Defining Reasonable Cybersecurity

How to define Reasonable Cybersecurity for your organization

If your organization is hacked, have you considered the legal ramifications of a potential cybersecurity data breach? Let’s look at the Equifax breach. The most recent headline was about the insider-trading charges that were brought against a former employee. He sold stock and options after learning of the massive data breach at the credit reporting agency. What’s next for Equifax?

The problem with the Equifax breach is that the hackers found their way in through a known vulnerability. The entire episode could have been avoided with a simple patch policy. (Have you heard about PREtect?)

According to the National Law Review, Equifax is potentially in violation of the Fair Credit Reporting Act: as a “consumer reporting agency” under the Act, Equifax was required to “maintain reasonable procedures designed to … limit the furnishing of consumer reports to the purposes listed” in the Act. See 15 U.S.C. § 1681e(a). Consumer plaintiffs are alleging that a failure to fulfill this duty under the Act allowed the data breach to occur. Proving that claim will likely require experts in the credit reporting industry who are knowledgeable about the standards of information management and the measures other credit reporting agencies take to maintain data security.

Consider Reasonable Cybersecurity

Shawn Tuma is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas. Because he works in cyber law on a day-to-day basis, his advice is worth a close look; see below. (Check out his videos here.)

Based on his short but informative SecureWorld interview, Mr. Tuma says that Reasonable Cybersecurity should be defined by each organization. What is reasonable for one company may not be reasonable for another.

Along with Mr. Tuma, we recommend that the journey to define Reasonable Cybersecurity for your organization should begin with a risk assessment. This assessment will help you determine any potential risks that your company may face.

Once your risk assessment is complete, the next step is to create a plan and prioritize putting those policies, procedures, and tools in place.

To show that your organization has achieved reasonable cybersecurity, you have to take legitimate steps to combat the risks that your company faces. If a breach happens, you will be able to show that you have done what you could to prevent cyber incidents.

Are you checking the boxes?

Many times, we have seen organizations that are looking to purchase a tool or run a quarterly scan or assessment just to check the compliance box. There’s much more to creating an environment of reasonable cybersecurity than having the tools in place. Mr. Tuma recommends starting with these fundamentals of cyber hygiene:

  • Create cybersecurity policies and procedures
  • Train your workforce on those policies
  • Create and enforce password policies
  • Utilize multi-factor authentication
  • Back up your data


Cybersecurity Emerging Trends: Law Firms Targeted

Law firms, and the sensitive client information they hold, are a treasure trove for hackers. Not only do firms hold valuable client information, they also regularly e-mail attachments to clients, which offers a possible route into client systems.

Law firms are seen as high-value targets for the rapidly growing use of ransomware and extortion schemes because they have historically weak defenses and are seen as able to pay large sums.

Here are some recent high-profile cyberattacks in the legal industry:

  • DLA Piper ransomware attack
  • Panama Papers
  • Cravath and Weil Gotshal

According to BitSight’s Fourth Annual Industry Index Report, legal service providers are arguably one of the most widely used third parties across the world, supporting some of the world’s largest banks and other well-known organizations. To steal intellectual property, trade secrets, and other sensitive information from companies with strong security measures, cyber criminals may target the company’s outside counsel rather than the company itself.

The usual assumption is that hackers attack legal providers because those providers have weaker security measures in place. Yet compared to the other industries examined, BitSight finds that companies in the Legal sector actually have high security ratings and low rates of the vulnerabilities that could lead to man-in-the-middle attacks. Despite these findings, the industry remains a key target for cyber criminals.

The Legal sector had the second highest percentage of companies with a security rating of 700 or higher, trailing only Finance and in line with Retail. (BitSight Security Ratings measure the security performance of organizations. These ratings range from 250 to 900, with a higher rating indicating better security performance.)

More than 60% of the organizations examined from the Legal sector are exposed to DROWN, a major SSL/TLS vulnerability. (DROWN is a vulnerability, discovered earlier this year, that could allow a criminal to decrypt secure communications and potentially expose information sent over HTTPS, such as passwords, usernames, and credit card details.)



Update web server configurations
IT security teams should update their security protocols and ensure that the most recent patches have been implemented across the network.
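DROWN works by abusing servers that still accept the obsolete SSLv2 protocol, so the configuration change that closes it is to stop offering SSLv2 (and the other legacy protocols) on every TLS listener. The nginx fragments below are an added example, not part of the BitSight report or this post; the host name and certificate paths are placeholders.

```nginx
# Legacy listener as it might still appear on an old deployment (constructed
# example, placeholder paths).  Offering SSLv2 is exactly what DROWN exploits;
# SSLv3 and TLSv1 are also obsolete and should not be offered.
server {
    listen 443 ssl;
    server_name www.example.com;                 # placeholder host
    ssl_certificate     /etc/ssl/example.crt;    # placeholder path
    ssl_certificate_key /etc/ssl/example.key;    # placeholder path

    ssl_protocols SSLv2 SSLv3 TLSv1;             # weak: SSLv2 still accepted
}

# Hardened listener: only TLS 1.2 and TLS 1.3 are negotiated, so an SSLv2
# handshake against this port is refused outright.
server {
    listen 443 ssl;
    server_name www.example.com;                 # placeholder host
    ssl_certificate     /etc/ssl/example.crt;    # placeholder path
    ssl_certificate_key /etc/ssl/example.key;    # placeholder path

    ssl_protocols TLSv1.2 TLSv1.3;               # legacy protocols removed
    ssl_prefer_server_ciphers on;
}
```

One caveat for the audit: DROWN is a cross-protocol attack, so an HTTPS listener is still exposed if any other service (an SMTP or IMAP server, for instance) uses the same RSA key or certificate and continues to accept SSLv2. The check therefore has to cover every host where that key is deployed, not just the web server.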

Invest in training for employees
Employees should be aware of the cyber risks they encounter when surfing the web. Clicking on suspicious online ads, for example, can introduce vulnerabilities into the network.

Continuous security monitoring
Teams should strive to continuously monitor the cybersecurity posture of their law firms and other legal service providers (alongside other critical vendors) to ensure that no new threats emerge through these third parties.

Establish cybersecurity benchmarks
Organizations should establish security benchmarks to help them take appropriate action depending on changes in the security posture of their own organization or their critical third parties.

Discuss cybersecurity with the Board of Directors
Successfully protecting an organization from cyber attacks requires a team. Organizations should add cybersecurity to Board-level discussions.

