Cybersecurity, Privacy, You, and Your Organization  by John Bandler

This short piece will help you get started and evaluate where you (individually) and your organization should be with cybersecurity and privacy. These are difficult topics of increasing importance and legal requirements, worth spending effort on.

Cybersecurity and privacy start with you as an individual because this allows you to learn about it, practice it, and secure yourself and your family. Then you can bring that knowledge and experience to your organization. That’s a main premise of my first book, Cybersecurity for the Home and Office. This book lays a strong and broad foundation on cybersecurity and privacy, helping the reader apply it in the home and then bring it to the workplace. One important concept is the “security dial” to envision the degree of risk one faces and the degree of protection desired. This risk analysis allows proper decision making. Another essential concept is my Four Pillars of Security, a continual process of improving knowledge and awareness, device security, data security, and network security.

Organizations must have reasonable cybersecurity and privacy practices. Sometimes, it can be difficult determining what “reasonable” means, or how to get started. Inertia, uncertainty, fear, time constraints, and compliance costs means that some individuals and organizations have not yet gotten started. But start they must, and then commit to continual improvement.

Cybersecurity and privacy are a part of good information governance, which is part of good organizational governance. The goal is to protect the organization, protect the bottom line, reputation, customers, clients, and employees. This will also put the organization in compliance with legal requirements. New York passed the SHIELD Act which created a new cybersecurity requirement and enhanced data breach reporting rules as I wrote about here. The California Consumer Privacy Act (CCPA) went into effect with national implications, and the National Institute of Standards and Technology (NIST) released their Privacy Framework v 1.0, as I summarize here. The European General Data Protection Regulation (GDPR) also affects businesses in the U.S.

Organizations need to consider their “risk dial” for cybersecurity and privacy, and what effort and steps are required. The goal is to be “diligent” and “reasonable” on these fronts (no one wants to be considered “negligent” or "sloppy"). Organizations should build a margin of error into their analysis, because reasonable people will disagree and views may change. The CEO may think certain measures are sufficient but the regulator may disagree. Cybersecurity or privacy practices may seem sufficient during clear weather, but after a data breach or serious incident, perspective changes.

Organizations should realize that good cybersecurity and privacy requires effort, and there are no magic solutions. This is a challenging area where perfection is impossible and continual improvement is required. Once this is understood, organizations can resolve to continually improve themselves.

What should organizations do to be reasonable and diligent as to their cybersecurity and privacy practices?

Step one is to prevent a problem. Protect from becoming a cybercrime victim, prevent data breach, theft, ransomware, and more. Focus on this as the main goal, because avoiding a serious incident saves time, money, reputation, business, and stress. This is also an opportunity to improve efficiency.

Step two is examining applicable laws and regulations. What I call "external rules" that the organization must comply with.

Step three is reviewing organization internal rules — policies and procedures. Do they exist? Do they properly align with external rules? Are they based upon good guidance? Are they understandable, practical, and complied with by members of the organization? These internal rules are important to prevent problems, and to properly respond to them.

Most organizations should probably have written policies covering three areas: cybersecurity (information security), incident response (including data breach reporting), and privacy. Individuals at all levels of the organization should be trained on these governance documents, which should be reviewed and updated periodically. Importantly, these documents are not just for compliance, they are an important mechanism towards preventing a problem and good governance (see my article Policies, Procedures, and Governance of an Organization).

If the problem has already occurred, it needs to be managed properly. A diligent investigation reveals the facts needed to properly make decisions, and the organization may need to make legally required notifications. The investigative process and the surrounding legal requirements are detailed in my second book, Cybercrime Investigations.

What should you as an individual do to get started on your cybersecurity and privacy? Take a look at my articles (including cybersecurity tips) and first book. Check out my four pillars of security (i) knowledge and awareness, (ii) device security, (iii) data security, (iv) network/internet security. Check the privacy and security settings on your devices, applications, and cloud accounts. For email and important internet accounts use strong, unique passwords and enable two factor authentication. Verbally confirm all instructions regarding the transfer of funds. Some individuals should consider professional assistance.

Organizations should get started too. Often professional assistance yields an efficient and better quality result.

This short article is designed to provide helpful introductory information, and (of course) is not legal or consulting advice, nor tailored to your circumstances.

Additional reading:

Helpful short articles and pages related to this include:

This article is hosted at https://johnbandler.com/cybersecurity-privacy-you-and-your-organizatio, copyright John Bandler, all rights reserved.

A copy of this article (though perhaps not kept as up to date) is available on Medium at https://johnbandler.medium.com/cybersecurity-privacy-you-and-your-organization-7a48751906fb

Posted 2/5/2020. Updated 8/19/2021.