Reasonable Security is Not Frozen in Time

For immediate assistance with a network intrusion, ransomware
attack, or BEC, please contact: IrongateResponse@irongatesecurity.com  

I recently attended a panel in Nashville during the CLM conference to discuss reasonable security standards in cybersecurity. The discussion focused on a practical issue that every organization, insurer, attorney, and security leader must deal with today. Reasonable security is not a fixed checklist. It is a point-in-time assessment based on the threat environment, the organization’s data, regulatory expectations, available technology, and what similar organizations are doing to reduce risk.

A security program that looked reasonable ten years ago may not be defensible today. Endpoint detection and response was once treated as a strong recommendation. Today, EDR paired with 24x7 managed detection and response is a baseline expectation for many organizations. Multi-factor authentication (“MFA”) followed the same path. It used to be viewed as an added layer of protection. Today, MFA is a hard requirement for remote access, email, privileged accounts, and cloud environments.

The panel discussion reinforced that reasonable security changes because the risk changes. Attackers are faster, more automated, and more effective. Business environments are more connected. Data is spread across cloud platforms, SaaS tools, endpoints, vendors, and remote users. Cyber insurance underwriting has matured. Regulators are more active. Plaintiffs, experts, and courts are looking more closely at what organizations had in place before an incident occurred.

Reasonable security must be judged in context. A 2026 review of a 2021 incident should consider what was reasonable in 2021. That does not mean outdated controls get a pass. It means organizations need to document what they knew, what they evaluated, what they implemented, and what risks they accepted at that time. Contemporaneous documentation matters. Risk assessments, board reporting, remediation plans, tabletop exercises, backup tests, and incident response records help show that security decisions were deliberate and tied to business risk.

The discussion also highlighted an important point for small and mid-sized businesses. Reasonable does not always mean expensive. It does mean disciplined. Many organizations do not fail because they lacked access to advanced tools. They fail because basic controls were not implemented, monitored, tested, or maintained.

At a minimum, six baseline controls should be treated as necessary for most organizations today.

EDR with 24x7 MDR service

Organizations need endpoint visibility and response capability across workstations and servers. Tools alone are not enough. Alerts need to be reviewed, investigated, and acted on at all hours. A ransomware event does not wait for business hours, and neither can detection and response.

Multi-factor authentication

MFA should be required for email, remote access, administrative access, financial systems, and cloud platforms. Credential theft remains one of the most common paths into an organization. MFA is no longer a best practice. It is a basic control.

3-2-1 backup strategy

Organizations should maintain at least three copies of critical data, on two different types of media, with one copy offline or immutable. Backups also need to be tested. A backup strategy that has never been restored is an assumption, not a recovery plan.
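As an added example (not from the original post), the script below turns the 3-2-1 rule and the "test your restores" point into two checks: one that evaluates a backup inventory against the three conditions, and one that actually restores each copy into a scratch directory and compares file hashes against the source. The inventory, media labels, paths, and file contents are all constructed for the demo; one copy is deliberately corrupted to show that only a restore test catches it.

```python
"""Added example: 3-2-1 policy check plus a hash-verified restore test.

Everything here (copy names, media types, paths, sample files) is constructed
for the demo and is not part of the original post.
"""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass


@dataclass
class BackupCopy:
    name: str
    media: str       # e.g. "disk", "tape", "object-storage" (assumed labels)
    offline: bool    # detached or air-gapped copy
    immutable: bool  # write-once / object-locked copy
    path: str        # where this copy can be read from


def check_3_2_1(copies):
    """Return which of the three 3-2-1 conditions hold for this set of copies."""
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({c.media for c in copies}) >= 2,
        "one_offline_or_immutable": any(c.offline or c.immutable for c in copies),
    }


def sha256_of_tree(root):
    """Hash every file under root, keyed by relative path, for restore comparison."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def restore_test(backup_path, expected_digests):
    """Restore a copy into a scratch directory and verify it matches the source hashes."""
    scratch = tempfile.mkdtemp(prefix="restore-test-")
    try:
        restored = os.path.join(scratch, "restored")
        shutil.copytree(backup_path, restored)  # stands in for the real restore procedure
        return sha256_of_tree(restored) == expected_digests
    finally:
        shutil.rmtree(scratch)


def demo():
    """Build a constructed source tree and three backup copies, then evaluate them."""
    base = tempfile.mkdtemp(prefix="backup-demo-")
    try:
        source = os.path.join(base, "source")
        os.makedirs(source)
        with open(os.path.join(source, "payroll.csv"), "w") as fh:
            fh.write("id,name,amount\n1,example,100\n")  # constructed sample data
        with open(os.path.join(source, "contracts.txt"), "w") as fh:
            fh.write("constructed contract text\n")
        expected = sha256_of_tree(source)

        copies = [
            BackupCopy("nightly-disk", "disk", False, False, os.path.join(base, "c1")),
            BackupCopy("weekly-tape", "tape", True, False, os.path.join(base, "c2")),
            BackupCopy("cloud-locked", "object-storage", False, True, os.path.join(base, "c3")),
        ]
        for copy in copies:
            shutil.copytree(source, copy.path)

        # Simulate silent corruption of one copy: the inventory still "looks" compliant,
        # and only the restore test reveals that this copy would not bring the data back.
        with open(os.path.join(copies[2].path, "payroll.csv"), "a") as fh:
            fh.write("corrupted\n")

        return {
            "policy": check_3_2_1(copies),
            "restores": {c.name: restore_test(c.path, expected) for c in copies},
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
```

The policy check and the restore test are kept separate on purpose: an inventory can satisfy 3-2-1 on paper while one of its copies is unusable, which is exactly the "assumption, not a recovery plan" gap the post describes. Recording the output of a periodic restore test is also the kind of contemporaneous documentation discussed earlier in the post.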

Centralized logs

Logs are necessary for detection, investigation, insurance claims, legal review, and incident reconstruction. Without centralized logs, organizations often cannot determine what happened, when it happened, what systems were affected, or whether data was accessed. That uncertainty increases cost, liability, and operational disruption.
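The value of centralized logs is easiest to see when events from several systems are placed on one timeline. The added example below (not from the original post) normalizes constructed sample lines from three assumed sources, a VPN concentrator, an endpoint agent, and a file server audit log, merges them in time order, and answers the four questions the paragraph names for a given user: what happened, when, which systems were involved, and whether sensitive data was accessed. Log formats, host names, user names, and paths are all assumptions made for the demo.

```python
"""Added example: merge constructed logs from several sources into one timeline.

Log formats, hosts, users, and paths below are assumptions for this demo and
are not taken from the original post or any real product.
"""
import re
from datetime import datetime, timezone

# Constructed sample events. Each line is "<timestamp> <host> <event> key=value ...".
VPN_LOG = [
    "2024-03-02T01:12:04Z vpn01 login user=jdoe src=203.0.113.9 result=success",
    "2024-03-02T01:12:40Z vpn01 login user=asmith src=198.51.100.4 result=success",
]
ENDPOINT_LOG = [
    "2024-03-02T01:15:30Z ws-finance-07 process user=jdoe image=powershell.exe parent=outlook.exe",
]
FILESERVER_LOG = [
    "2024-03-02T01:20:11Z fs01 file_access user=jdoe path=/srv/hr/payroll.xlsx op=read",
    "2024-03-02T01:21:45Z fs01 file_access user=jdoe path=/srv/hr/payroll.xlsx op=copy",
    "2024-03-02T01:22:02Z fs01 file_access user=asmith path=/srv/public/lunch-menu.pdf op=read",
    "garbage line that does not parse",
]

LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+)(?P<kv>.*)$")


def parse_line(line):
    """Normalize one raw line into a dict; return None for lines that do not parse."""
    match = LINE.match(line)
    if not match:
        return None
    try:
        ts = datetime.strptime(match["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    fields = dict(kv.split("=", 1) for kv in match["kv"].split() if "=" in kv)
    return {"ts": ts, "host": match["host"], "event": match["event"], **fields}


def build_timeline(*sources):
    """Merge every source into one time-ordered list, which is what a central log store gives you."""
    events = []
    for source in sources:
        for line in source:
            parsed = parse_line(line)
            if parsed is not None:
                events.append(parsed)
    return sorted(events, key=lambda e: e["ts"])


def summarize_user(timeline, user, sensitive_prefix):
    """Answer: what happened, when, on which systems, and was sensitive data accessed."""
    mine = [e for e in timeline if e.get("user") == user]
    accessed = sorted({
        e["path"] for e in mine
        if e["event"] == "file_access" and e.get("path", "").startswith(sensitive_prefix)
    })
    return {
        "events": [f"{e['ts'].isoformat()} {e['host']} {e['event']}" for e in mine],
        "first_seen": mine[0]["ts"].isoformat() if mine else None,
        "last_seen": mine[-1]["ts"].isoformat() if mine else None,
        "systems": sorted({e["host"] for e in mine}),
        "sensitive_data_accessed": accessed,
    }


def demo():
    """Reconstruct jdoe's activity across all three sources."""
    timeline = build_timeline(VPN_LOG, ENDPOINT_LOG, FILESERVER_LOG)
    return summarize_user(timeline, "jdoe", "/srv/hr/")


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With only the file server log, an investigator could see that payroll data was read but not where the session originated or which workstation was involved; with only the VPN log, they could see a login but not what it led to. The merged timeline is what lets an organization answer the scope and data-access questions that drive notification decisions, insurance claims, and legal review.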

Incident response plan

A written incident response plan gives the organization a process before the emergency begins. It should identify roles, escalation paths, legal involvement, insurance notification, communications, evidence handling, and executive decision points. The plan should be tested through tabletop exercises and updated as the business changes.

End user security awareness training

Employees remain a primary target for phishing, social engineering, business email compromise, and credential theft. Training should be practical, recurring, and tied to the real threats employees face. The goal is not perfection. The goal is reducing preventable mistakes and improving reporting behavior.

The broader point is that security programs should not be built around tools first. They should be built around the data an organization holds and processes. A business that stores employee records, customer data, payment information, protected health information, financial records, or sensitive business data must understand how that data moves, where it resides, who can access it, and what laws or contracts apply.

Regulatory requirements, contractual obligations, cyber insurance expectations, and operational risk should all map back to the data. A reasonable program for one organization may not be enough for another if the data, threat profile, and legal obligations are different. This is where frameworks like NIST CSF and CIS Controls are useful. They help structure the program, but leadership still needs to align controls to business risk.

The panel’s core message was clear. Reasonable security is not a slogan. It is a documented, risk-based, and evolving program. It must keep pace with the threat environment and the expectations of regulators, insurers, customers, and courts.

The controls that used to be optional are no longer optional. The organizations that understand this shift will be better positioned to reduce risk, defend their decisions, and recover when incidents occur.


Contact us today to learn more about our Active Defense services.

Ramey

Steve Ramey has spent the past two decades helping clients protect, investigate, and respond to events involving their digital interests.
He has led hundreds of data breach investigations, assessed incident response and security programs, and successfully advised organizations through extortion negotiations.
