
DATA PROTECTION ESSENTIALS

Downstream liability makes the case for security spending


Pete Lindstrom, CISSP
02.25.2004


As far as FUD (fear, uncertainty and doubt) factors go, downstream liability comes up more than its fair share of the time. There is only one problem: to date, there have been no standard-bearing cases to wave under our bosses' noses, so they tend to discount the possibility. The kicker is that we know the potential is still there.

So how do we impress upon executive management the need to protect against something that is basically a very real figment of our collective imaginations? How do we justify funding to protect against this eventuality?

The key is not to overstate the case, because remember, there isn't one ... yet. But downstream liability is changing. The earlier focus was on liability for distributed denial-of-service (DDoS) attacks, where the legal grounds were weak because no single source caused, or could have prevented, the attack. That is giving way to the more significant issue of business relationships gone sour.

Being generally negligent toward the entire Internet, rude as it is, has no real effect on the actions of most companies, as our monthly "worm-go-round" reminds us. Companies that are specifically -- traceably -- negligent toward a valued business partner are a different story. As Blaster demonstrated in 2003, a fast-spreading worm turns a connected server, or even a laptop, into a weapon that can attack and spread throughout the entire "chewy interior" of a partner's environment, and a private partner link typically bypasses the Internet perimeter controls that would otherwise slow it down. That capability makes downstream liability a business problem rather than a legal one.

The way to build a budget to thwart downstream liability is to measure the loss potential of the connections. You should already have a list of private connections; the next step is to calculate their value. Sometimes calculating the value is as simple as asking the functional owner the value of the revenue stream. For example, a financial information provider that feeds organizations custom information and charges $100,000 a year loses that money if the client company cuts it off due to security concerns. On the "buy" side of the connection, more in-depth analysis is required to calculate the potential loss to the enterprise's business operations. For example, if the information arrives more slowly, financial trades are executed minutes late, and revenue falls as a result.

Let's look at a few other ways to measure business partner value (disregarding other risks for the moment):

  • The costs of opening a fully-staffed offshore development operation rather than contracting with a consulting organization.
  • The value of the annual financial audit that depends on the auditors connecting to the local network.
  • The cost of the lag between just-in-time inventory systems and traditional ones. These costs may include warehouse costs and lost sales.

There are a number of intangibles that also lead to higher economic costs. Downstream liability is not so much about getting sued as it is about the potential for being sued once the relationship has broken down. Nobody really wants to go to court, but there are many ways to make wrath known, particularly when one party is obviously at fault. The relative impact can be:

  1. Renegotiated terms. This is fewer or more dollars changing hands, with your enterprise on the losing end.
  2. Eliminated relationships. In cases where there is significant leverage on one side, usually due to competition or size, a severed connection is a reasonable expectation. Strong businesses today understand the technical side of downstream liability and will not stand for connections that increase risk.
  3. Embarrassment. In many industries or business communities, reputation is the key to success.

Now that you've considered the business value of the connection (do that first), it is time to return to the legal impact of downstream liability. Gather information about legal costs, including hourly rates and operational expenses; any large company has active legal cases whose costs can serve as a baseline. Then get a legal opinion on what counts as "reasonable" precautions and what duties you have to reduce liability.
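The procedure above (inventory the private connections, value each from its functional owner, weight the value by how the relationship is likely to react to a traceable incident, then add the legal exposure) can be kept as a small, repeatable model rather than a one-off spreadsheet. The following is an added example, not code from the article or from Spire Security; the partner names, dollar figures and probabilities are constructed for illustration and would in practice come from the functional owners and from counsel.

```python
"""Rank private business-partner connections by downstream-liability loss potential.

Added example; all figures below are constructed. Sell-side connections lose the
revenue stream if severed; buy-side connections lose the operational value they
enable plus the cost of replacing the feed (e.g. building an in-house operation).
"""
from dataclasses import dataclass


@dataclass
class Connection:
    partner: str
    side: str               # "sell": we feed the partner; "buy": we consume their feed
    annual_value: float     # sell: yearly revenue; buy: yearly value of what the feed enables
    p_renegotiate: float    # chance a traceable incident forces renegotiated terms
    haircut: float          # fraction of annual_value conceded in that renegotiation
    p_terminate: float      # chance the partner severs the connection outright
    replacement_cost: float = 0.0   # buy side only: one-time cost to replace the feed


def business_loss(c: Connection) -> float:
    """Expected yearly loss from the relationship reacting to an incident we caused."""
    renegotiated = c.p_renegotiate * c.haircut * c.annual_value
    if c.side == "sell":
        terminated = c.p_terminate * c.annual_value
    elif c.side == "buy":
        terminated = c.p_terminate * (c.annual_value + c.replacement_cost)
    else:
        raise ValueError(f"unknown side {c.side!r}")
    return renegotiated + terminated


def legal_cost(hours: float, hourly_rate: float, operational: float) -> float:
    """Cost of defending one dispute, taken from counsel's rate and a comparable active case."""
    return hours * hourly_rate + operational


def rank_connections(conns, p_dispute: float, dispute_cost: float):
    """Return (partner, business_loss, legal_exposure, total), highest business loss first.

    Business value leads the ranking; legal exposure is the same for every partner
    that might sue and is reported as the secondary line item.
    """
    rows = []
    for c in conns:
        b = business_loss(c)
        legal = p_dispute * dispute_cost
        rows.append((c.partner, round(b), round(legal), round(b + legal)))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


# Constructed inventory: names, values and probabilities are illustrative only.
CONNECTIONS = [
    Connection("custom-data subscriber", "sell", 100_000, 0.30, 0.20, 0.10),
    Connection("market data feed", "buy", 2_000_000, 0.10, 0.05, 0.02, 250_000),
    Connection("offshore dev contractor", "buy", 800_000, 0.20, 0.10, 0.05, 1_500_000),
    Connection("external audit firm", "buy", 300_000, 0.05, 0.00, 0.01, 50_000),
]

if __name__ == "__main__":
    # 400 billable hours at $450/hour plus $60,000 of operational expense: constructed.
    dispute = legal_cost(400, 450, 60_000)
    for row in rank_connections(CONNECTIONS, p_dispute=0.05, dispute_cost=dispute):
        print(row)
```

Run as-is, the ranking puts the offshore development link first because the buy-side replacement cost dominates, even though the sell-side subscriber is the connection whose dollar value is easiest to state. That is the point of separating the two sides: the cheapest-looking connection to lose is not always the cheapest.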

Downstream liability may never happen in the courts, but you can be sure its effects are felt already throughout the world of business partner relationships. Leading with business value and following with legal costs, you can make your best case for security spending.

About the author
Pete Lindstrom, CISSP, is research director for Spire Security and a columnist for SearchSecurity.com's sister publication Information Security magazine.
