Security consultant Halock addresses the issue of how to achieve reasonable cyber security in this age of increased risk. The post is at https://www.halock.com/achieving-reasonable-security-in-the-age-or-risk.
The digital world is inherently risky. Every email attachment and every network connection carries the potential for a cyber attack. Since 2020 the challenges have increased: IT innovations have outpaced security, and remote work brings weaker security and more distraction. Ransomware statistics are sometimes contradictory, but attacks and payments rose by well over 100% in 2020. While there were fewer data breaches, more records were compromised.
Industries and governments have cybersecurity compliance standards. However, compliance is no guarantee against a breach. Approximately one in 3,000 emails carrying malware will get through.
There is a shortage of cybersecurity professionals - 3.5 million vacancies as of this year. According to MIT, fewer than one in four applicants is qualified. The problem is getting worse.
Faced with these problems, 38% of cybersecurity workers report burnout - up 12% from 2020 - and 59% don't believe their organizations are doing enough to help. At the top, the average Chief Information Security Officer stays in the position only two to four years. 88% of CISOs report at least moderate stress, and 48% say their mental health suffers.
To meet these threats, companies have a duty of "reasonable security". The Sedona Conference defines this as safeguards that do not pose a higher risk to the organization than the lack of them poses to others. Measured against legal standards, an organization is negligent if the burden of its safeguards is lower than the net harm a cybersecurity incident would cause to victims. States have also defined "reasonable" security in their laws, so organizations must get legal advice to be sure they comply. Protections should be appropriate to the data at risk.
The Duty of Care Risk Analysis (DoCRA) Standard addresses these legal issues with three principles:
- Organizations use controls to keep risk reasonable and appropriate.
- Balance security, compliance and responsibility, considering all interested parties.
- Determine the proper balance between safeguards and the risk of harm.
To apply these principles, companies must do a risk assessment that includes:
- Inventory of company assets.
- Outline how those assets are managed.
- Identify key risk indicators.
- Assess impact of known vulnerabilities and potential threats.
- Determine likelihood of an event.
- Calculate risk severity and prioritize a course of action.
- Compile findings and recommendations for management approval.
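As an added illustration of the last three steps (impact, likelihood, severity and prioritization) combined with the burden-versus-harm test from the Sedona definition above, the following Python is example code written for this summary; it is not HALOCK's or DoCRA's own method. The 1-to-5 scales, the likelihood-times-impact scoring, the severity thresholds, the burden scale and the sample register entries are all assumptions chosen for illustration.

```python
"""Toy risk-register scoring and reasonableness check (added example; all scales are assumptions)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int   # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int       # assumed scale: 1 (negligible) .. 5 (severe), harm to the org and to others
    safeguard: str    # the control under consideration
    burden: int       # assumed scale: 1 .. 25, cost/disruption of the safeguard, comparable to the score


def risk_score(likelihood: int, impact: int) -> int:
    """Severity as likelihood x impact (1..25). Rejects values outside the assumed scale."""
    for value in (likelihood, impact):
        if not 1 <= value <= 5:
            raise ValueError("likelihood and impact must be on the 1..5 scale")
    return likelihood * impact


def severity_band(score: int) -> str:
    """Map a 1..25 score to a band; thresholds are an assumption for this example."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def safeguard_is_reasonable(burden: int, score: int) -> bool:
    """Sedona-style test: a safeguard is reasonable when the burden it places on the
    organization does not exceed the risk its absence leaves on others."""
    return burden <= score


def assess(register):
    """Score every register entry, test each safeguard, and return findings sorted by
    descending risk so the highest-severity items are reviewed first."""
    findings = []
    for risk in register:
        score = risk_score(risk.likelihood, risk.impact)
        reasonable = safeguard_is_reasonable(risk.burden, score)
        findings.append({
            "asset": risk.asset,
            "threat": risk.threat,
            "score": score,
            "severity": severity_band(score),
            "safeguard": risk.safeguard,
            "reasonable": reasonable,
            # A disproportionate safeguard is flagged rather than silently dropped.
            "recommendation": "implement" if reasonable else "seek a lighter safeguard or accept",
        })
    findings.sort(key=lambda f: (-f["score"], f["asset"]))
    return findings


# Constructed sample register (not real data).
REGISTER = [
    Risk("customer database", "ransomware delivered by phishing attachment", 4, 5,
         "offline backups plus attachment sandboxing", 6),
    Risk("remote-worker laptops", "lost or stolen unencrypted device", 3, 4,
         "full-disk encryption", 3),
    Risk("public marketing site", "web defacement", 2, 2,
         "24x7 WAF monitored by a dedicated analyst", 9),
    Risk("email gateway", "malware attachment passes filtering", 5, 3,
         "attachment detonation sandbox", 10),
]


if __name__ == "__main__":
    for finding in assess(REGISTER):
        print(f"{finding['score']:>2} {finding['severity']:<6} {finding['asset']:<24} "
              f"{finding['safeguard']} -> {finding['recommendation']}")
```

The third entry shows the test working in the organization's favour: a low-likelihood, low-impact defacement does not justify a safeguard whose burden (9) exceeds the risk it removes (4), so the tool recommends a lighter control rather than the expensive one. Real assessments replace the assumed scales with the ones the organization's legal and risk advisers agree on.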