Information security ignorance is not a defense


Despite increasing awareness about the importance of information security, underscored by the fear of ransomware attacks, I continue to find that most of the small and medium business (SMB) world is unprepared for an attack. It may be a bit unfair to single them out, since so many enterprises have similar issues, but the SMB folks are subject to increasing attacks for which they are not ready.

I guess it is basic human nature not to be worried about something when you have never experienced it firsthand. Compounding this, most SMBs feel like they can fly below the radar of the regulators, who are usually focused on larger, more visible targets.

There is an increasing threat to businesses of all size, however -- angry customers. This should not be a surprise to anyone. After all, businesses often hold key information belonging to customers, and provide services critical to them. If information is stolen, or services interrupted, a business will have a customer that is at least angry, and quite possibly litigious.

Whether the angry customer just finds a new provider, or sues, the business loses. So rapid is the growth in litigation that, according to Lawyer's Weekly, cybersecurity is slated to become a standalone practice area for attorneys.

It does not take much of a security lapse to generate an angry customer. A recent case in point for me involved an old friend, for whose business I had done some free work.

I knew there had been a security compromise when I got an email invitation from him, inviting me to share a Dropbox folder. I spotted the message immediately as a phishing attack, but before I could let him know, his office called, needing guidance, because someone had obtained my friend's gmail password and was using it to send phishing messages. I helped him to regain control of his email, and to take other appropriate precautions, including adding two-factor authentication, and changing the password on any system where it matched his gmail account.

This week, the office called again, reporting that they had received an identical phishing message from one of their customers, and they were afraid they had somehow been responsible for the customer's compromise. After some quick research, I confirmed their suspicion. To sign up for the "shared Dropbox folder," the recipient was required to supply their email credentials, which were then used to send even more phishing messages.

Even an incident as simple as this example can cause a loss of customer confidence. If the customer's loss of intellectual property, operating revenue and prestige is significant enough, the matter can easily end up in court.

Government entities, regulators, and the courts are increasingly applying the "reasonableness" test to determine if an organization was responsible for a breach, or other security lapse. First, courts in California applied this standard, followed closely by the FTC.

Unfortunately, "reasonableness," as it relates to information security practice, is not specifically defined anywhere. Even so, this standard will likely be applied by many courts in the growing number of security-related lawsuits.

It is clear that businesses of all sizes must ensure that they have done everything practical to protect their customer assets, and to prevent any harm to those customers due to their negligence. Given the rise in litigation, however, they must also be able to demonstrate in court that their precautions were "reasonable."

So, what do you need to do to protect your customers, and yourself? While my understanding of "reasonable" is probably no more specific than anyone else's, I will suggest some areas of focus. This is not by any means an exhaustive list, but rather a good starting point. For a more comprehensive look at this topic, I recommend "The Reasonable Information Security Program" by the Richmond Journal of Law & Technology.

Basic security

There are basic security precautions that businesses of all sizes should have in place:

  • Firewall -- I prefer Dell Sonicwall, but there are many options, including Fortinet and Barracuda
  • Anti-Virus -- Given the rise in malware variants, the value of anti-virus software has clearly been diminished. That being said, you will not pass the "reasonableness" test without it. This market changes rapidly, but I recommend Webroot and Bitdefender, for the moment
  • Patch management -- Not only for Windows, but all third-party software as well

Incident response plan

You need to know in advance what you will do if you experience a suspected security incident that might impact your customers, whether you have two employees or 20,000. Write your plan down, test it, and tell your customers about it.

Log consolidation

I have discussed log consolidation in many prior articles, and it warrants the attention. Proper log handling and retention is especially critical in supporting any investigations that might be necessary in responding to legal or regulatory action. Products to help with this range from Splunk and Graylog on the high end, to the more approachable, web-based products like Loggly and Papertrail. As part of this effort, make sure you have the clocks on all of your systems synchronized, to allow events from multiple systems to be correlated.
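To show why clock alignment matters for correlation, here is an added example (not from the article or any of the products named in it) that consolidates constructed log lines from a mail server logging in UTC and a firewall logging in local time with no zone marker, normalizes both to UTC, and then pairs a mailbox login with the firewall connection from the same source address. The log formats, hostnames and addresses are all assumptions made up for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample lines. The mail server stamps events in UTC ("Z");
# the firewall stamps events in local time (assumed UTC-5) with no zone marker.
MAIL_LOG = [
    "2016-03-02T14:02:11Z mail auth-success user=owner@example.com src=203.0.113.7",
    "2016-03-02T14:03:40Z mail sent-count user=owner@example.com count=180",
]
FIREWALL_LOG = [
    "2016-03-02 09:02:09 fw allow src=203.0.113.7 dst=198.51.100.10 dport=993",
    "2016-03-02 09:45:00 fw allow src=192.0.2.44 dst=198.51.100.10 dport=443",
]
FW_OFFSET = timezone(timedelta(hours=-5))  # assumed local offset of the firewall clock

def parse_mail(line):
    """Parse one mail-server line; its timestamp already carries a UTC marker."""
    ts, host, event, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return {"ts": when, "host": host, "event": event, **fields}

def parse_fw(line):
    """Parse one firewall line; attach the known local offset, then convert to UTC."""
    date, clock, host, event, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    local = datetime.fromisoformat(f"{date}T{clock}").replace(tzinfo=FW_OFFSET)
    return {"ts": local.astimezone(timezone.utc), "host": host, "event": event, **fields}

def consolidate(mail_lines, fw_lines):
    """Merge both sources into one timeline ordered by normalized UTC time."""
    events = [parse_mail(l) for l in mail_lines] + [parse_fw(l) for l in fw_lines]
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, window=timedelta(minutes=5)):
    """Pair each mailbox login with firewall allows from the same source inside the window.
    Without the offset correction the firewall event would appear five hours
    earlier and this pairing would be missed entirely."""
    logins = [e for e in events if e["event"] == "auth-success"]
    allows = [e for e in events if e["event"] == "allow"]
    return [
        (fw["ts"].isoformat(), login["user"], login["src"])
        for login in logins
        for fw in allows
        if fw["src"] == login["src"] and abs(fw["ts"] - login["ts"]) <= window
    ]

if __name__ == "__main__":
    for match in correlate(consolidate(MAIL_LOG, FIREWALL_LOG)):
        print("login correlated with firewall connection:", match)
```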

Outside help

You will probably need outside assistance, including forensics specialists, in responding to a significant security event. Identify vendors that you would use in advance, and make contact with them before you need them. Since recent legal precedent protects security testing and investigation results from discovery when commissioned by an attorney, you may want to consult with corporate counsel before engaging any outside providers.

Managed security

There are many vendors that will manage various aspects of your information security for you, including workstation vulnerability management, patching, and anti-virus monitoring. Engaging a provider with demonstrated security expertise can go a long way in helping to establish the "reasonableness" of your security program.

Bottom line -- it seems a bit unfair that businesses which have not had to worry about security matters over many years of their existence now have to change their way of operating, but life is seldom fair. The customers you save, and the lawsuits you avoid, may mean the difference between life and death for your business.

Copyright © 2016 IDG Communications, Inc.
