Reasonable cybersecurity in 2019.
What does it look like at an organization like yours?
How are courts and legal fights defining reasonable cybersecurity right now?
"One of the things I’ve seen in my years of experience of walking companies through incidents," says SpencerFane Cyber Attorney Shawn Tuma, "is that you can really see a difference between those organizations that really care about security and those that are just going through the motions and checking off the boxes."
We did an extensive interview with Tuma after he spoke at a regional SecureWorld conference.
Defining reasonable cybersecurity in 2019
Watch the video or see excerpts from his interview (below) about reasonable cybersecurity.
[SecureWorld] How do you define reasonable cybersecurity right now?
[Shawn Tuma] None of us know how to define reasonable cybersecurity, but we know we need to have reasonable cybersecurity.
From a bigger picture, reasonableness is defined by your company itself. You have to start the process with a risk assessment; you have to look and see what the risk is that my company faces. You have to prioritize it, you have to develop a plan. Then you implement appropriate policies, procedures, tools, strategies.
[SecureWorld] Can you offer security leaders some specifics on things courts and legal counsel will look at following a cyber incident?
[Shawn Tuma] There are certain basic hygiene fundamentals that everyone should be doing at this point. Do you have cybersecurity-focused policies and procedures? Are you training your employees on those policies and procedures? Are you training your workforce on phishing, on social engineering, things of that nature?
Do you have things in place regarding password usage? Whether it’s the new NIST preference for longer passphrases, or the old standard of complicated passwords, are you doing something?
Do you have multi-factor authentication (MFA) in place for sensitive access? Are you backing up your data, do you have segmented backups?
[SecureWorld] What you're describing is a significant amount of work. What if you haven't tackled all of these things at this point?
[Shawn Tuma] Get started and prioritize them because no one can do them all at once – and nobody expects that.
But when you can show that you’ve done those things, and you can show you’ve made legitimate efforts to combat the risk that your company faces, then even when you do have an incident, it makes you look so much better in the eyes of the regulators, the judges, the attorneys.
[SecureWorld] We heard you say that demonstrating reasonable security is a little like math class. What did you mean by that?
[Shawn Tuma] When you can show that process, you really are showing your work like we learned back in grade school. And that's what is important to help avoid a lot of the liability type issues we’re seeing these days.
People are more sympathetic to those that have given their best, even if they come up short.
We'd like to thank Shawn Tuma for his help with SecureWorld's mission of connecting, informing, and developing leaders in cybersecurity.