How Much Cybersecurity Does My Business Need?
Protecting sensitive data is an ongoing process for mid-size and small businesses
on October 31, 2019
Updated on August 11, 2022
Shawn Tuma, a data privacy and cybersecurity attorney at Spencer Fane in Plano, Texas, says it’s a constant battle with business owners to figure out just how many security measures they need.
“We get a litany of directives that say you must protect your data and networks, but we don’t always get clear guidance on exactly what that means,” he says. “So, clients struggle to figure out what is the appropriate amount of security for their company.”
Unfortunately, more than 80 percent of Tuma’s work involves responding to data breaches and then managing the response to those incidents. Though he’d like the mid-size companies he works with to be proactive rather than reactive, he recognizes that most assume a breach won’t happen to them, that the odds are in their favor.
When a breach does happen and after the crisis has been contained and the situation is under control, there is a short window during which businesses are most receptive to taking proactive steps to help keep it from happening again. During it, Tuma and his team encourage clients to enact a meaningful cybersecurity risk management program, which is broken down into phases. “The first phase is a risk assessment, so that we have an understanding of what their unique risks are as a company,” he says. They work with the company to assess cyber threat risks—including bringing in their vendors—and perform scanning of the environment and penetration testing.
“Then we will move to a strategic planning phase, where we analyze the information from the assessment and prioritize the steps that need to be taken. Those are then broken up into phases for execution.” Then they begin executing the plan by “implementing certain kinds of training, bringing in vendors to provide security services, technological solutions, and also bringing in cyber insurance, which is a must for any company.”
To illustrate, Tuma gives an example using a retail company that sells gadgets. In the assessment phase, a cybersecurity company would test the network, figuring out how attackers could get into the system. “Would they get to their point of sale terminals and be able to steal credit card or payment data? Would they be able to steal your mailing list or rewards program information?” Tuma asks.
The attorneys would then bring in a vendor to see, for example, whether the business is retaining sufficient backups of its sensitive information, whether it can recover inventory, and whether it could continue operations if its third-party vendors were disrupted. During the execution phase, the company would implement the recommendations to correct any deficiencies (vulnerabilities) that are found. Then, if the business doesn’t already have it, the attorneys will make sure it is set up with the appropriate cyber insurance coverage to protect it financially against cybersecurity incidents.
“In evaluating their legal and regulatory compliance, we would look at the jurisdictions they’re doing business in,” says Tuma. “If it’s all over the U.S., they’re now faced with complying with the privacy laws of all 50 states. So we need to know what kind of data they’re gathering, and how it’s being stored and protected.” If the company is operating in or doing business with California, they will further need to be aware of—and potentially compliant with—the new California Consumer Privacy Act.
Tuma notes that some clients break up the strategic plans into phases for execution, such as quarterly chunks, instead of one annual massive to-do list. “You’re taking this elephant and you’re eating it bite by bite—whatever is manageable for the company, and whatever the requirements of their industry may be,” he says. “The key is: Once you get past that certain phase of implementing your most obvious steps, you need to reassess your risk.”
For example: “First quarter we may want to do more thorough penetration testing, implement multi-factor authentication throughout the network, make sure all portable devices are encrypted, and implement email phishing training for the workforce,” Tuma says. “Then the next quarter we’ll do something more sophisticated. Maybe, in the third quarter, we work on developing an incident response plan and training and testing of that through tabletop exercises.”
The major point, for Tuma, is that businesses should be reaching out to an experienced attorney—preferably before a data breach—in order to figure out just how much and what kinds of cybersecurity strategies they need. “The more we know and understand the business, their operations, their risk tolerances, the better we’re able to help advise them and guide them through the process,” he says. “That’s the message I keep trying to get out to everybody: Reasonable cybersecurity is not a definition, it’s a process of assessing your risk continuously and implementing appropriate safeguards to mitigate that risk. This is not an easy checklist game—it’s an ongoing process of execution, and then reassessing and prioritizing and execution.”