IT consultants bear the brunt of cyber security risks. Here’s what to do about it
In a year already marred by economic carnage as a result of COVID-19, cyber security failures are on the rise. One of the fastest growing risks is digital threats. Self-employed IT consultants present an attractive target for cyber-criminal groups looking to make an easy buck, given tech professionals’ access to big target clients. In fact, according to Ponemon Institute
research, 67% of companies don’t assess the security of their vendors.
Across Canada, close to 90% of IT consultants
provide services to clients via their own limited companies. Being an independent IT contractor comes with some great perks. Self-employed consultants often charge more per hour than an employee in a similar position. But it comes with risks too.
Jeff Cartwright, VP of S.i. Systems, caught up with Vishal Kundi, Vishal Kundi, CEO & Co-founder of BOXX Insurance
to discuss risks and exposures to IT consultants and the businesses that engage them. BOXX is taking a pioneering approach to protect both companies and IT consultants from their respective cyber liability exposures, and Vishal has some great advice on the topic.
Jeff: Many consultants are having to consult on client projects from home. What does this do to cyber risk exposure?
Vishal: The work-from-home phenomenon has made both companies and consultants more vulnerable. The rapid uptake of often newly deployed and untested technologies such as video conferencing software and VPNs has left workforces exposed. When an entire workforce, as well as project-based consultants, are remotely accessing your network, it’s harder to spot an attacker.
Jeff: How has the slowdown in the market impacted their cyber exposure?
Vishal: On the back of their clients freezing IT contracts and a marked slowdown in the amount of work coming their way, consultants are seeing more uncertainty than they have for many years. Cyber criminals have been successfully exploiting the market uncertainty. There has been a noticeable rise in job seeking phishing scams, for example. Attackers take advantage of people’s anxieties, tricking them into clicking on malicious links, delivered under the guise of urgent updates or government support.
Jeff: Some of the most devastating breaches in the past few years have been rooted in the security weaknesses of third-party contractors, and in fact, hackers themselves admit that contractors are often their primary target. Cases in point are Target and more recently, Uber, Facebook, Instagram, and GE. What are some of the top threats facing IT professionals?
Vishal: The stories of successful cyber attacks we read in the media often result from access provided to IT contractors and third-party vendors. This is leading to a changing mindset amongst more security-conscious and larger enterprises. Malware, ransom attacks, and phishing remain huge threats. The costs can be crippling for all parties.
Jeff: In these disaster scenarios, where the IT contractor is the weak entry point for a hacker, is it possible to estimate the cost to the client of not thoroughly vetting and evaluating the security protocols of the consultants?
Vishal: Statistics are emerging. Third-party caused breach costs, on average, are thought to be twice those of a normal breach. According to Ponemon, considering the impact to brand reputation, loss in business, and possible decreases in share value, the overall cost of failing to effectively vet and evaluate third parties is about $13 million.
Jeff: What about cyber liability exposure? Are you seeing big firms pay more attention to IT consultants they work with and holding them accountable for incidents they caused?
Vishal: Yes. Successful cyber attacks typically result from employee error or access through less secure contractors. This has led new strategies amongst large enterprises that allow third parties access to their corporate data and systems. The most targeted industries are financial services, technology, media, and telecoms – all of which are heavy users of IT consultants.
Jeff: Do you see IT consultants being sued in the future by clients for cyber security failures they cause?
Vishal: The big question for IT consultants is whether companies that employ them will try to push the burden onto those working in the area of the business that was compromised. It’s easy to see that clients will be less forgiving in the future where a contractor’s lapse in security has caused them to experience substantial damage to their business and brand due to a privacy breach caused by the consultant.
The contracting firm may look to make scapegoats of the individual independent consultants that were to blame. With so many projects looking to speed up delivery, cut costs, or implement new technology, it is a surprise that there have not been more ‘trickle down’ lawsuits.
Jeff: What advice do you have for client firms and contractors to reduce the chances of a crippling cyber attack?
Vishal: For client firms, it’s essential to have the three following measures in place to:
(1) continuously assess the vendor’s security standards and best practices to determine if they meet those of your organization,
(2) ensure that all contracts contain clauses detailing their obligations for their own employee background checks as well as accredited employee data security training, and
(3) Both client firms and consultants should invest in cyber insurance as well. We are seeing client firms mandate IT contractors to carry varying limits of cyber insurance and not only that, we’ve seen that trickle down to subcontractors.
We’ve seen $1M to $10M limits being requested, depending on the nature of the engagement and size of the contract. This is a good investment as it could save exposure to hundreds of thousands of dollars in damages, if not more.
Jeff: These sound like sensible and pragmatic steps. How is BOXX helping clients and IT contractors with these measures?
Vishal: BOXX designed Cyberboxx Pro to meet this exposure gap. The coverage includes the third-party liability coverage clients are demanding of IT consultants and it also includes accredited employee cyber awareness training modules and assessment. This ticks a huge box to protect businesses, but it also provides IT contractors with an edge to win new clients who are increasingly cautious about whom they allow to access their systems.
Connect with Jeff
on LinkedIn and continue the conversation.