Shawn Tuma, partner and co-chair, Data Privacy & Cybersecurity Practice Group, Spencer Fane LLP
Cybersecurity is a legal issue, said Shawn Tuma, partner and co-chair, Data Privacy & Cybersecurity Practice Group, Spencer Fane LLP. Tuma, an attorney specializing in cybersecurity law, tapped into his expertise in topics ranging from how organizations should respond to ransomware demands to choosing cyber insurance, during his keynote address at this week's Midsize Enterprise Summit IT Security 2024, hosted by MES Computing parent The Channel Company. Tuma leads companies in cybersecurity incident responses and investigations and guides them in risk management.
Some highlights from Tuma's keynote:
Change Your Mindset About Cybersecurity
Cybersecurity is a "war," Tuma said. "We are at war against an adversary – a human adversary or group of them," he added. It's an ongoing battle as threat actors "adapt and evolve their tools, their tactics, their procedures and they find another way to attack."
Tuma said while there is no fixing cybersecurity, IT leaders should adopt the mindset of "how do we engage in this battle?"
'Data Is The Hot Potato'
Tuma advised organizations to be aware of all regulations surrounding consumer data privacy – at the state and federal levels.
"Our 50 states have privacy laws ... 14 states now have comprehensive privacy laws that are absolutely security-driven in nature," he said. Those laws, he said, are focused on protecting data and businesses must focus on the security needed to protect data.
"Data is the hot potato," Tuma said. Regulators, "don't care about your company. They don't care about the security of your network. They care about the data you have, more importantly, the personal data you have … that's where you need to focus when you are building out your layer of defenses," he added.
Be Involved In The Cyber Insurance Selection Process
Cyber insurance is a contract, Tuma said. "Every policy from different carriers is different," he said. It's "absolutely foolish" for IT decision-makers not to be intimately engaged in the process of selecting cyber insurance. Do not just leave it to the company's legal team, he advised, because "they don't know the difference between an event, an incident, a breach … they don't know the difference between an exfiltration of data and an access to data."
Cybersecurity Is A Team Effort
"Who is on your team," in your cybersecurity strategy, Tuma asked. He said that the team should not just be IT, but should involve legal, corporate communications, HR and public relations.
Establish A Relationship With Local Law Enforcement
Tuma advised knowing how to reach someone in your local FBI or Secret Service office in case of a security incident like ransomware or a business email compromise or any incident that involves wiring funds. "If you can notify them quickly, certainly within 72 hours" you have a better opportunity to recover funds lost in a security event. He also advised to get a report filed with IC3.gov – the FBI's Internet Crime Complaint Center.
"Having these relationships when you need them is critical," Tuma said.
