A cyber-focused attorney on why 'Data is the hot potato'

Shawn Tuma, partner and co-chair of the data privacy and cybersecurity practice group at Spencer Fane LLP, shares some tips on cybersecurity for companies to follow.

Cybersecurity is a legal issue, Tuma said during his keynote address at last week's Midsize Enterprise Summit IT Security 2024 in Indianapolis, hosted by MES Computing parent The Channel Company.

Tuma, an attorney specialising in cybersecurity law, leads companies in cybersecurity incident responses and investigations and guides them in risk management. He tapped into his expertise during the keynote speech, discussing topics ranging from how organisations should respond to ransomware demands to choosing cyber insurance.

Some highlights from Tuma's keynote:

Change your mindset about cybersecurity

Cybersecurity is a war, Tuma said.

"We are at war against an adversary – a human adversary or group of them," he added. It's an ongoing battle as threat actors "adapt and evolve their tools, their tactics, their procedures and they find another way to attack."

While there is no fixing cybersecurity, IT leaders should adopt the mindset of "how do we engage in this battle?"

'Data is the hot potato'

Tuma advised organisations operating in the USA to be aware of all regulations surrounding consumer data privacy – at the state and federal levels.

"Our 50 states have privacy laws ... 14 states now have comprehensive privacy laws that are absolutely security-driven in nature," he said. Those laws are focused on protecting data, so businesses must focus on the security needed to protect data.

"Data is the hot potato," Tuma added. Regulators "don't care about your company. They don't care about the security of your network. They care about the data you have, more importantly, the personal data you have … that's where you need to focus when you are building out your layer of defences," he said.

Be involved in the cyber insurance selection process

Cyber insurance is a contract, Tuma said. "Every policy from different carriers is different." It's "absolutely foolish" for IT decision-makers not to be intimately engaged in the process of selecting cyber insurance. Don't just leave it to the company's legal team, he advised, because "they don't know the difference between an event, an incident, a breach … they don't know the difference between an exfiltration of data and an access to data."

Cybersecurity is a team effort

"Who is on your team" in your cybersecurity strategy, Tuma asked. He said the team should not just be IT, but should involve legal, corporate communications, HR and public relations.

Establish a relationship with local law enforcement

Tuma advised knowing how to reach someone in your local FBI or Secret Service office in case of a security incident such as ransomware, a business email compromise or any incident that involves wiring funds. "If you can notify them quickly, certainly within 72 hours," you have a better opportunity to recover funds lost in a security event. He also advised filing a report with IC3.gov – the FBI's Internet Crime Complaint Centre.

"Having these relationships when you need them is critical," he said.
