7. Limitation of Liability YOU ACKNOWLEDGE AND AGREE THAT YOU ASSUME FULL RESPONSIBILITY FOR YOUR USE OF THE SITE AND ANY SOFTWARE OR FIRMWARE DOWNLOADED THEREFROM. YOU ACKNOWLEDGE AND AGREE THAT ANY INFORMATION YOU SEND OR RECEIVE DURING YOUR USE OF THE SITE MAY NOT BE SECURE AND MAY BE INTERCEPTED OR LATER ACQUIRED BY UNAUTHORIZED PARTIES. YOU ACKNOWLEDGE AND AGREE THAT YOUR USE OF THE SITE AND ANY SOFTWARE OR FIRMWARE DOWNLOADED THEREFROM IS AT YOUR OWN RISK. RECOGNIZING SUCH, YOU UNDERSTAND AND AGREE THAT, TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, NEITHER VTECH NOR ITS SUPPLIERS, LICENSORS, PARENT, SUBSIDIARIES, AFFILIATES, DIRECTORS, OFFICERS, AGENTS, CO-BRANDERS, OTHER PARTNERS, OR EMPLOYEES WILL BE LIABLE TO YOU FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY OR OTHER DAMAGES OF ANY KIND, INCLUDING WITHOUT LIMITATION DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, DATA OR OTHER TANGIBLE OR INTANGIBLE LOSSES OR ANY OTHER DAMAGES OR LOSS BASED ON CONTRACT, TORT, STRICT LIABILITY OR ANY OTHER THEORY (EVEN IF VTECH HAD BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES), RESULTING FROM THE SITE OR SOFTWARE OR FIRMWARE DOWNLOADED THEREFROM; THE USE OR THE INABILITY TO USE THE SITE; UNAUTHORIZED ACCESS TO OR ALTERATION OR DESTRUCTION OR DELETION OF YOUR TRANSMISSIONS OR DATA OR DEVICE; STATEMENTS OR CONDUCT OF ANY THIRD PARTY ON THE SITE; ANY ACTIONS WE TAKE OR FAIL TO TAKE AS A RESULT OF COMMUNICATIONS YOU SEND TO US; HUMAN ERRORS; TECHNICAL MALFUNCTIONS; FAILURES, INCLUDING PUBLIC UTILITY OR TELEPHONE OR INTERNET OUTAGES; OMISSIONS, INTERRUPTIONS, LATENCY, DELETIONS OR DEFECTS OF ANY DEVICE OR NETWORK, PROVIDERS, OR SOFTWARE; ANY INJURY OR DAMAGE TO COMPUTER EQUIPMENT; INABILITY TO FULLY ACCESS THE SITE OR ANY OTHER SITE; THEFT, TAMPERING, DESTRUCTION, OR UNAUTHORIZED ACCESS TO, OR ALTERATION OF, ENTRIES, IMAGES OR OTHER CONTENT OF ANY KIND; TYPOGRAPHICAL, PRINTING OR OTHER ERRORS, OR ANY COMBINATION THEREOF; OR ANY OTHER MATTER RELATING TO THE SITE OR THE SOFTWARE OR FIRMWARE DOWNLOADED THEREFROM. NOTWITHSTANDING ANYTHING TO THE CONTRARY CONTAINED HEREIN, VTECH'S LIABILITY TO YOU FOR ANY CAUSE WHATSOEVER AND REGARDLESS OF THE FORM OF THE ACTION, WILL AT ALL TIMES BE LIMITED TO THE AMOUNT PAID, IF ANY, BY YOU TO PURCHASE A VTECH DEVICE OR SOFTWARE. Some jurisdictions do not allow the exclusion of certain warranties or the limitation or exclusion of liability for incidental or consequential damages. Accordingly, some of the above limitations may not apply to you.
While the importance of the Chief Information Security Officer has been in constant growth over the past few years, organisations that employ a CISO/CSO are still far too few.
As the latest breach at broadband provider TalkTalk descends slowly into farce, the perils of relying on the CEO to fill these shoes become apparent. Almost one week on from the initial attack many important questions still remain unanswered or answered in unacceptably vague or contradictory terms.
The “significant and sustained” attack against TalkTalk was initially characterised as a Distributed Denial of Service attack. Commentators rightly pointed out that a DDoS in itself does not lead to information theft and that there must have been another element to it. Later reports appear to confirm that the theft was the result of a simple SQL injection attack. At a technology company! Affecting 4m people! In 2015!
TalkTalk are still unable to confirm which and how much data was encrypted. In addition to personal information including name, address, date of birth and email address, the breach also exposed financial data. The CEO initially said that they “didn’t know” if this data was encrypted or not (How can this be the case?). Now, it appears that “only” the first and last digits of credit card data may have been exposed. Of course this still carries risk, think how often those “last four digits” are requested as verification data. Since then Baroness Harding has even gone as far as the last refuge of the wicked, legislation, claiming in an interview with The Sunday Times (paywalled) that TalkTalk is under no obligation to encrypt credit card data. Really? I think that the PCI-DSS may well dispute that point with you, not to mention your customers.
Ah yes, the customers… Those four million people who will now be finding that their names, addresses, contact information and dates of birth are far more difficult to change than their credit card details (or their broadband provider) and that a year of free credit-monitoring involves entrusting yet another corporate with all their extremely sensitive information.
The handling of the breach illustrates that the role of the CISO is never a purely technical one; the CISO also owns the breach response plan, an important aspect of which has nothing to do with technology and everything to do with communications. How do you inform your customers and when? How do you engage law enforcement or forensics? What information do you need always to have to hand about the care and sensitivity with which you treat the information that has been entrusted to your organisation and how do you sensitively, accurately and promptly convey this?
Rule 1: It’s not all about you. To say, “I’m a customer myself of TalkTalk. I’ve been a victim of this attack” is crass and insensitive in the extreme. To include an assertion in your FAQ that you have not breached the Data Protection Act is both short-sighted and ill-informed, as I addressed in this piece for The Guardian.
This apparent lack of plan, this visible lack of any senior Information Security management team could well be the eventual downfall of TalkTalk, time, the markets, the regulators and their customers will decide. We could be watching the first major corporate disintegration as a result of data breach. Welcome to the future.
So, assuming you have or are planning to hire a CISO, to whom should they report? In too many organisations the CISO is still reporting to the CIO despite the frequent pitfalls. This reporting structure can be counter-productive. The question of reporting lines is often a source of friction and can really only be answered if you have managed to effectively differentiate and delineate your CIO and CISO roles.
Job descriptions are slippery amorphous things, so in the interest of impartiality I’ll use Wikipedia’s definition. CIO is “a job title commonly given to the most senior executive in an enterprise responsible for the information technology and computer systems that support enterprise goals”, whereas CISO “is the senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy and program to ensure information assets are adequately protected”.
When put this simply, the conflict of interest in having a CISO report to a CIO becomes very clear. The person responsible for ensuring organisational information security can not be subordinated to the person responsible for technology selection and implementation. Rather the two should operate as a team, driving operational and information security up the boardroom agenda. An effective CIO/CISO team will take board level strategic directions and translate them into technological and process requirements for the organisation. The CIO ensures that best of breed technologies are selected and architected in the most operationally beneficial manner, the CISO ensuring that those technologies meet the security requirements of the business on an ongoing basis; neither one being able to pull rank on the other.
In the case of a conflict arising between the two, which cannot be resolved through discussion the final say must comes down to business risk and operations, requiring the involvement of COO, CRO or even CEO depending on the organisational structure.
Security should be a regular boardroom agenda item and it is only through the checks and balances of the independent CIO and CISO that it can be effectively addressed.
In the United Kingdom, as in many other economies around the world, smaller businesses are the lifeblood of national prosperity. In essence SMEs *are* the private sector, according to the Department for Business, Innovation & Skills, they employ more people (60% in the UK in 2014) and generate almost half the total turnover of the private sector (48% in the UK in 2014).
Given the importance of these businesses to the UK economy, Trend Micro decided to attempt to discover just how ready many of these businesses are for the potentially devastating consequences of compromise.
Small businesses represent an attractive target for online criminals for several reasons; of course many of them hold or process a large amount of personal information, identities, legal, financial and medical records just for example. They also have less convoluted financial and banking arrangements, making them easier to exploit with traditional banking malware whilst also being less likely to be compensated for any fraudulent transactions. Quite aside from the dangers of information or financial theft, small and medium businesses are increasingly in the sights of sophisticated criminals looking for ways into larger organisations. In an attack technique that has become known as “island hopping“, determined attackers seek out the smaller business partners of their eventual target in the hope that they will be less security savvy and less well-protected. Fazio Mechanical Services has become the unfortunate poster child of the island hopping attack ever since it was used as a stepping stone to the huge Target data breach in late 2013.
So what did we discover?
We interviewed 500 key decision makers and business owners in UK SMEs to compile the research. Amazingly, only half of them said they rely on internet security tools to protect their organisation from cyber attack. In addition, just 44% said they knew how to check if their laptops, mobiles or tablets had been infected with malware. Three-quarters (74%) admitted to not fully understanding the legal implications of a cyber attack, while 67% said the same was true of the financial implications of an attack.
Tellingly, just 18% said they thought their data was worth stealing.
It isn’t only the internet security industry that is sounding the alarm and offering assistance to SMEs. The UK government too has recognised the threat. Last month Ed Vaizey, the Digital Economy Minister outlined how the voucher scheme, operated by the government’s Technology Strategy Board, Innovate UK would be extended to cover cybersecurity. This scheme offers businesses the chance to apply for £5000 in funding for specialist advice to help better secure their businesses and digital assets. Unfortunately right now there isn’t enough in the pot to cover every application, so lucky recipients are selected in a random draw on a quarterly basis, still as they say, you’ve got to be in it to win it…
in the meantime the key to online security lies in the selection of a trusted security partner. As a small business, your core skills are not in cyber security or network or system administration. You are focussed on growing your business, on being succesful and on being the best in your field, and rightly so.
There are other small and medium businesses like yours who are striving to be the best in their field too and their field is security. A specialist partner, providing a managed security service, will be able to provide you with the assurance and peace of mind that you need to focus all your efforts on success and who knows… You may even get the funding!
The research was conducted on behalf of Trend Micro via Vital Statistics – sampled 500 UK business owners and decision makers in August 2015.
Small Business Advice Week runs from 31st August -6th September 2015. More information can be found here: www.smallbusinessadviceweek.co.uk