Your customers are worried about getting sued, but what about you? I’m talking about performing a security risk assessment, then the customer gets hacked a week later. You told them everything is secure, but it turns out it wasn’t. Now they’re blaming you. Maybe they think it’s your fault, maybe they just want someone to blame, or maybe suing you is simply the only way for them to file an insurance claim. Just because they’re good guys doesn’t mean they won’t end up suing you.
You might be thinking “big deal, just get insurance”, but unfortunately that might not help you in some cases. If for whatever reason they believe you’ve done poor quality work, your insurance company may very well deny your claim.
I see some scary stories in the news once in a while, including just recently: A security company was sued for making false claims. The short version of the story: the company performed a forensics investigation and missed key details of a network breach that allowed credit card thieves to maintain their foothold during the 2 1/2 month long investigation. They thought they had identified the source of the data breach, but it turned out they hadn’t. The security company’s competitor later found that the malware had never been fully removed. Not a good situation, and grounds for a lawsuit.
In any case, there are many things you or your company can do to help reduce the likelihood of getting sued. Today we’ll focus on the human element:
- Be honest. Don’t simply tell your customer what they want to hear. Stick to the facts and don’t make things sound better or worse than they are.
- Define rules of engagement and stick to them. Some companies have sued security testers for brute-forcing passwords during a penetration test without first seeking permission. You might think that would be safe, but not necessarily! For anything debatable, always get approval from the customer in writing – an email at least.
- Choose your words carefully. Telling a customer their application is secure is different from telling them you didn’t find any high-risk vulnerabilities within the 40 hours you spent testing it. Be assertive, but make sure your statements are accurate. This is engineering, not creative writing: strive to write accurately and concisely. You’re not trying to give the customer a rough idea of what the problem is; you should be telling them exactly what the problem is and, to the best of your ability, how bad it is.
- Don’t make assumptions. Security vulnerabilities generally result from developers who made poor assumptions. Don’t make the same mistake. Every assumption you make is another error waiting to happen. If things can’t be verified and assumptions must be made, that’s fine, as long as you make these assumptions clear. Let the customer continue on where you left off; they will understand.
- Be careful giving remediation advice. Obviously Critical and High risk issues should be fixed, but what about Mediums and Lows? Don’t let your customer trick you into making that type of decision for them. Fixing or not fixing vulnerabilities is up to their CISO, CSO, CEO, security director, development manager, or whoever owns the application/system/data. Tell them how bad it is or how minor it is, but don’t actually make that decision for them.
- Be friendly and professional. Customers can be challenging, but it is important to stay positive. They’re not the enemy, even when they’re being unreasonable or even when they’re wrong. Do your best to stay on their good side so that if things go south, they will hopefully give you the benefit of the doubt and allow you to work things out peacefully.
- Engage the law, if necessary. This is rare, but occasionally you might run into some crazy stuff that is simply illegal. Who do you notify? The customer POC? The CEO? The police? That’s not always an easy question, especially when you have no idea who’s at fault. If you tell the company, it’s possible they might just cover it up and not notify the million customers whose records were exposed (there are regulations requiring that customers be notified). You don’t want to be stuck in the middle of a cover-up or illegal activities and end up sharing the blame. Consult with your team before notifying anyone else and collect as much evidence as possible to back up your claims.
- Don’t draw conclusions without evidence. Even if you think you know how a security risk assessment will end, you still need to do the assessment, collect evidence, and go through all the usual steps. Try not to be biased. Just because you think you’ve seen this a hundred times before doesn’t mean you should go in with only the barest amount of information.
One of the easiest ways to make sure you’ve covered your legal bases is making sure you and your client are on the same page. If something goes wrong, your ability to keep them up to date may at least save you from being sued. Next time, we’ll talk about what you need to do in your business to avoid being sued.
By Paul Mendelson