Triggered by prevalent data breaches and a surge in state data privacy legislation, public dialogue now includes mentions of reasonableness alongside cybersecurity. However, there isn’t a universally accepted definition of what constitutes reasonable cybersecurity.
Curtis Dukes
Executive Vice President and General Manager, Security Best Practices, Center for Internet Security
In its simplest form, reasonable cybersecurity refers to a level of security measures that are adequate and appropriate to protect data from potential risks and vulnerabilities. Think of it as an effective lock on your house door that keeps you safe from burglars.
Here’s where it gets complicated: The term “reasonable” is subjective — there’s no one-size-fits-all solution or standard template to define what constitutes reasonableness due to different types of data, varied regulatory requirements, and unique organizational needs. Many factors influence what reasonable cybersecurity looks like for each company, including the type and amount of personal data an organization holds, the nature of its operations, its size and available resources, levels of risk exposure, and even industry practices.
Achieving reasonable cybersecurity isn’t straightforward, either. It’s not always about employing expensive high-tech solutions. It can be as simple as keeping your computer systems updated with the latest patches or using multi-factor authentication. The idea is to implement effective measures, commensurate with potential risk levels, based on available resources.
Reasonableness does not require perfection
It’s also important to understand that no system can be completely immune to cyber threats; new vulnerabilities surface every day. Reasonable cybersecurity measures aim to reduce vulnerabilities by maintaining robust safety practices.
Legal considerations also underpin the concept of reasonableness in cybersecurity. Many jurisdictions mandate “reasonable” precautions against foreseeable threats, and failure to meet these requirements may result in legal liability following a data breach. By adhering to reasonable measures, organizations can meet their regulatory obligations and avoid heavy penalties, damage to brand reputation, and significant financial losses.
Reasonableness can be tailored to organizational needs
The foundation of reasonable cybersecurity lies in identifying potential risks and applying appropriate mitigation strategies. Specificity must guide this process; organizations should tailor solutions based on their unique needs and vulnerabilities rather than implementing generic security protocols.
Conducting a thorough risk assessment is one practice integral to achieving reasonable cybersecurity. Organizations must regularly evaluate their existing security measures for potential weaknesses or areas of improvement, like a regular health checkup for their systems’ security. The process starts with identifying all forms of data the organization holds and carefully assessing their value. For example, information like personal customer records or business financials should, without a doubt, be considered valuable assets.
The next step involves assessing potential threats and vulnerabilities that could compromise this data’s security. Armed with this knowledge, organizations can then implement appropriate measures to mitigate these identified risks.
It’s worth noting that achieving reasonable security is a continuous journey and not a one-time task. Threats evolve at a fast pace, and so must our defensive measures. Training your workforce about safe online behavior is also crucial. Many cyber breaches originate from unsuspecting employees who become victims of sophisticated social engineering attacks.
Lastly, it’s equally pivotal to have an effective incident response plan in place as part of adopting reasonable security practices. This includes having procedures to detect possible breaches promptly, assess the impact, contain the problem, recover from it, and learn from the experience to avoid similar occurrences in the future.
Just as we wouldn’t neglect basic personal safety measures like locking our doors at night or wearing seat belts while driving, we cannot afford to disregard “reasonable cybersecurity” despite its current ambiguity. It is indeed our best line of defense against changing cyber threats.