Cyber Security News / Security Leadership and Management

Compliance and Congress – How to Build an Effective Cyber Strategy

February 7, 2019
Dhaval Jadav and Chuck Wilson
KEYWORDS cyber risk management / cybersecurity strategy / data breach / data privacy / GDPR / security compliance / small and medium business (SMB) security

The growing threat of cyberattacks is a serious cause for concern. Some of the country's foremost intelligence experts have warned that the U.S. could face a massive cyberattack, one predicted to cause damage comparable to a Category 5 hurricane, in which everything from vehicles to pacemakers could be compromised. The country needs to be ready, and not just the public sector. Private businesses, regardless of size, take an extreme risk if they do not put the necessary precautions in place.

The direct and reputational damage caused by security breaches can be enormous, as the high-profile breaches at Sony, Equifax and Yahoo have shown. When developing a strategy, you have to be able to properly assess the overall damage your business could suffer.

With new legislation such as the California Consumer Privacy Act (CCPA), or AB 375, which is similar to the European General Data Protection Regulation (GDPR), going into effect in 2020, businesses of all sizes are working to maintain compliance and avoid data leaks at all costs.

 

Building A Strategy

When developing a cybersecurity strategy, there are a few important questions to consider:

  1. How difficult is it to gain access to my company or customer information?
  2. How much actual damage to my customers, company and/or public reputation can be caused if a data breach occurs?
  3. Are we following best practices for protecting client data that we have been given access to?
  4. Do we have an enterprise risk management approach? How do we prioritize risks?
  5. Do we have an incident response plan in place if a breach is discovered?

 

For example, if your company has strong network and firewall controls that adequately deter attacks, but also holds sensitive and potentially damaging customer information, you are only implementing a half-measure: you have addressed how hard it is to get in without addressing how much damage an attacker who does get in can cause.

The overall risk your company faces is directly correlated with the amount of damage a potential attacker can inflict with your customers' data, as well as with the harm to your company's public image from negligence, noncompliance or plain bad luck. In fact, the perception of an insecure network, or of known negligence toward securing customer data, can do as much, if not more, irreparable damage to a company or brand as an actual breach.

What many small to medium-sized businesses underestimate is how much customer information they actually hold, and how the move to cloud computing only adds to the complexity of properly securing sensitive information. The more companies use cloud-based services to record transactions, financial data, personal preferences, search histories and medical records, the more devastating a breach can be.

 

Getting Compliant

A single leak can bring down even the largest and most powerful companies. Once customer trust is lost, it is far harder to regain. With this in mind, companies of all sizes need to take the necessary steps not only to comply with legislation, but also to proactively develop systems that can be defended against claims of negligence. Being compliant does not always equate to having a defensible, due-diligence security posture.

Small businesses are going to be among the hardest hit as regulations such as GDPR and CCPA become more commonplace, and I fear that noncompliance due to lack of resources could be a serious issue. At a time when an online presence and a customer database are essentially required for any business, many smaller operations do not have the resources to become compliant, or may not even recognize that the new regulations require changes to their business.

So, what options does an organization have if it is not already preparing a cybersecurity strategy or does not have an in-house team? Quite a few, actually. These options start with asking the questions above, and then the following, to determine which parts of the system or processes need the most attention:

  • Are the security risks being quantified? Is there a known network security issue?
  • What type of information is being transmitted or collected? Is data classification used?
  • What is your encryption policy? Is stored data encrypted at all, and how?
  • Do all of your employees with access to client data know your cyber-protection practices? This question matters because phishing is the largest threat vector, accounting for around 95% of all security incidents.
  • Are the security basics in place?
  • How well is cyber hygiene managed?

 

Cybersecurity experts can help answer all of these questions and determine the level of attention each aspect of a compliant cybersecurity strategy requires. One size does not fit all in cybersecurity: identifying potential vulnerabilities is different for every operation, and varies in complexity with the type and quantity of information the business holds.

In addition to professional assistance, there are a few best practices a company can implement to improve its privacy policy, as well as its customer and visitor notification policies.

 

Be transparent when using cookies on your website.

Have a consent statement pop up on your website that explains not only that your site uses cookies, but how your organization uses the information they collect. The statement needs to tell the visitor that the site uses cookies, what each cookie is used for, and how to change their settings to deactivate them. The consent should also control what is set: a banner that appears after tracking cookies have already been written gives notice, not consent.

 

How you monitor visitor behavior.

As with the cookie notification, simply stating that you collect personal data is no longer adequate. Your privacy policy has to tell users exactly what data you collect and how you process it.

 

Notification of sharing (but never selling) customer data.

Notification of data sharing is typically needed when a company holds user data that it then shares with a third-party partner. For instance, an organization that collects user or member data may share it with "authorized partners" that provide a better experience for users. Stating this in the privacy policy and consent statement, along with confirming that all "authorized partners" are themselves compliant, is highly recommended.

 

Regardless of industry, size or revenue, a cyber strategy is absolutely required, because the more interconnected everything becomes, the more vulnerable we are to cyberattacks. With increased vulnerability come more regulations. Businesses and organizations will need all the help they can get to ensure data security and compliance with future regulations.

 

This article originally ran in Today's Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine.

 


Dhaval Jadav is the Chief Executive Officer of alliantgroup, America's leading provider of tax credits and incentives to U.S. businesses. Jadav co-founded alliantgroup in 2002, and since its inception his passion for serving businesses and the CPA firms that advise them has resulted in alliantgroup helping U.S. businesses claim more than $7 billion in tax credits and incentives.
Chuck Wilson is the Executive Director of the National Systems Contractors Association (NSCA), a position he has held since 1996. Before being named executive director, he served on the organization's Board of Directors from 1988 to 1995. NSCA is a not-for-profit association representing the commercial low-voltage electronic systems industry, including systems contractors/integrators, product manufacturers, consultants, sales representatives, architects, specifying engineers and other allied professionals.

Copyright ©2019. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing