For long-time cybersecurity industry veterans, we’re in an age we once thought impossible: cybersecurity has moved from a backroom, “IT-only” concern to a top-of-mind business objective.
Right where we always thought it should be.
However, this new era of cybersecurity accountability and regulation has yet to be fully disseminated throughout corporate culture and the broader public consciousness. Despite laudable industry efforts, strengthened government requirements, and a good deal more C-suite visibility, the message has yet to hit home everywhere: cybersecurity is everyone’s responsibility.
We Sink or Swim Together
In today’s vastly connected digital world, we are all participants in a voluntary digital contract. If your healthcare data is stolen from XYZ company’s database, mine (and potentially millions of others’) was likely stolen too. But this is not news, and the public has long clamored for increased digital privacy—and, thankfully, gotten it.
How does this apply to businesses? There is no more room for any organization that is connected to the internet in any way, or that uses a SaaS application, or that stores a single piece of personally identifiable information (PII) to think that they’re off the radar of attackers.
Every company, from the smallest mom-and-pop to the largest government defense contractor, is connected to a vast ocean of shared digital information, and threat actors can pull in at any port. If you’re not a ‘major player,’ you’re likely connected to one via the supply chain. And if you’ve somehow managed to avoid the physical supply chain altogether, you’re likely still drawing your source code from open-source repositories, or engaging with SaaS platforms, or utilizing applications that pull in open-source code. For context, the average SMB uses 253 SaaS apps.
What does this mean?
Shared Responsibility Is Not Just for Cloud
For anyone operating on one of the major cloud platforms, the shared responsibility model is nothing new. AWS notes that this “shared responsibility between AWS and the customer” entails AWS protecting the cloud itself, while customers protect what’s in it. As they explain, “customer assumes responsibility and management of the guest operating system (including updates and security patches), [along with] other associated application software as well as the configuration of the AWS provided security group firewall.”
So, even when a business engages with the highly secure Amazon Web Services, more cybersecurity controls, technologies, and policies must still be put in place before the organization’s total cloud-hosted assets can be responsibly considered secure against today’s rapidly evolving cyber threats.
While there is not an official name for it, this same model (Shared Responsibility) applies more and more to third-party risk.
Think of Third-Party Vendors
Companies that take on third-party vendors know the inherent insecurity of sharing cyber immune systems. What can happen to one (usually the smaller supply chain partner) can easily infiltrate the other, as devastating indirect attacks on Target, Maersk, and SolarWinds have shown us.
US federal regulations like DFARS and CMMC mandate that certain cybersecurity requirements be observed by businesses working with the Department of Defense (DOD), and the EU’s nascent DORA deals directly with third-party regulation. Current frameworks are even being retrofitted to include more supply chain considerations. The NIS2 Directive (EU), out last February, requires covered entities to take a risk-based approach to third-party management, which means carefully assessing the risks of those organizations before inking contracts, especially when it comes to critical infrastructure. And NIST 2.0 adds new supply chain and third-party risk management controls under the new ‘Govern’ function.
These are regulations for organizations taking on third parties, not for the third parties themselves. This shows that while a supply chain weakness may be ‘somebody else’s fault,’ the ultimate legal responsibility belongs not only to the third-party vendor but also to the institution that took it on. Today’s legislation acknowledges in writing that cybersecurity is, in truth, everybody’s responsibility.
What About Users?
Today’s users are also beginning to understand the need to watch out for themselves online and to assume some share of responsibility for their own digital safety. Data privacy laws protecting individuals’ rights have cropped up all over the world – in 137 countries total, so far. Starting with GDPR, non-European countries followed with their own data privacy laws within the next few years (Brazil, Thailand, China, Saudi Arabia, and India), illustrating the responsibility governments feel to enact cybersecurity laws to protect their citizens – and the general consensus that the public expects them to do so.
And users aren’t above taking care of themselves. Besides calling for increased government protection, over a third of Americans are now using password managers, and 75% of adults in the UK and Spain feel that tech companies have excessive control over their personal data.
Cybersecurity Accountability
Ultimately, cybersecurity is everyone’s responsibility because the fallout affects us all when something goes wrong.
When a company goes through a data breach – say it’s ransomware – a number of people are held to task, and even more are impacted.
First, the CEO and CISO will rightly be held accountable. Next, security managers will bear their share of the blame and be scrutinized for how they handled the situation. Then, laws and lawmakers will be audited to see if the proper rules were in place. The organization will be investigated for compliance violations, and if found guilty, will pay regulatory fines, legal costs, and maybe lose professional licenses. If the company cannot recover from the reputational damage, revenue will be lost, and jobs will be cut.
Lastly, and most importantly, the users who lost their data can likely be impacted for years, even a lifetime. Bank accounts and credit cards will need to be changed, identity theft will be a pressing risk, and in the case of healthcare data breaches, sensitive, unchangeable information could be leaked or used as blackmail against the victims.
Shared Responsibility: The Best Preservation Instinct
The burden of cybersecurity rests with us all. There is an old saying attributed to Dale Carnegie: “Here lies the body of William Jay, who died maintaining his right of way— He was right, dead right, as he sped along, but he’s just as dead as if he were wrong.” Even if cybersecurity was ‘somebody else’s’ responsibility, we would still be impacted in some way if things went wrong. So, for our own best interest, we’d better make it ours.
Learn more about email security, EDR, and security awareness training, and see how VIPRE can enhance your security posture and protect your organization against cyberthreats.
An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation, and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire, and many other sites.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.