Grappling With What Reasonable Cybersecurity Means

You’re told to implement all possible protections. But where is the money, time and people to do it all?

It’s been clear for years that CRE firms are frequently targets of cybercriminals. There’s no way to avoid the possibility of being targeted, so each company needs to protect itself.

But what does self-protection really mean? How much will it cost? How many experts are needed? When does it stop?

One reason for all the questions, as Arizona State Associate Research Professor Christos Makridis, University of Arizona Associate Professor Anne Boustead, and Indiana University Provost Professor Scott Shackelford addressed in a recent Brookings Institution research report, is the difficulty of knowing what the impact of an attack is. “Estimates vary markedly in part because most studies either take a survey-based approach where respondents are asked the cost of a data breach—which produces highly variable and often questionable numbers—or a stock market-based approach where returns are compared before and after a data breach—which also delivers unreliable estimates since the market often does not know how to react,” they wrote.

Additionally, many of the studies are done on very large companies. The effects can’t be directly scaled down for use with much smaller companies, which would include most CRE firms.

What counts as “reasonable” protection is unclear from both a business and a legal perspective. Practices can vary by the size of the organization, the degree to which it is governed by regulatory frameworks such as those in finance or healthcare, and the degree to which it is part of critical infrastructure.

However, the researchers note that there is a set of principles called the Essential Eight, which includes “four mandatory strategies to mitigate targeted cyber intrusions and four additional strategies to further protect data and systems.” These are:

Application whitelisting: Only allow approved applications to run on systems, preventing unapproved software, including malicious programs, from executing.

Patch applications: Regularly update software applications as soon as vendors release patches, which often include fixes for known security vulnerabilities.

Disable untrusted macros: Macros can be used to automate tasks in Office documents, but they can also be used maliciously. Disabling macros in Office files received from the Internet, for example, helps prevent these threats.

User application hardening: Disable unneeded features in applications to reduce vulnerability to attacks.

Restrict administrative privileges: Limit administrative privileges on systems to the users and applications that need them, reducing the avenues through which malicious activity could gain high-level access.

Patch operating systems: As with applications, apply patches from operating system vendors as soon as possible.

Multi-factor authentication: Require users to present multiple forms of identification to reduce the potential for unauthorized access.

Daily backups: Regularly back up important data and ensure it can be restored. This provides a safety net in case of a serious security incident.

These aren’t enough by themselves. A company will still need “proactive cybersecurity measures” and “essentials such as creating and updating incident response plans.” But the combination should create a necessary floor of protection.

Small to medium enterprises “are particularly vulnerable and often struggle to understand and implement effective cybersecurity measures,” they wrote. “By providing clear guidance, offering support, and incentivizing the adoption of strong cybersecurity practices, we can start to close the cybersecurity gap that currently exists.”