Digital Journal Profile of Joseph Steinberg Cybersecurity Expert Witness


Digital Journal Profiles Cybersecurity Expert Witness Joseph Steinberg And His Experience In Cyber-Liability Cases

Digital Journal today profiled cybersecurity expert Joseph Steinberg, and discussed Steinberg’s observations about cyber-liability after human errors lead to costly breaches.

The Digital Journal relates Steinberg’s opinions in this regard, as Steinberg has a remarkable track record of success as an expert witness when it comes to high-stakes cybersecurity-related civil and criminal litigation.

The Digital Journal piece points out that, while Steinberg considers security awareness training a critical defensive layer, such training does not serve as a complete legal shield for organizations when cyber-incidents result from human error (as so many breaches do). Many institutions mistakenly believe that they can avoid liability for a data breach by demonstrating that they trained the employee who fell victim to a scam. However, Steinberg notes that, in his experience, which includes having served as an expert witness on many dozens of cases, arbitrators and courts often look beyond the “we trained them” defense, holding organizations liable if they failed to implement the technical safeguards necessary to augment human-initiated defenses.

Steinberg also emphasizes that the mere existence of a training program is insufficient from a risk management perspective, and courts today recognize as much: the effectiveness, relevance, and depth of training programs vary wildly, and those differences also factor into decisions in legal disputes. For a program to be considered appropriately suited to a particular environment, it must be tailored (for example, to specific user roles), kept current (that is, updated frequently to reflect the current threat landscape), and tested through measurable outcomes (for example, simulated phishing attacks with harmful links sent via email and text messages). Generic, annual “checkbox” training that lacks practical, real-world application can fail to meet the threshold of an adequate defense, especially if it ignores industry-specific and role-based risks.

Ultimately, the article notes that Steinberg argues that cybersecurity strategies must be built around the inevitability of human fallibility.

Because perfect user behavior is unachievable, Steinberg advocates for a “defense-in-depth” framework in which education is just one component alongside technical controls, monitoring, and incident response plans. Liability can hinge on whether an institution provided these layered protections to catch the human failures that are bound to occur, or to mitigate damage when such errors are not caught proactively.

It should be noted that Steinberg has been frequently quoted about the difference between training an employee and getting the employee to internalize various aspects of cybersecurity.

To read the rest of the Digital Journal article about cybersecurity expert witness Joseph Steinberg and his approach to protecting against liability for human cyber-failures, please see the Digital Journal article: Can you be held liable for user errors? Cybersecurity expert Joseph Steinberg weighs in.
