Shawn Tuma, partner and co-chair of the data privacy and cybersecurity practice group at Spencer Fane LLP, shares some tips on cybersecurity for companies to follow.
Cybersecurity is a legal issue, Tuma said during his keynote address at last week's Midsize Enterprise Summit IT Security 2024 in Indianapolis, hosted by MES Computing parent The Channel Company.
Tuma, an attorney specialising in cybersecurity law, leads companies in cybersecurity incident responses and investigations and guides them in risk management. He tapped into his expertise during the keynote speech, discussing topics ranging from how organisations should respond to ransomware demands to choosing cyber insurance.
Some highlights from Tuma's keynote:
Change your mindset about cybersecurity
Cybersecurity is a war, Tuma said.
"We are at war against an adversary – a human adversary or group of them," he added. It's an ongoing battle as threat actors "adapt and evolve their tools, their tactics, their procedures and they find another way to attack."
While there is no fixing cybersecurity, IT leaders should adopt the mindset of "how do we engage in this battle?"
'Data is the hot potato'
Tuma advised organisations operating in the USA to be aware of all regulations surrounding consumer data privacy – at the state and federal levels.
"Our 50 states have privacy laws ... 14 states now have comprehensive privacy laws that are absolutely security-driven in nature," he said. Those laws are focused on protecting data, so businesses must focus on the security needed to protect data.
"Data is the hot potato," Tuma added. Regulators "don't care about your company. They don't care about the security of your network. They care about the data you have, more importantly, the personal data you have … that's where you need to focus when you are building out your layer of defences," he added.
Be involved in the cyber insurance selection process
Cyber insurance is a contract, Tuma said. "Every policy from different carriers is different." It's "absolutely foolish" for IT decision-makers not to be intimately engaged in the process of selecting cyber insurance. Don't just leave it to the company's legal team, he advised, because "they don't know the difference between an event, an incident, a breach … they don't know the difference between an exfiltration of data and an access to data."
Cybersecurity is a team effort
"Who is on your team," in your cybersecurity strategy, Tuma asked? He said the team should not just be IT, but should involve legal, corporate communications, HR and public relations.
Establish a relationship with local law enforcement
Tuma advised knowing how to reach someone in your local FBI or Secret Service office in case of a security incident like ransomware or a business email compromise or any incident that involves wiring funds. "If you can notify them quickly, certainly within 72 hours," you have a better opportunity to recover funds lost in a security event. He also advised to get a report filed with IC3.gov – the FBI's Internet Crime Complaint Centre.
"Having these relationships when you need them is critical," he said.
Cyber threats are rising, and IT leaders need the latest information to stay ahead of the curve. Join us in London at the Cybersecurity Festival on 2nd May, where we bring together the most senior and influential voices from security leaders throughout the UK. Click here to secure your free place.
