Understanding Cybersecurity Negligence
Negligent behavior will most likely NOT be covered by your insurer if you are taken to court. Every insurer uses its own definition of negligence, but in IT security terms negligent behavior can be defined as failing to follow industry-recognized best practices or failing to meet ALL of the compliance requirements that apply to you. A single negligent breach can close a business for good, because liability insurance may not cover IT security-related negligence, and the fines, damages and legal fees that follow non-compliance with statutory, regulatory and contractual requirements can bankrupt a company.
An IT Security Program Is Meant To DECREASE LIABILITIES while at the same time IMPROVE EFFICIENCIES!
Avoiding Professional Negligence Is Good For Business! The goal of IT security documentation is to build an IT security program for your company that decreases liabilities while at the same time improving operational efficiencies. That combination equates to bottom-line savings for your company.
#1 - If your company accepts credit cards, advises on financial matters, provides healthcare services, or stores any sensitive Personally Identifiable Information (sPII) on clients or employees, then you are subject to specific compliance requirements. The standards those regulations and contracts dictate establish the objective benchmark for the IT security protections that are “reasonably expected” to be in place.
#2 - If your company does not meet the minimum standards of a compliance requirement, that deficiency is evidence of negligence. Negligence can be as simple as outdated antivirus software, weak passwords, unencrypted wireless networks, unpatched operating systems, or inadequate IT security documentation. Ignorance of a requirement is not an excuse!
#3 - Negligence is demonstrated by a lack of documented due care and due diligence. If you are taken to court, the plaintiff’s attorney will likely aim to prove negligence. Without documentation of due care (what you actually did) and due diligence (how you planned and verified it), proving negligence becomes easier and damages are more likely to be awarded to the plaintiff.
#4 - The ramifications of being found “negligent” can be devastating for a company, since most insurance policies contain an exclusion (the so-called “negligence loophole”) that relieves the insurer of the obligation to pay out. The bottom line is that your company may have to pay all fines, damages and legal fees on its own, without any insurance reimbursement.
A single negligent event can put a company out of business permanently, since liability insurance may not cover professional negligence for IT security-related incidents. The simple rule of thumb is this: if you are not in compliance with what you are legally obligated to do, then you are professionally negligent.
Procedures Operationalize Policies & Standards - This Is A Key Concept To Avoiding Negligence
We leverage the Operationalizing Cybersecurity Planning Model to create a practical view of how cybersecurity requirements get implemented. Organizations are rarely short of policies; where they fall short is in executing those requirements. Standard Operating Procedures (SOPs) are where the rubber meets the road for Individual Contributors (ICs), since these key players need to know (1) how they fit into day-to-day operations, (2) what their priorities are and (3) what is expected of them in their duties. From an auditability perspective, the evidence of due diligence and due care should match what the organization's cybersecurity business plan is attempting to achieve.
The central focus of any set of procedures should be a Capability Maturity Model (CMM) target that provides quantifiable expectations for People, Processes and Technologies (PPT). This helps prevent a “moving target” by establishing an attainable definition of “what right looks like” for PPT. Cybersecurity business plans generally take a phased, multi-year approach to meeting these CMM-based objectives. Those objectives, together with the business plan, demonstrate due diligence on the part of the CISO and his/her leadership team. The objectives prioritize the organization’s service catalog by shaping the IC-level procedures that govern how PPT are implemented at the tactical level. SOPs not only direct the workflow of staff, but the output of those procedures (the records, logs, tickets and reports they generate) provides the evidence of due care.
The diagram below helps show the critical nature of documented cybersecurity procedures in keeping an organization both secure and compliant: