Cyber Sessions: Meeting the ‘reasonable’ security standard

Updated at 10:53 a.m. on Oct. 25

(Editor’s note: This is the third installment of a monthly column on the growing number of cyberthreats facing businesses of all sizes and what they can do about it. You can read the first two installments here and here.)

To call the pace of change that business leaders face these days “rapid” is a disservice to businesses that are under unprecedented pressure. According to a recent PricewaterhouseCoopers study, 77% of executives are struggling with hiring and retaining talent. Executives see no reprieve from inflation, and supply chain problems will continue into 2023. At the same time, 60% of executives have identified a focus on digital transformation as critical to remaining agile and resilient.

With that amount of disruption, executives are still most concerned about cybersecurity, data and privacy regulations. The last thing that a business can afford is a data breach.

When it comes to cybersecurity incidents and data breaches, we see the headlines when big corporations are hit. But what we don’t see are the thousands of breaches that happen every year to smaller organizations. Did many notice incidents at Center for Sight Inc., A.A. Zamarro & Associates Inc. or Northeast Rehabilitation Hospital Network? These cybersecurity incidents alone affected tens of thousands of southern New Englanders and were major disruptions for those businesses. Last year alone, data breaches affected 294 million individuals.


As business leaders and their legal counsel attempt to navigate data privacy laws and regulatory mandates, regulatory bodies continue to enact new and refined privacy and data security requirements.

Across these statutes and directives is the increased use of terms such as reasonable, appropriate, acceptable and practical when it comes to the security measures businesses are expected to take. “Reasonable” is peppered throughout the Massachusetts privacy law and is a staple in the Rhode Island Identity Theft Protection Act.

So how do you appropriately define “reasonable” when it could be the deciding factor in whether your organization is fined, or in whether your business is at risk of civil litigation and liable based on perceived negligence?

Luckily, standards and best practices are being shared by the cybersecurity industry and the federal government that help define those reasonable expectations. Here are some ways for Rhode Island businesses to begin to mature their cybersecurity programs and effectively manage the risk, ultimately helping them meet the “reasonableness” standard.

First and foremost, cybersecurity should be prioritized at the highest levels of leadership. Risk and business resilience should be a staple agenda item for leaders. Cybersecurity is a shared responsibility across the entirety of the business, embedded in a culture where every employee is engaged.

Modern cybersecurity programs must be based on industry standards, best practices and frameworks. The National Institute of Standards and Technology Cybersecurity Framework is a gold standard that can help organizations build comprehensive and sustainable programs that focus on people, processes, technology, policies, supply chain risk and more. The success of a program depends on investing in and adopting these best practices, rather than in the shiny new tool that claims to solve all cybersecurity woes.

Organizations need to have a written information security program – or a WISP – that outlines policies and guidelines to protect the confidentiality and security of personal information. It’s been a regulation for quite some time for all organizations that handle the personal information of any Massachusetts resident. A Rhode Island business was recently penalized $230,000 under a settlement reached with the Mass. Office of the Attorney General for lacking a WISP. No matter what type of personal or sensitive data, every business should have a well-documented program that outlines procedural, physical and technical safeguards for a customer’s private data.

Businesses must have continuous visibility into their cyber risk. Performing regular and formalized assessments is a core component of a company’s resilience. These continuous activities start by assessing the current risks, then help businesses identify, prioritize and find ways to remediate those risks.

With the right culture, program, best practices and risk assessment practices, a business can realize the benefits of and take full advantage of modern technologies and cybersecurity innovation. Technologies alone, without these supporting strategies, will fail your business.

While some organizations and executives will continue to drag their feet and steer clear of cybersecurity conversations, the risks from cyberattacks grow exponentially daily. With pressures from privacy laws and regulatory oversight, the damages from disciplinary actions or lawsuits will become enormous.

Confronted with these massive amounts of potential cybersecurity liabilities, organizations that are proactive will mature. Those that aren’t will risk going out of business.

Next month: “You can still get burned through the clouds.” 


(Jason Albuquerque is chief operating officer of Pawtucket-based Envision Technology Advisors LLC. You can reach him through
