By now we should all know that human error accounts for 95% of data breaches, and that cybersecurity should be a company-wide concern. Cybersecurity has long been good to have; now it is also necessary to have. While it may have taken government regulations a while to catch up with cyberspace, there has been a global shift towards implementing cybersecurity laws and regulations.
By and large, this shift is crucial because cyberspace now plays an undeniably fundamental role in our day-to-day lives, and even more so in our businesses. We rely on IT and the internet for a vast number of social functions that blur personal and professional lines, and that is not without its risks and consequences. We also live in a world where there will always be antagonistic parties acting in hostile ways; the cyber domain is no exception. For this reason a healthy cybersecurity ecosystem is necessary: a successful cyber-attack on your organization is not an isolated problem; it has wider social consequences.
So now that we have established why cybersecurity law is essential, the question remains: what exactly are these new laws, and how do we keep up with them? As a rule of thumb, Black & Veatch’s Global CISO James Waters offers some valuable advice:
Don’t try to do something different for every part of the world. Pick and choose what you’re going to use from a policy and procedure standpoint. Generally, pick from a global perspective the most onerous and strict regulations you have to comply with and implement them globally.
Even if your organization isn’t international, Waters’ message remains constructive: the more cohesive and consistently applied your compliance strategy, the better.
While every organization should determine and comply with the specific cybersecurity laws that apply on the state, national, and global levels, the regulatory landscape is increasingly converging around common themes across boundaries. Above all, regulatory bodies are requiring that organizations implement a risk-based approach to cybersecurity. It is in your organization’s best interest to adopt the following compliance mindset and strategies.
Employ a Risk Management Regime
First and foremost, if your organization doesn’t already have a high-level risk-management framework, it needs one. Establishing a consistent top-down approach will help you identify risks and the procedures that prevent them. This task is best overseen and driven by a Chief Information Security Officer (CISO). Some US states, such as Massachusetts, and some industries, such as finance and insurance, require that organizations employ a CISO.
There are many resources and industry standards to help you create or examine your risk management regime, such as the US-based NIST Cybersecurity Framework or the UK-based NCSC 10 Steps to Cyber Security.
Make Information Security a Priority
One of the biggest global trends in cybersecurity law is the move to protect consumers’ data, epitomized by the sweeping GDPR passed by the European Union. The California Consumer Privacy Act is due to go into effect in 2020, with states like New Jersey and Washington following suit. Chances are your organization is already affected by these new regulations, and if not, it will be very soon.
Consumer and organizational data privacy are more important than ever before, and companies must implement information security controls to stay compliant. Such controls include user access management and encryption of data at rest and in transit.
Identify an Incident Response/Management Framework
Inevitably, cyber incidents happen, but their impact can be limited with an effective incident management strategy. All organizations should have data recovery capabilities and employees equipped to identify and respond to cyber incidents.
Establishing a protocol, and having the tools to carry it out, will help your organization avoid consequences such as serious financial loss and legal repercussions. An essential part of every protocol is reporting the incident to the relevant law enforcement agency. The protocol should also include a post-incident review to help you understand how the incident was able to happen and how it could be prevented in the future. Failure to do so leaves you at risk of repeated harm and greater legal liability.
One of the easiest and most effective ways to deter cyber threats and stay compliant with cybersecurity laws is to provide your employees with training. Many incidents can be avoided with basic security awareness training for all employees, technical and non-technical. If an incident does happen, you want your security staff to have up-to-date skills to address the threat effectively and efficiently. Regular training is also important for staying on top of new cybersecurity laws and regulations as they come into effect, because they can be hard to keep up with.
Cybersecurity laws and regulations are ever-growing and becoming stricter and more complex. Cybint can provide you with all the necessary training you and your team need to stay compliant and prepared. Cybint’s continuous learning method gives you access to the latest information and technology that will help your organization avoid cyber threats and avoid legal predicaments. Reach out today to see how we can help.