What You Need to Know About “Reasonable Cybersecurity”
I was privileged to lead Hitachi Systems Security’s webinar titled “The Developing World of Cyber Litigation and Compliance” (you can find the recording here).
The Key Takeaways Our Audience Highlighted:
- The threat of litigation and of increased compliance obligations for organizations that retain their customers' PII (Personally Identifiable Information) has never been greater and will undoubtedly intensify.
- The law requires organizations to have "reasonable" cybersecurity defenses.
- Reasonableness depends on several factors, including the sensitivity of the data, the quantity of information the organization holds, the potential harm to consumers if that data is lost, and others.
- Compliance and reasonable cybersecurity often do not overlap; good compliance certainly does not guarantee good security.
- Reasonable cybersecurity is best assessed by people who are familiar with industry best practices and with current cybersecurity assessment tools and techniques.
Requirements for “Reasonable Cybersecurity”
The main point to remember when assessing the reasonableness of your cybersecurity measures is that you need accurate knowledge of your actual security posture. You need to map your assets, controls and obligations, and understand where the gaps or vulnerabilities may lie. This implies that technical testing must be conducted, such as:
- penetration testing (see Andrew's webinar "Learning How Hackers Hack"),
- vulnerability assessments,
- a risk assessment, in which you decide which risks you will address immediately and which can wait,
- cybersecurity posture assessments, to understand where you are and where you need to go in terms of security.
What matters is that you can explain which choices you made and why you made them.
In other words, you must be prepared to explain why your choices are reasonable in the context of your organization. Most importantly, you need to anticipate threats if your organization is to remain within the realm of reasonable cybersecurity.
Doing this internally requires a serious commitment, both financially and in staffing. At a minimum, organizations often outsource periodic technical testing; as they move along the continuum of implementing a "reasonable" cybersecurity program, they often find that the cost/benefit of focusing on their business and their strengths as an organization, and leaving cybersecurity to the experts, is overwhelmingly positive in the long run. This is especially true for small and mid-sized businesses, which are particularly vulnerable to data breach litigation and whose customers are likely to abandon them if any personal data is exposed in a breach.
Data Breach Litigation: Government vs. Private Corporations
Attendees also had interesting questions about litigation facts and trends. One of them was whether there are any differences between data breach litigation against government entities and litigation against private corporations. The question is relevant because, traditionally in Canada, a governmental entity that was the defendant was not liable in tort for the damage its employees or decisions caused to others, whether intentionally or by negligence. Today, all Canadian provinces and the federal government have corrected this anomaly by passing legislation that makes a public body liable in tort just as a natural person is.
Is the term ‘reasonable’ subject to change each time a new, more advanced attack occurs?
The short answer to this is ‘yes’.
For instance, the definition of what constitutes a 'good' password has evolved with the threat. There was a time when merely having a password, even if it was the name of your pet, was considered reasonable. Today, diligent users rely on software to generate long random passwords and keep them in a vault protected by a single strong master password. In cybersecurity, the notion of reasonableness evolves with knowledge of the threats. That is why it is always recommended to adopt industry best practices rather than aim merely for compliance, as there may be a gap between the two: practices evolve more rapidly than standards, which evolve more rapidly than legislation.
No Escape From the Storm
The bottom line is that organizations cannot avoid the responsibility, and consequently the coming storm of litigation and compliance, that goes along with collecting and retaining their customers' credit card numbers, social security numbers and other PII. To protect themselves, and their customers for that matter, organizations must establish a "reasonable" cybersecurity program or find themselves in court, or at the mercy of the various commissions tasked with monitoring compliance and penalizing companies that do not comply. The consensus among the experts, and what I hope was communicated in our presentation, is:
- Locate the sensitive data in your environment
- Perform assessments to identify vulnerabilities, including vulnerability assessments and penetration tests, and
- Emulate best-in-class cybersecurity procedures, whether you put them in place yourself or hire outside help so that you can focus on your business.
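As an added illustration of the first step above (locating sensitive data), here is a small Python scanner; it is not part of the original post or of any Hitachi Systems Security tool. It scans text for card-number-shaped digit runs and keeps only those that pass the Luhn checksum, so that order numbers and similar identifiers are not reported as cards, and it flags strings in the U.S. SSN format. The ticket lines it scans are constructed for the example, and the card number is the well-known 4111... test value.

```python
import re

# Constructed sample input: the kind of text found in a support-ticket export
# or a log file. All values are made up; the card number is a standard test
# value that passes the Luhn check, while the "reference number" on the next
# line is card-shaped but fails it.
SAMPLE_TEXT = """\
ticket 1042: customer asked to update card 4111 1111 1111 1111 exp 09/27
ticket 1043: reference number 1234-5678-9012-3456 is an order id, not a card
ticket 1044: SSN on file 123-45-6789, please redact before forwarding
ticket 1045: phone 555-0100, order 98765
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# AAA-GG-SSSS, excluding area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so findings can be logged safely."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pii(text: str):
    """Return (line_number, kind, masked_value) for each card or SSN found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            # The Luhn check is what separates real card numbers from
            # order ids and other long digit strings.
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append((lineno, "card", mask(digits)))
        for m in SSN_RE.finditer(line):
            findings.append((lineno, "ssn", "***-**-" + m.group()[-4:]))
    return findings


if __name__ == "__main__":
    for lineno, kind, value in find_pii(SAMPLE_TEXT):
        print(f"line {lineno}: {kind} {value}")
```

Run against the sample it reports the card on line 1 and the SSN on line 3, and stays silent on the Luhn-failing reference number and the phone number. In a real environment the same functions would be applied to file shares, database exports and log archives, with the masked findings feeding the asset inventory that a later risk assessment draws on.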
Access our webinar “The World of Cyber Litigation and Compliance” here: