Businesses today need to pay attention to cybersecurity. Public companies, at least, are required to have "reasonable" cybersecurity standards in place. The question is how to define what is reasonable.
Researchers Christos Makridis, Anne Boustead, and Scott Shackelford have a paper discussing this question on the Brookings website (https://www.brookings.edu/articles/navigating-the-cybersecurity-labyrinth-defining-reasonable-standards-for-businesses/). Spoiler alert - it's long.
Estimates of the costs of cyber attacks, both globally and on average, vary widely. Most studies are based either on surveys or on stock market returns, and both approaches are unreliable. Data breaches can have very different effects on an organization depending on the context, scale and media coverage of the breach.
Crafting a "reasonable" cybersecurity standard requires a balance between specificity and flexibility, and where that balance lies depends on interpretation and context. There are differences between critical and non-critical infrastructure, and between large organizations and SMEs.
Size matters, with smaller organizations less likely to have cyber insurance or a designated cybersecurity person/team. They are also less likely to invest in employee training and awareness.
While there is no "one size fits all" solution, the authors conclude SMEs need more support. As an example of best practices, they cite the Australian Cyber Security Centre's "Essential Eight" strategies:
- Application whitelisting - only allowing approved applications.
- Regular patching of applications.
- Disable untrusted macros.
- Disable unneeded features in applications.
- Restrict administrative privileges.
- Patch operating systems ASAP.
- Multi-factor authentication.
- Daily backups of important data.
With the Biden administration supporting imposing liability for security breaches, businesses are encouraged to be proactive in addressing cybersecurity. Educational initiatives aimed at SMEs are helpful, and tax credits and safe harbor laws can also help. Policy makers, cybersecurity professionals and business leaders all have a responsibility to make us safer online.