Reasonable Cybersecurity Measures

There are two facts about cybersecurity that are undeniable:

1.) No business entity is immune to cybersecurity risks.
2.) There is no singular, “one-size-fits-all” answer to mitigating cybersecurity risks.

With that in mind, what should we be doing to ensure we have done what is necessary to protect our organizations’ data from malicious actors?  The law would say we must do what is reasonable.  I’m no attorney and am not offering a legal opinion here, but I am offering that there are many ways to answer the question, and the total cybersecurity effort is significant, regardless of the organization’s size.

In the law, negligence uses the “reasonable person” standard as the standard of care that a reasonably prudent person would observe under a given set of circumstances. An individual who subscribes to such standards can avoid liability for negligence.  With respect to cybersecurity, there is yet no singular definition of reasonable cybersecurity measures. State and Federal governments have weighed in.  For instance, recently (February 2016) the California Department of Justice set forth its definition as “security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure”.  Other government entities have set forth “reasonable cybersecurity” definitions included in legislation like Health Insurance Portability and Accountability Act (HIPAA) and Gramm Leach Bliley, as has industry standards such as PCI DSS (Payment Card Industry Digital Security Standard), among others.  The U.S. Commerce Department’s National Institute of Standards and Technology (NIST) has issued a Framework for Improving Critical Infrastructure Cybersecurity that is useful to any organization seeking cybersecurity guidance.  The Center for Internet Security (CIS) has issued guidance for effective cyber defense.  The list goes on…

All that said, the critical components to a reasonable cybersecurity posture and the measures to mitigate risks are common across the many regulations and security frameworks.  We attempt to outline those components here and suggest each business entity assess internally, or via external expert, review their own measures to determine if their cybersecurity controls are ‘reasonable’:

1.) Establishment, communication, acceptance and deployment of information security policies that define the measures the organization will take to protect data.

  • This includes developing a security incident response plan to address identified breaches, contain the breach, eliminate the root cause, recover lost data, and communicate to affected parties in compliance with federal, state, and local regulations.
  • Setting force in policy the requirement for complex, long passwords at every layer of the infrastructure and in applications – the longer the better.
  • It is critical that the information security policies are followed – having policies in name only provides no assurance, and worse increases liability after the fact if knowingly ignoring sound policy.

2.) Regularly, if not continually, assessing information risk in the environment with any current hardware, devices, and software in use or any proposed additions, modifications, or introduction of new technology into the environment, then taking measures to mitigate the cybersecurity risks identified.

3.) Providing regular information security training to all users of the organization’s information technology – it has been proven time and time again that people are the biggest security risk!  Train well, train often, to create an information security-minded culture.

4.) Documenting the technology environment including all hardware and physical devices that can store the organization’s data and the software and applications in use or allowed by the users of the organization’s data.

  • Ensuring that the above hardware, devices, and software are current with respect to security patches. This can be an arduous task, but a necessity in any environment.
  • Deploying and keeping current antivirus and anti-malware protection at all layers of the environment.
  • Utilizing web filtering tools to limit internet access to business-relevant content.
  • Encrypting data at rest and in transit wherever possible.
  • Performing regular backups – as often as the organization is capable – to ensure restoration of data to a point prior to a breach, say, a ransomware infection, that allows business to continue while the breach is investigated and limits data loss to the amount of time from backup to infection.

5.) Administer user access to systems and data through a defined process that is based on the Principle of Least Privilege and restricting administrator/super-user privileges to the bare minimum few users with absolute need.

  • Require multiple managers’ approval to create new user accounts.
  • Execute the timely de-provisioning of access for terminated or departed users.
  • If practical and economical, deploy multi-factor authentication.

6.) Limit access points to your data: use secure wireless networking, close or restrict access to ports, and require VPN’s or other secure remote access tools, for example.

7.) Implement a defense-in-depth strategy (protecting a computer network with a series of defensive mechanisms such that if one fails another will identify and stop the attack).  For example, deploying a properly configured firewall to protect the perimeter of your network by managing incoming and outgoing traffic is essential practice, but the network should also have an intrusion detection system (IDS) to provide another layer of perimeter security.

8.) Monitor network activity and identify unusual behavior for investigation (large amounts of data exiting through an obscure port, for example), then executing on the defined security incident response process if a breach has occurred.

9.) Apply common sense – obtain expert input into the cybersecurity defenses where the knowledge or skills do not exist in the organization.

As we said before, this is no small task just to be ‘reasonable’ with cybersecurity measures, but there are many resources (NIST, PCI, COBIT, ISO, CIS) and consultants that provide guidance.  It takes attention, planning, diligence, and determination to ensure your cybersecurity measures are reasonable. Finally, since the legal definition varies, seek counsel from your attorney to ensure you have taken the necessary actions in your cybersecurity program.

Resources:
NIST Cybersecurity Framework: http://www.nist.gov/itl/csd/launch-cybersecurity-framework-021214.cfm
PCI DSS: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf
CIS Critical Controls: https://www.cisecurity.org/critical-controls.cfm
Control Objectives for Information and Related Technologies (COBIT): https://cobitonline.isaca.org/
California DOJ Breach Report: https://oag.ca.gov/breachreport2016