Lost among all the recent news about data vulnerability — last month’s Equifax credit report breach, last year’s Yahoo password hack, or the Whole Foods payment card breach reported just the other day — are three new government cybersecurity programs. The FTC’s “Start With Security” initiative, New York State’s Department of Financial Services regulations, and the US Department of Defense’s DFARS (Defense Federal Acquisition Regulation Supplement) orders have all gone into effect this year. But each program could represent the future of the cybersecurity landscape.
First, the Federal Trade Commission (FTC) kicked off its push for cybersecurity best practices in September, focusing on how sensitive data is collected and protected. In addition to encouraging companies not to collect data they might be required by compliance regulations to encrypt or protect, “Start With Security” also emphasizes what it calls a company’s #1 threat for data breach compromise: employees. “What poses the greatest risk to the security of sensitive information in your company’s possession?” the FTC asks in its first round of materials. “And what’s your #1 defense against unauthorized access? The answer to both questions is your staff.”
Security training is imperative for new employees, especially as fresh rounds of cybersecurity regulations roll out. Secure access — think two-factor authentication, secure sign-on, and password management programs — is equally important, as is proper offboarding, including removal of access privileges for workers who’ve left your company. Clearly defined policies and procedures implemented with the help of a trusted IT provider can protect your company from data compromise. And that can help you and your staff pivot from a defensive, reactive approach to IT security to an offensive, proactive one.
That’s precisely the approach of the state of New York’s Department of Financial Services, which in March issued the first state-level regulations on cybersecurity for financial institutions. These tough new statutes are geared toward one particular industry, but many IT experts expect the rules to serve as a roadmap for the inevitable information security compliance landscape that lies just over the horizon, even for non-financial industries.
DFS now requires all financial firms operating in the Empire State to establish and maintain a cybersecurity program designed to protect consumers’ private data and ensure the safety and soundness of New York’s financial services industry. Important protections such as risk detection, encryption standards, incident response plans, and regulatory reporting requirements are now in place, all aimed at preventing third-party providers and business associates from causing a data risk. Think back to the Target breach, which stemmed from a third-party HVAC provider’s unsecured access to Target’s payment system, and it’s evident why such protocols are necessary.
That is also why the Department of Defense set a December 31, 2017 deadline to comply with its latest mandate, DFARS (Defense Federal Acquisition Regulation Supplement). Any contractor that houses or processes unclassified DoD data must demonstrate its cybersecurity compliance at a level even more stringent than the DFS rules. As with HIPAA measures implemented in 2013, failure to comply could leave companies in breach of contract and subject to civil, administrative and even criminal penalties in the case of a cyber incident.
What does it all mean — especially for the business owner trying to keep up day-to-day operations? It means you need an IT provider that understands these complicated new compliance standards. It means you need to treat your company’s sensitive data with the utmost care — as anyone who’s followed the Equifax breach story knows, your revenue, your success, and your reputation could be on the line.
And don’t assume that hackers only target large corporations: the Ponemon Institute’s 2016 State of SMB Cybersecurity report found that 50% of the IT leaders who responded said their business had been hacked in the previous 12 months.
If your company depends on technology — and in 2017, what company doesn’t? — you deserve local, proactive IT support delivered by a fellow small business owner in your community. Every CMIT Solutions is also backed by a North America-wide network of more than 170 offices and 800 technicians who stand ready to help, 24x7x365. We worry about IT so you don’t have to.