Reasonable Risk - What is it?


A cyber-attack happens every 39 seconds (Vuleta, 2022). Given that frequency, businesses have a legal obligation to implement a “reasonable security posture” (Alliant Cyber Security, 2019): they must provide adequate security to keep private and sensitive data safe. Because the landscape of cyber-security threats changes so quickly, it is difficult to state precisely which measures count as “reasonable security,” so definitions of the term are kept very high level and vague. Legal action can be, and has been, taken against companies that became victims of cyber-attacks.

In 2017, shareholders filed a derivative lawsuit against the credit reporting agency Equifax (Alliant Cyber Security, 2019). The shareholders won the suit after proving that Equifax had:

1. Failed to implement an adequate patching process
2. Failed to use adequate encryption levels
3. Failed to implement an adequate authentication process
4. Failed to adequately monitor their network for security breaches
5. Stored sensitive data in easily accessible public channels
6. Relied on obsolete, outdated software
7. Failed to archive obsolete data

There are many standards that can be used to help determine and implement an adequate level of computer system security. The Center for Internet Security Critical Security Controls (CIS CSC) describe a reasonable security posture on which secure environments can be built (Alliant Cyber Security, 2019). In 2016, then California Attorney General (now Vice President) Kamala Harris released the California Data Breach Report 2012-2015, which stated, among other things, that the 20 controls in the CIS CSC define a minimum and adequate level of information security. California set a precedent by requiring proof that a company's security baseline is adequate to protect its customers; hopefully other states will follow its example.

There needs to be a balance between security and the ability to perform work. A few years ago, our company hired an external security consultant to come in and make our network as secure as possible. One consultant came in; we were told to give him access to everything, and he spent about 3 weeks in our lab. We had very little insight into what he was doing. At the end of the 3 weeks, he briefed management and left. We were told our network was now super secure and we should continue to support the environment. As soon as we logged in, we quickly noticed there was very little on the network that was actually still functioning. The network was so secure, nothing was working. For starters, none of our security applications worked, such as antivirus, Windows patching, Tripwire, and LogRhythm. Some of the very software that was needed to help protect our network was no longer functioning. Email and print services didn’t work, among other things needed for users to perform their basic daily duties. We spent the next few months peeling back the layers of security he had applied to the network, just to make the basic services function again so the users could work. This is one example of what happens when reasonable risk is not defined and accepted by the company, and security is defined solely by a security consultant.


References

Cybersecurity risk: What does a "reasonable" posture entail? Alliant Cybersecurity. (2019, October 18). Retrieved March 16, 2022, from https://www.alliantcybersecurity.com/cybersecurity-risk-what-does-a-reasonable-posture-entail-and-who-says-so/

Vuleta, B. (2022, January 17). 55+ scary but useful cybersecurity statistics in 2022. Find Best Law Jobs in the US in 2022. Retrieved March 16, 2022, from https://legaljobs.io/blog/cybersecurity-statistics/
