How Much Cybersecurity Does My Business Need?

Protecting sensitive data is an ongoing process for mid-size and small businesses

By Andrew Brandt | Reviewed by Canaan Suitt, J.D. | Last updated on August 22, 2023

Featuring practical insights from contributing attorney Shawn E. Tuma


Shawn Tuma, a data privacy and cybersecurity attorney at Spencer Fane in Plano, Texas, says it’s a constant battle with business owners to figure out just how many security measures they need.

“We get a litany of directives that say you must protect your data and operating systems, but we don’t always get clear guidance on exactly what that means,” he says. “So, clients struggle to figure out what is the appropriate amount of security for their company.”

Unfortunately, more than 80 percent of Tuma's work involves responding to data breaches and managing the aftermath of those incidents.

Though he'd like the mid-size companies he works with to be proactive rather than reactive, he recognizes that most assume a breach won't happen to them and that the odds are in their favor.

When a Cyber Attack Happens, What Next?

When a breach does happen and the crisis has been contained, there is a short window during which businesses are most receptive to taking proactive steps to keep it from happening again.

During that window, Tuma and his team encourage clients to enact a meaningful cybersecurity risk management program, broken down into phases.

Step 1: Risk Assessment

“The first phase is a risk assessment so that we have an understanding of what their unique risks are as a company,” he says. They work with the company, bringing in vendors as needed, to assess its cyber risks, scan the environment, and perform penetration testing.

Step 2: Strategic Planning

“Then we will move to a strategic planning phase, where we analyze the information from the assessment and prioritize the steps that need to be taken. Those are then broken up into phases for execution.”

Step 3: Implementation

Then they begin executing the plan by “implementing certain kinds of training, bringing in vendors to provide security services, technological solutions, and also bringing in cyber insurance, which is a must for any company.”


How Do You Put a Cyber Threat Management Program Into Effect?

To illustrate, Tuma gives an example using a retail company that sells gadgets. In the assessment phase, a cybersecurity company would test the network to find out how an attacker could get into the system.

“Would a hacker be able to get to their point of sale terminals and be able to steal credit card or payment data? Would they be able to steal your mailing list or rewards program information?”

The attorneys would then bring in a vendor to see:

  • Whether the business is retaining sufficient backups of its critical and sensitive data;
  • Whether it could recover its inventory records; and
  • Whether it could continue operations if its third-party vendors were disrupted.

During the execution phase, the company would implement the recommendations to correct any vulnerabilities that were found. Then, if the business doesn't already have it, the attorneys will make sure it is set up with appropriate cyber insurance coverage to absorb the costs of an incident that does occur.

How Do You Ensure Legal and Regulatory Compliance?

“In evaluating their legal and regulatory compliance, we would look at the jurisdictions they’re doing business in,” says Tuma. “If it’s all over the U.S., they’re now faced with complying with the privacy laws of all 50 states. So we need to know what kind of data they’re gathering and how it’s being stored and protected.”

If the company does business in California or handles the personal information of California residents, it will further need to be aware of, and potentially subject to, the California Consumer Privacy Act (CCPA).

How Do You Make Your Strategic Plan Attainable?

Tuma notes that some clients break their strategic plans into phases for execution, such as quarterly chunks, instead of one massive annual to-do list.

“You’re taking this elephant, and you’re eating it bite by bite—whatever is manageable for the company and whatever the requirements of their industry may be,” he says. “The key is: Once you get past that certain phase of implementing your most obvious steps, you need to reassess your risk.”

For example: “First quarter, we may want to do more thorough penetration testing, implement multi-factor authentication throughout the network, make sure all endpoint portable devices are encrypted, and train employees on email phishing attacks,” Tuma says.

“Then, the next quarter, we’ll do something more sophisticated. Maybe, in the third quarter, we work on developing an incident response plan and training and testing of that through tabletop exercises.”

When Should I Reach Out to a Lawyer?

The major point, for Tuma, is that businesses should be reaching out to an experienced attorney, preferably before a security breach, to figure out how much security they need and what kinds.

“The more we know and understand the business, their operations, their risk tolerances, the better we’re able to help advise them and guide them through the process,” he says.

“That’s the message I keep trying to get out to everybody: Reasonable cybersecurity is not a definition; it’s a process of assessing your risk continuously and implementing appropriate safeguards to mitigate that risk. This is not an easy checklist game—it’s an ongoing process of execution, and then reassessing and prioritizing and execution.”

To begin your search for an experienced attorney, see Super Lawyers’ directory of technology transaction and data privacy lawyers. To learn more about this area of law, read our overview of technology transactions and related content on data privacy, cybersecurity, and ransomware attacks.
