This is the newest installment of a recurring monthly guest column by Envision's COO, Jason Albuquerque, featured on Providence Business News. In this article, Jason speaks about the notion of 'reasonable' security standards and the role business leaders play in shaping its definition.
To call the pace of change that business leaders face these days “rapid” is a disservice to businesses that are under unprecedented pressure. Based on a recent PricewaterhouseCoopers study, 77% of executives are struggling with hiring and retaining talent. Executives see no reprieve from inflation, and supply chain problems will continue into 2023. At the same time, 60% of executives have identified digital transformation as a critical growth focus for remaining agile and resilient.
With that amount of disruption, we still see that executives are most concerned about cybersecurity, data, and privacy regulations. The last thing that a business can afford is a data breach.
When it comes to cybersecurity incidents and data breaches, we see the headlines when big corporations are hit. But what we don’t see are the thousands of breaches that happen every year to smaller organizations. Did many notice incidents at Center for Sight Inc., A.A. Zamarro & Associates Inc., or Northeast Rehabilitation Hospital Network? These cybersecurity incidents alone affected tens of thousands of southern New Englanders and were major disruptions for those businesses. Last year alone, data breaches affected 294 million individuals.
As business leaders and their legal counsel attempt to navigate data privacy laws and regulatory mandates, regulatory bodies continue to enact new and refined privacy and data security requirements.
Across these statutes and directives is the increased use of terms such as reasonable, appropriate, acceptable, and practical when it comes to the security measures businesses are expected to take. “Reasonable” is peppered throughout the Massachusetts privacy law and is a staple in the Rhode Island Identity Theft Protection Act.
So how do you appropriately define “reasonable” when it could be the deciding factor in whether your organization is fined, or in whether your business is at risk of civil litigation and liable on the basis of perceived negligence?
Luckily, standards and best practices shared by the cybersecurity industry and the federal government help define those reasonable expectations. Here are some ways for Rhode Island businesses to begin to mature their cybersecurity programs and effectively manage the risk, ultimately helping them meet the “reasonableness” standard.
First and foremost, cybersecurity should be prioritized at the highest levels of leadership. Risk and business resilience should be a staple agenda item for leaders. Cybersecurity is a shared responsibility across the entirety of the business, embedded in a culture where every employee is engaged.
Modern cybersecurity programs must be based on industry standards, best practices, and frameworks. The National Institute of Standards and Technology Cybersecurity Framework is a gold standard that can help organizations build comprehensive and sustainable programs that focus on people, processes, technology, policies, supply chain risk, and more. The success of a program is dependent on investing and adopting these best practices, instead of the shiny new tool that will claim to solve all cybersecurity woes.
Organizations need to have a written information security program – or a WISP – that outlines policies and guidelines to protect the confidentiality and security of personal information. It has been a regulatory requirement for quite some time for all organizations that handle the personal information of any Massachusetts resident. A Rhode Island business was recently penalized $230,000 under a settlement reached with the Mass. Office of the Attorney General for lacking a WISP. No matter what type of personal or sensitive data it handles, every business should have a well-documented program that outlines procedural, physical, and technical safeguards for a customer’s private data.
Businesses must have continuous visibility into their cyber risk. Performing regular and formalized assessments is a core component of a company’s resilience. These continuous activities start by assessing the current risks, then help the business identify, prioritize, and find ways to remediate those risks.
With the right culture, program, best practices, and risk assessment practices, a business can realize the benefits of modern technologies and cybersecurity innovation and take full advantage of them. Technologies alone, without these supporting strategies, will fail your business.
While some organizations and executives will continue to drag their feet and steer clear of cybersecurity conversations, the risks from cyberattacks grow exponentially daily. With pressures from privacy laws and regulatory oversight, the damages from disciplinary actions or lawsuits will become enormous.
Confronted with these massive amounts of potential cybersecurity liabilities, organizations that are proactive will mature. Those that aren’t will risk going out of business.