Cybersecurity, Privacy, You, and Your Organization
by John Bandler
Cybersecurity and privacy are unique areas that impact you personally and professionally, and are of great importance for your organization. These are difficult topics of increasing importance and legal requirements, worth investing effort. The good news is your effort benefits you personally and can help improve your organization.
It starts with you, your home, and family
Cybersecurity and privacy start with you as an individual because this allows you to learn about it, practice it, and secure yourself and your family. Then you can bring that knowledge and experience to your organization. That’s a main premise of my first book, Cybersecurity for the Home and Office. We can learn about cybersecurity and privacy, apply it in the home, and then bring it to the workplace. I have developed two important concepts with this:
- The “security dial” to conceptualize the degree of risk faced and the degree of protection desired. This risk analysis allows properly tailored decision making.
- My Four Pillars of Security, a continual process of improving knowledge and awareness, device security, data security, and network security.
Bring your knowledge to the workplace
If we understand the basics of cybersecurity and privacy, and what it means to us as individuals, we are well situated to bring that knowledge to our workplace.
Organizations must have reasonable cybersecurity and privacy practices. Sometimes, it can be difficult determining what “reasonable” means, or how to get started. Inertia, uncertainty, fear, time constraints, and compliance costs means that some individuals and organizations have not yet gotten started. But start they must, and then commit to continual improvement.
Cybersecurity and privacy are a part of good information governance (management), which is part of good organizational governance. The goal is to protect the organization, protect the bottom line, reputation, customers, clients, and employees. This will also put the organization in compliance with legal requirements.
Legal requirements are here and increasing
Laws and regulations are evolving and increasing. We first consider traditional, existing laws, and then the newer cyber and privacy laws. There have been some significant developments in the past few years to include:
- New York passed the SHIELD Act which created a new cybersecurity requirement and enhanced data breach reporting rules.
- The California Consumer Privacy Act (CCPA) went into effect with national implications, and then the California Privacy Rights Act (CPRA).
- The National Institute of Standards and Technology (NIST) released their Privacy Framework v 1.0 in 2020.
- The European General Data Protection Regulation (GDPR) also affects businesses in the U.S.
I discuss the legal requirements in more detail here.
Be diligent and reasonable
Organizations need to consider their “risk dial” for cybersecurity and privacy, and what effort and steps are required. The goal is to be “diligent” and “reasonable” on these fronts -- no company wants to be considered “negligent” or "sloppy". Organizations should build a margin of error into their analysis, because reasonable people will disagree and views may change (the CEO may think certain measures are sufficient, but the regulator may disagree). And cybersecurity or privacy practices may seem reasonable in the normal course of operations, but after a data breach or serious incident, perspective changes and hindsight can take over.
Organizations should realize that good cybersecurity and privacy requires effort, and there are no magic solutions. It is a challenging area where perfection is impossible but continual improvement is required.
How can organizations do what is reasonable and diligent for cybersecurity and privacy?
Step one is to prevent a problem. Protect from becoming a cybercrime victim, prevent data breach, theft, ransomware, and more. Focus on this as the main goal, because avoiding a serious incident saves time, money, reputation, business, and stress. This is also an opportunity to improve efficiency.
Step two is to examine applicable laws and regulations. I call these "external rules" because they come from outside the organization and compliance is required.
Step three is reviewing organization internal rules — policies and procedures. Do they exist? Do they properly align with external rules? Are they based upon good guidance? Are they understandable, practical, and complied with by members of the organization? These internal rules are important to prevent problems, and to properly respond to incidents. They are also required by certain laws or regulations.
Internal policies are needed
Most organizations should probably have written policies covering three areas:
- Cybersecurity (information security)
- Incident response (including data breach reporting), and
All people in the organization should be trained on these governance documents, which should be reviewed and updated periodically.
Again these documents are an important mechanism towards preventing a problem and for good governance, they are never just for "show" (see my article Policies, Procedures, and Governance of an Organization).
Prevent a problem, but respond if it has occurred
If the problem has already occurred, it needs to be managed properly. A diligent investigation reveals the facts needed to properly make decisions, and the organization may need to make legally required notifications. The investigative process and the surrounding legal requirements are detailed in my second book, Cybercrime Investigations.
Next steps (and conclusion)
Individuals can take a look at my articles (including cybersecurity tips) and first book. My Four Pillars of Cybersecurity concept is helpful, check the privacy and security settings on your devices, applications, and cloud accounts. For email and important internet accounts use strong, unique passwords and enable two factor authentication. Verbally confirm all instructions regarding the transfer of funds. Some individuals should consider professional assistance.
Organizations should get started too, starting with the above, and developing a cybersecurity program. Professional assistance can help bring efficient and quality improvements.
This short article is designed to provide helpful introductory information, and (of course) is not legal or consulting advice, nor tailored to your circumstances.
Helpful short articles and pages related to this include:
- Policies, Procedures, and Governance of an Organization
- Policies and Procedures
- Bandler's Four Pillars of Cybersecurity
- Cybersecurity Laws and Regulations (Part 1)
- Cybersecurity Tips from John Bandler
- New York Cybersecurity Requirements and the SHIELD Act
- Privacy, You, Your Organization, and the New NIST Privacy Framework
- My services page
- My books
- More articles
This article is hosted at https://johnbandler.com/cybersecurity-privacy-you-and-your-organization, copyright John Bandler, all rights reserved.
A copy of this article (though perhaps not kept as up to date) is available on Medium at https://johnbandler.medium.com/cybersecurity-privacy-you-and-your-organization-7a48751906fb
Posted 2/5/2020. Updated 4/10/2022.