “security champions” or “security ambassadors” as a component of their security awareness program, but we can and should go further. The Information Security team should be distributed and embedded throughout the organisation, empowered security experts within each business function who carry that responsibility. Our business needs to be secure by design.
Meet your new InfoSec Team
The Human Resources team, Sales, Marketing, Research & Development, Finance, whatever is relevant to your enterprise; each of these needs a full-time security specialist with direct impact on departmental strategy and governance, procurement, third-party management, manufacturing, design, communications and more. Each of these reports to the CIO/CISO with a dotted line to their own departmental heads. This is your new Information Security Team.
The most obvious counter argument to this kind of structure is, of course, cost. The prospect of finding the cash to fund an extra head in every department is alarming at face value, but the more you consider how this approach translates to your own enterprise, the more attractive it becomes. It is not always an extra resource, often a redistributed one; the Information Security diaspora. This individual is a security expert, but also a full-time member of their respective team with a clear understanding of the goals, the roadmap, legislation and regulation, business requirements and drivers of that part of your business. They understand the use cases and respective urgency of technology requirements and are able to correlate the business need and the security “bigger picture”. Your embedded security resource learns new skills themselves from their departmental peers and also passes on their own security culture. Your distributed team simplifies the security audit, training, incident reporting and enhances customer experience, both internal and external.
No more marketing emails that ask your customers to “click a link to update their details”, no more ad-hoc appointment of third-party suppliers with inadequate security, no more public-facing web-servers vulnerable to SQL injections, no more shadow IT. No more.
Unparalleled visibility, integration and control, continuous education and improvement, and security embedded in every aspect of the business. Information Security is no longer the Department of No, it becomes the Department of How.
The more this architecture is adopted by leading businesses, the more secure we will make our inter-corporate communications and projects, as well. Security will find its counterpart in every partnership; you are building a secure physical API for the enterprise.
In the United Kingdom, as in many other economies around the world, smaller businesses are the lifeblood of national prosperity. In essence SMEs *are* the private sector: according to the Department for Business, Innovation & Skills, they employ more people (60% in the UK in 2014) and generate almost half the total turnover of the private sector (48% in the UK in 2014).
Given the importance of these businesses to the UK economy, Trend Micro decided to attempt to discover just how ready many of these businesses are for the potentially devastating consequences of compromise.
Small businesses represent an attractive target for online criminals for several reasons; of course many of them hold or process a large amount of personal information, identities, legal, financial and medical records, just for example. They also have less convoluted financial and banking arrangements, making them easier to exploit with traditional banking malware whilst also being less likely to be compensated for any fraudulent transactions. Quite aside from the dangers of information or financial theft, small and medium businesses are increasingly in the sights of sophisticated criminals looking for ways into larger organisations. In an attack technique that has become known as “island hopping”, determined attackers seek out the smaller business partners of their eventual target in the hope that they will be less security savvy and less well-protected. Fazio Mechanical Services has become the unfortunate poster child of the island hopping attack ever since it was used as a stepping stone to the huge Target data breach in late 2013.
So what did we discover?
We interviewed 500 key decision makers and business owners in UK SMEs to compile the research. Amazingly, only half of them said they rely on internet security tools to protect their organisation from cyber attack. In addition, just 44% said they knew how to check if their laptops, mobiles or tablets had been infected with malware. Three-quarters (74%) admitted to not fully understanding the legal implications of a cyber attack, while 67% said the same was true of the financial implications of an attack.
Tellingly, just 18% said they thought their data was worth stealing.
It isn’t only the internet security industry that is sounding the alarm and offering assistance to SMEs. The UK government too has recognised the threat. Last month Ed Vaizey, the Digital Economy Minister, outlined how the voucher scheme, operated by the government’s Technology Strategy Board, Innovate UK, would be extended to cover cybersecurity. This scheme offers businesses the chance to apply for £5000 in funding for specialist advice to help better secure their businesses and digital assets. Unfortunately right now there isn’t enough in the pot to cover every application, so lucky recipients are selected in a random draw on a quarterly basis; still, as they say, you’ve got to be in it to win it…
In the meantime the key to online security lies in the selection of a trusted security partner. As a small business, your core skills are not in cyber security or network or system administration. You are focussed on growing your business, on being successful and on being the best in your field, and rightly so.
There are other small and medium businesses like yours who are striving to be the best in their field too and their field is security. A specialist partner, providing a managed security service, will be able to provide you with the assurance and peace of mind that you need to focus all your efforts on success and who knows… You may even get the funding!
The research was conducted on behalf of Trend Micro via Vital Statistics, which sampled 500 UK business owners and decision makers in August 2015.
Small Business Advice Week runs from 31st August to 6th September 2015. More information can be found here: www.smallbusinessadviceweek.co.uk