A recent Acunetix study of over 15,000 websites and 5,500 companies unveiled startling numbers. Network scans performed on over 1.9 million files revealed that…
- Almost four in five web applications were affected by a "medium security" vulnerability.
- Nearly 50 percent of web applications had a "high security" vulnerability.
The vulnerabilities were the usual suspects, including XSS and SQL injections.
The alarming conclusion? Organizations whose web apps contain a high-security vulnerability would fail to comply with the financial industry's PCI Data Security Standard. For IT consultants and tech contractors, this report confirms your fears – your clients are an errors and omissions lawsuit waiting to happen.
Their Risk Is Your Risk: Sharing E&O Liability with Clients
Let's take a step back and examine your responsibilities as an IT professional. You're responsible for doing your job well and protecting clients from security risks. If you fail to do this, you can be sued over professional negligence.
You can't prevent all security incidents, but you are responsible for taking reasonable precautions to prevent them. To put it another way, you need to follow and implement best practices.
Unfortunately, your clients can make this hard for you to do. For example…
- A client insists on using obsolete software. (See the post "End of Windows Server 2003 Support & Your Associated E&O Risks" for more on this topic.)
- A client is slow to patch a flaw. (Learn more about software patches in the post "Software Patches: The Good, the Bad, and the Liability.")
- Small budgets mean clients don't invest in training and education to encourage proper "cyber hygiene." (To see the benefits of client training, read "Your Most Powerful Anti-Data Breach Tool (Spoiler: It's Client Education).")
In the real world, IT is always going to be less than optimal. Given budget compromises and the friction of upgrading and implementing new software, clients are going to be using flawed technology.
The Skinny on Errors and Omissions Insurance
If a client's data is compromised as the result of an SQL injection, your client might have to pay for:
- Network repairs.
- Notifying customers about a breach.
- Providing credit-monitoring services.
- Breach investigations.
- PR campaigns to rebuild their reputation.
And these costs can add up in a hurry. IBM and the Ponemon Institute estimate the average cost of a data breach in 2015 was $3.79 million – up 23 percent from the previous year. To learn more about covering these costs, read "Why Your Clients Need Cyber Liability Insurance."
Faced with a hefty bill after a security incident, clients could sue you to recover the damages. In a lawsuit, their lawyers may argue that the systems you installed were faulty and that the breach could have been prevented (as is the case with many SQL injections).
If the court finds evidence that you should have done more, you could lose the lawsuit. Even if you took all reasonable precautions to protect your client's data, you would still have to defend your company against the lawsuit. And that will be expensive.
Many IT consultants invest in Errors and Omissions Insurance to offset the costs of expensive lawsuits – and many client contracts will require it. With risks abounding on 80 percent of web apps, be sure to protect your company from the high cost of IT lawsuits.