Cybersecurity, Privacy, You, and Your Organization

This short piece will help you get started and evaluate where you and your organization should be with cybersecurity and privacy. These are difficult topics of increasing importance and legal requirements.

Cybersecurity and privacy starts with you as an individual because this allows you to learn about it, practice it, and secure yourself and your family. Then you can bring that knowledge and experience to your organization. That’s a main premise of my first book, Cybersecurity for the Home and Office.

Organizations need to have reasonable cybersecurity and privacy practices. Sometimes, it can be difficult determining what “reasonable” means, or how to get started. Inertia, uncertainty, fear, time constraints, and compliance costs means that some individuals and organizations have not yet gotten started. But they need to.

Cybersecurity and privacy are a part of good information governance, which is part of good organizational governance. The goal is to protect the organization, protect the bottom line, reputation, customers, clients, and employees. Also to conform with legal requirements. New York just passed the SHIELD Act which created a new cybersecurity requirement and enhanced data breach reporting rules as I wrote about here. The California Consumer Privacy Act (CCPA) went into effect with national implications, and the National Institute of Standards and Technology (NIST) just released their Privacy Framework v 1.0, as I summarize here. The European General Data Protection Regulation (GDPR) also affects businesses in the U.S.

My first book Cybersecurity for the Home and Office lays a strong and broad foundation on cybersecurity and privacy, helping the reader apply it in the home and then bring it to the workplace. One important concept is the “security dial” to envision the degree of risk one faces and the degree of protection desired. This concept demonstrates that risk analysis must be performed and choices made.

Organizations need to consider their “risk dial” for cybersecurity and privacy, and what effort and steps are required. The goal is to be “diligent” and “reasonable” on these fronts, as no one wants to be considered “negligent”. Organizations should build a margin of error into their analysis, because reasonable people will disagree and views may change. A regulator’s perspective may be different from the CEO’s, and analyzing cybersecurity or privacy practices before a serious incident is very different compared to after.

Organizations should realize that good cybersecurity and privacy requires effort, and there are no magic solutions. This is a challenging area where perfection is impossible and continual improvement is required. Once this is understood, organizations can resolve to continually improve their policies and practices on an annual basis.

What should organizations do to be reasonable and diligent as to their cybersecurity and privacy practices?

Step one is to prevent a problem. Prevent a cybercrime incident, prevent a privacy issue. This may be easier said than done, but remember this as the main goal. Avoiding a serious incident saves time, money, reputation, and stress.

Step two is examining organization internal rules — policies and procedures. Do they exist? Do they confirm with external rules (laws and regulations)? Are they understandable, practical, and complied with?

Most organizations probably should have a privacy policy, a cybersecurity (information security) policy, and an incident response (data breach reporting) policy. These are three important starting areas. Individuals at all levels of the organization should be trained on these governance documents, which should be reviewed and updated periodically. Importantly, these documents are not just for compliance’s sake, they are an important mechanism towards preventing a problem in the first place.

If the problem has already occurred, it needs to be managed properly. There may be legally required notifications that need to take place, and cybercrime needs to be investigated, as detailed in my second book, Cybercrime Investigations.

What should you, as an individual, do to get started on your cybersecurity and privacy? Take a look at my articles and first book. Check out my four pillars of security (i) knowledge and awareness, (ii) device security, (iii) data security, (iv) network/internet security. Check the privacy and security settings on your devices, applications, and cloud accounts. For email and important internet accounts use strong, unique passwords and enable two factor authentication. Verbally confirm all instructions regarding the transfer of funds.

See my website for a copy of this article plus additional references, starting at:
https://johnbandler.com/cybersecurity-privacy-you-and-your-organization/

My books are
Cybersecurity for the Home and Office: The Lawyer’s Guide to Taking Charge of Your Own Information Security
Cybercrime Investigations: A Comprehensive Resource for Everyone

Posted 2/5/2020. Updated 2/14/2020.

A copy of this article is available on Medium at https://medium.com/@johnbandler/cybersecurity-privacy-you-and-your-organization-7a48751906fb