What is reasonable security?

Reasonable security (or similar wording) is used in many US state and other regional laws as an all-encompassing way to describe the level of cybersecurity a small business must maintain. Sometimes the law gives very little detail beyond the phrase “reasonable security.” Sometimes it gives good detail. Your area might require you to follow one of these laws without you ever having known it.

Now, while ‘reasonable security’ may be a bit ambiguous, the more thorough laws often refer to protecting personally identifiable information, applying security controls to protect that information, and designating a person responsible for applying those controls. Other laws require you to abide by one of the many cybersecurity standards that exist.

One of the common cybersecurity guidelines we attempt to cover is called the CIS top 20. Here are the names of each category and where our system attempts to cover it (we adjusted for very small business sizes):

  1. Inventory and Control of Hardware Assets
    • Addressed with Inventory Sheets
  2. Inventory and Control of Software Assets
    • Addressed with Inventory Sheets
  3. Continuous Vulnerability Management
    • Addressed in Risk Assessments
  4. Controlled Use of Administrative Privileges
    • Addressed in Risk Assessments
  5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
    • Addressed in Risk Assessments
  6. Maintenance, Monitoring and Analysis of Computer/Device Audit Logs
    • We don’t cover much of this because it is an advanced subject, not usually suitable for a lay-person, and more ideal for larger networks; you could use a service like Loggly, though.
  7. Email and Web Browser Protections
    • Addressed in Risk Assessments and Security Awareness Course
  8. Malware Defenses
    • Addressed in Risk Assessments
  9. Limitation and Control of Network Ports, Protocols and Services
    • Limited coverage in Risk Assessments
      • (advanced and not suitable for a lay-person; host- and network-based firewalls cover some of this)
  10. Data Recovery Capabilities
    • Addressed in Risk Assessments
  11. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
    • Addressed in Risk Assessments
  12. Boundary Defense
    • Some addressed in Risk Assessments
  13. Data Protection
    • Addressed in Risk Assessments
  14. Controlled Access Based on the Need to Know
    • Some addressed in Risk Assessments
  15. Wireless Access Control
    • Addressed in Risk Assessments
  16. Account Monitoring and Control
    • Some addressed in Risk Assessments
  17. Implement a Security Awareness and Training Program
    • Addressed in Risk Assessments
  18. Application Software Security
    • Addressed in Risk Assessments and Security Awareness Course
  19. Incident Response and Management
    • Addressed in Cyber Incident Response Plan
  20. Penetration Tests and Red Team Exercises
    • Addressed in Risk Assessments

How much should I be budgeting for cyber security?

We recommend you spend at least 3-4% of your IT budget on cyber security. For the IT budget itself, we recommend around 7% of your business revenue to purchase new technology or to maintain your existing technology and software licenses.

For example, if your revenue is $100,000 a year, $7,000 of that would go to IT equipment, software, maintenance, licenses, etc. Then at least $3,000 of that $7,000 should go to securing your business.

Should I be keeping documentation?

While you are going through the risk assessments and the security awareness course, keep in mind that some laws require you to keep documentation of how you are securing your business in one place. This can be a folder on your computer from which you can later print out all the information when you need to produce it for legal inquiries.

This does not mean revealing all your security ‘secrets’ in this documentation, which would be a great treasure for cyber criminals to steal. These documents are really there to show proof that your small business does use some kind of cybersecurity controls to protect consumers. This documentation is to stay private and protected (ideally encrypted) until you absolutely need to show it, either to demonstrate progress in your business’s cybersecurity (to company executives, etc.) or to present it in legal inquiries into your practices.

The following are some things to keep in your physical binder or computer folder:

  1. Yearly Security Awareness Certificates or list of personnel who have completed some kind of security awareness training
  2. Yearly Risk assessment results
  3. Tracking of security activities
    • The yearly risk assessment report you download after completing it lists the controls you have put in place.
  4. Policies
    • Generate these documents here.
  5. Cyber Incident Response Plan
    • Generate this document here.

So what happens if I don’t meet these “Reasonable Security” laws?

Please note, we’re not lawyers here, but we’d guess probably litigation, court orders, or other legal ramifications. Basically, these laws were created to protect consumers. If consumers’ money and data are stolen due to lax or non-existent cybersecurity practices, you get punished.

How much is this punishment? There could be cash settlements involved. If a successful cyber attack on your business were to happen, then besides the cost of finding out how extensive the damage is, your reputation would likely fall tremendously after you are required to report the breach to your current customers. In some cases, you may have to pay for monitoring services for all affected customers to protect them from ID theft.

Take cyber security seriously!