The Center for Internet Security (CIS) has published its view on what "Reasonable Security" means, following a number of high-profile breaches in the US, but what exactly is reasonable cybersecurity?
There is no one-size-fits-all answer, as the specific steps a business needs to take will vary depending on its size, industry, and risk profile. However, there are some general principles that all businesses should follow.
What is "Reasonable Security"?
Whether you are considering "Reasonable Security" as referred to in various statutes or regulations, or considering security proportional to the commitments you have made to your own stakeholders, a clear definition of what these terms mean is useful.
The CIS has released its definition of "Reasonable Security". The definition is useful not only to organisations within the US, but to organisations globally, as a way of expressing their approach to proportional security.
Fundamentally, when considering how best to address cyber security, organisations need to consider their context:
Size and scale of the organisation
Number of employees (IT and non-IT Users)
Geographical locations
Supply Chain
Nature and scope of the activities of the organisation
What services are provided, and to whom
What type of information is created, collected, processed or transferred
Sensitivity of that information
Resources available to the organisation
Skilled resources in terms of cyber/IT Security, Data Protection, Resilience
Availability of tools to improve information security and reduce vulnerabilities
Budgets to acquire new tools, services or staff
Alignment to Security Frameworks
The CIS definition, whilst aligned to their own CIS Critical Security Controls, does stipulate that "Reasonable Security" can be achieved through alignment to many of the security frameworks available. Whilst these frameworks can be quite complex and detailed, they can all be broken down into the following common-sense components:
Know your environment
What assets (Hardware/Software) does your organisation manage or rely upon?
What data is created, collected, stored, processed, transferred?
Where are your high-value assets?
Account and configuration management
What access is required to those assets and data?
How is this access provisioned, managed and revoked?
How are privileged accounts protected?
Are all accounts protected through Multi-Factor Authentication?
Would you know if an account has been compromised and misused?
Security tools
What preventative tools have been implemented (endpoint anti-virus, email filtering, web browsing controls)?
What monitoring is in place?
How are teams alerted to suspected security violations?
How do you validate your security tools and configurations are effective?
Data recovery
How is data backed up?
Is it separated from your environment, to protect it in case of a breach?
Have restoration activities been tested?
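The three data recovery questions above are only answered with confidence by actually running a restore and checking the result. The following is an added example, not part of the CIS definition or the original post, of a minimal backup-and-verified-restore drill: it takes a backup together with a SHA-256 manifest of the live files, restores into a fresh directory, and checks every restored file against the manifest. The sample data, the /tmp working directory and the function names are constructed for this illustration; a real drill would target the production data set and a backup copy held off-environment (offline or immutable).

```shell
#!/bin/sh
# Added example of a backup-and-verified-restore drill. All paths, file names
# and sample contents are constructed for the demo (assumption: GNU coreutils
# and tar are available, as on a typical Linux host).
set -eu

# Create a small constructed data set that stands in for production data.
make_sample_data() {
    dir="$1"
    mkdir -p "$dir/records"
    printf 'customer,balance\nacme,100\n' > "$dir/records/ledger.csv"
    printf 'site config v1\n' > "$dir/app.conf"
}

# Take a backup: a tarball plus a manifest of SHA-256 sums computed from the
# live data, so a restore can later be checked against what was backed up.
# -print0 / -z / -0 keep file names with spaces or newlines intact.
take_backup() {
    src="$1"; dest="$2"
    mkdir -p "$dest"
    ( cd "$src" && find . -type f -print0 | sort -z | xargs -0 sha256sum ) \
        > "$dest/manifest.sha256"
    tar -C "$src" -cf "$dest/backup.tar" .
}

# Restore the tarball into a fresh, empty directory (never over live data).
restore_backup() {
    backup="$1"; restore_dir="$2"
    rm -rf "$restore_dir"; mkdir -p "$restore_dir"
    tar -C "$restore_dir" -xf "$backup/backup.tar"
}

# Verify every file in the manifest exists in the restored tree with the
# expected hash. Returns 0 on success, 1 if any file is missing or altered.
# Note: extra files in the restored tree are not detected by this check.
check_manifest() {
    backup="$1"; restore_dir="$2"
    if ( cd "$restore_dir" && sha256sum -c --quiet "$backup/manifest.sha256" ); then
        echo "RESTORE OK: $restore_dir matches $backup/manifest.sha256"
        return 0
    fi
    echo "RESTORE FAILED: $restore_dir differs from $backup/manifest.sha256" >&2
    return 1
}

# Run the whole drill in a scratch directory. Prints the outcome and returns
# the result of the manifest check so it can be used from a scheduler or CI job.
run_drill() {
    work=$(mktemp -d)
    make_sample_data "$work/live"
    take_backup "$work/live" "$work/backup"
    restore_backup "$work/backup" "$work/restore"
    rc=0
    check_manifest "$work/backup" "$work/restore" || rc=1
    rm -rf "$work"
    return $rc
}

run_drill
```

Schedule `run_drill` (or its equivalent against real backups) to run regularly, and treat a failed check as an incident in its own right: a backup that cannot be restored and verified is not a backup.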
Security awareness
How do you train your staff in understanding the threats they face day-to-day and within the organisation?
How do you validate that understanding, such as through phishing simulations?
How do you influence their security behaviours, on top of training and simulations?
Business processes and outsourcing
Do you perform due diligence on suppliers to ensure they maintain security best practices for the services they provide to you?
How do you validate the effectiveness of providers you outsource business processes to?
Do you include those suppliers in your incident response and business continuity plans?
Conclusion
The industry has long spoken of security hygiene, best practice and reasonable security.
The importance of implementing these cyber security fundamentals is backed up through studies such as the Verizon Data Breach Investigations Report and the Institute for Security and Technology’s Blueprint for Ransomware Defense: An Action Plan for Ransomware Mitigation, Response, and Recovery.
The key benefit, for those bound by the term "Reasonable Security", is having a definition against which they can evaluate their own posture, identify areas for improvement and, ultimately, mount a defence should they suffer a successful cyber attack.
Get in touch today if you wish to discuss how to assess your security posture and identify areas for improvement, whether to meet the definition of "Reasonable Security" or to achieve security proportional to your business context.