
Information security ignorance is not a defense

Opinion
Aug 11, 2016 · 6 min read
Cyberattacks | Network Security | Security


Despite increasing awareness about the importance of information security, underscored by the fear of ransomware attacks, I continue to find that most of the small and medium business (SMB) world is unprepared for an attack. It may be a bit unfair to single them out, since so many enterprises have similar issues, but the SMB folks are subject to increasing attacks for which they are not ready.

I guess it is basic human nature not to be worried about something when you have never experienced it firsthand. Compounding this, most SMBs feel like they can fly below the radar of the regulators, who are usually focused on larger, more visible targets.

There is an increasing threat to businesses of all size, however — angry customers. This should not be a surprise to anyone. After all, businesses often hold key information belonging to customers, and provide services critical to them. If information is stolen, or services interrupted, a business will have a customer that is at least angry, and quite possibly litigious.

Whether the angry customer just finds a new provider, or sues, the business loses. So rapid is the growth in litigation that, according to Lawyer’s Weekly, cybersecurity is slated to become a standalone practice area for attorneys.

It does not take much of a security lapse to generate an angry customer. A recent case in point for me involved an old friend, for whose business I had done some free work.

I knew there had been a security compromise when I got an email invitation from him, inviting me to share a Dropbox folder. I spotted the message immediately as a phishing attack, but before I could let him know, his office called, needing guidance, because someone had obtained my friend’s gmail password and was using it to send phishing messages. I helped him to regain control of his email, and to take other appropriate precautions, including adding two-factor authentication, and changing the password on any system where it matched his gmail account.

This week, the office called again, reporting that they had received an identical phishing message from one of their customers, and they were afraid they had somehow been responsible for the customer’s compromise. After some quick research, I confirmed their suspicion. To sign up for the “shared Dropbox folder,” the recipient was required to supply their email credentials, which were then used to send even more phishing messages.

Even an incident as simple as this example can cause a loss of customer confidence. If the customer’s loss of intellectual property, operating revenue and prestige is significant enough, the matter can easily end up in court.

Government entities, regulators, and the courts are increasingly applying the “reasonableness” test to determine if an organization was responsible for a breach, or other security lapse. First, courts in California applied this standard, followed closely by the FTC.

Unfortunately, “reasonableness,” as it relates to information security practice, is nowhere defined specifically. Even so, this standard will likely be applied by many courts in the growing number of security-related lawsuits.  

It is clear that businesses of all sizes must ensure that they have done everything practical to protect their customer assets, and to prevent any harm to those customers due to their negligence. Given the rise in litigation, however, they must also be able to demonstrate in court that their precautions were “reasonable.”

So, what do you need to do to protect your customers, and yourself? While my understanding of reasonable is probably no more specific than others, I will suggest some areas of focus. This is not by any means an exhaustive list, but rather a good starting point. For a more comprehensive look at this topic, I recommend “The Reasonable Information Security Program” by the Richmond Journal of Law & Technology:

Basic security

There are basic security precautions that businesses of all sizes should have in place:

  • Firewall — I prefer Dell Sonicwall, but there are many options, including Fortinet and Barracuda
  • Anti-Virus — Given the rise in malware variants, the value of anti-virus software has clearly been diminished. That being said, you will not pass the “reasonableness” test without it. This market changes rapidly, but I recommend Webroot and Bitdefender, for the moment
  • Patch management — Not only for Windows, but all third-party software as well

Planning

You need to know in advance what you will do if you experience a suspected security incident that might impact your customers, whether you have two employees, or 20,000. Write your plan down, test it, and tell your customers about it.

Log consolidation

I have discussed log consolidation in many prior articles, and it warrants the attention. Proper log handling and retention is especially critical in supporting any investigations that might be necessary in responding to legal or regulatory action. Products to help with this range from Splunk and Graylog on the high end, to the more approachable, web-based products like Loggly and Papertrail. As part of this effort, make sure you have the clocks on all of your systems synchronized, to allow events from multiple systems to be correlated.
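As an added illustration, not part of the original article, of why synchronized clocks matter once logs are consolidated: the script below uses constructed log lines from a hypothetical auth server and mail gateway (the line formats are assumptions, not any product's), ties a login from a new device to a burst of outbound mail like the phishing incident described above, and only finds the match once the mail gateway's measured clock skew has been corrected.

```python
# Correlating events from two systems whose clocks disagree. The log lines and
# their column layouts are constructed for this example, not any product's format.
import re
from datetime import datetime, timedelta, timezone
# Constructed samples: the auth server logs in UTC; the mail gateway's clock is
# assumed to be unsynchronised and running 12 minutes fast.
AUTH_LOG = [
    "2016-08-09T14:02:11Z auth user=alice result=ok src=203.0.113.45 new_device=yes",
    "2016-08-09T14:05:40Z auth user=bob result=ok src=198.51.100.7 new_device=no",
]
MAIL_LOG = [
    "2016-08-09 14:16:03 mail from=alice rcpt=client1 subject='Shared Dropbox folder'",
    "2016-08-09 14:16:05 mail from=alice rcpt=client2 subject='Shared Dropbox folder'",
    "2016-08-09 14:30:00 mail from=bob rcpt=client3 subject='Invoice'",
]
MAIL_SKEW_MINUTES = 12  # offset measured against a reference (NTP) clock
AUTH_RE = re.compile(r"^(\S+) auth user=(\S+) result=ok src=(\S+) new_device=(\S+)")
MAIL_RE = re.compile(r"^(\S+ \S+) mail from=(\S+) rcpt=(\S+) subject='([^']*)'")

def parse_auth(line):
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m.group(2), "src": m.group(3), "new_device": m.group(4) == "yes"}

def parse_mail(line, skew_minutes):
    m = MAIL_RE.match(line)
    if not m:
        return None
    raw = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    # Normalise to true UTC by subtracting the known skew before correlating.
    return {"ts": raw - timedelta(minutes=skew_minutes), "user": m.group(2), "rcpt": m.group(3)}

def suspicious_sends(auth_lines, mail_lines, skew_minutes=MAIL_SKEW_MINUTES,
                     window_minutes=10, min_rcpts=2):
    """Flag users who logged in from a new device and, within the window that
    follows, sent mail to at least min_rcpts distinct recipients."""
    logins = [e for e in map(parse_auth, auth_lines) if e and e["new_device"]]
    sends = [e for e in (parse_mail(l, skew_minutes) for l in mail_lines) if e]
    flagged = {}
    for login in logins:
        end = login["ts"] + timedelta(minutes=window_minutes)
        rcpts = {s["rcpt"] for s in sends
                 if s["user"] == login["user"] and login["ts"] <= s["ts"] <= end}
        if len(rcpts) >= min_rcpts:
            flagged[login["user"]] = {"src": login["src"], "recipients": sorted(rcpts)}
    return flagged
```

Calling `suspicious_sends(AUTH_LOG, MAIL_LOG)` flags alice; with `skew_minutes=0` the uncorrected mail timestamps fall outside the window and the same activity is missed.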

Outside help

You will probably need outside assistance, including forensics specialists, in responding to a significant security event. Identify vendors that you would use in advance, and make contact with them before you need them. Since recent legal precedent protects security testing and investigation results from discovery when commissioned by an attorney, you may want to consult with corporate counsel before engaging any outside providers.

Managed security

There are many vendors that will manage various aspects of your information security for you, including workstation vulnerability management, patching, and anti-virus monitoring. Engaging a provider with demonstrated security expertise can go a long way in helping to establish the “reasonableness” of your security program.

Bottom line — it seems a bit unfair that businesses which have not had to worry about security matters over many years of their existence now have to change their way of operating, but life is seldom fair. The customers you save, and the lawsuits you avoid, may mean the difference between life and death for your business.


Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of togoCIO.com. Mr. Covington has B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with emphasis on high-volume, mission critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIL and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
