In 2019, we continued to hear about a number of high profile cyber breaches, including a few that affected large companies in our region such as Capital One, Wawa, and the Pennsylvania Charter Cyber School. In an effort to limit incidents like these and increase the privacy of consumer data, states are beginning to take action.
As one example, California drafted comprehensive consumer information rights legislation which took effect on January 1, 2020. The California Consumer Privacy Act (CCPA) creates new consumer rights relating to the access to, deletion of, and sharing of personal information collected by businesses. Companies subject to the CCPA will be required to adhere to a number of requirements, including providing notice to consumers at or before data collection and establishing a process to respond in a timely manner to requests from customers to delete or opt out of data collection.
California’s legislation comes on the heels of the widely-publicized General Data Protection Regulation (GDPR) legislation in the European Union. As cyber security incidents and privacy concerns continue to escalate, the call for more legislation of this type will only increase. What does this mean for you and your business, and how will you respond?
Many companies focus their efforts on fortifying their IT systems by updating firewalls and scanning for viruses. Some even subscribe to monitoring services, which reduce the likelihood of an attack. Taking these precautions reduces the chance of a breach, but it does not eliminate the risk entirely.
This is because there is now unanimous consensus that the weakest link in most organizations is employee awareness. As cyber hackers are becoming more sophisticated, it is increasingly difficult for employees to distinguish between legitimate and fraudulent emails, websites, and messages. Without proper policies and procedures, as well as ongoing training and validation efforts, your company’s risks will only increase.
Having the right policies and procedures in place is one of the most foundational elements of an effective cyber security program and is crucial to establishing proper cyber hygiene practices. For example, if your company allows uncontrolled use of memory sticks for saving, sharing, and transferring files between machines and users, you have a greater chance of being exposed to malicious files.
Policies and procedures also play a key role in complying with emerging regulations such as the CCPA and GDPR. Plus, they will help mitigate the risk of litigation that results when systems are breached and it is discovered that the company did not safeguard client data using an industry accepted methodology. The bottom line: It is crucial to implement proper policies and procedures and continually reinforce them with an ongoing training and validation regimen.
Addressing these issues in a well-planned manner is not only an important risk management strategy, but it is also a good business practice. With our increased dependence on IT systems and the data collected within such systems, the value of data assets increases over time. Safeguarding such assets will not only lay the groundwork for increased business value generation, but will also reduce the chance of operational disruptions, potential litigation, and brand erosion. Here are the five key steps you can take to plan for enhanced cyber readiness this year:
- Discover hardware and software weaknesses by conducting a vulnerability scan.
- Identify your sensitive data and review how it is being collected, accessed, and stored.
- Review and update computer use and information privacy related policies and procedures.
- Conduct ongoing user training based on updated policies and the latest threats.
- Test your systems and users through penetration testing and phishing exercises.
If you’d like to discuss how to implement any of these initiatives in your business, please don’t hesitate to contact us.
You may also like: