Cyber Security: No longer just for regulated businesses
If you’re not already operating under some form of regulation, you soon will be. In fact, you probably are already, whether you know it or not. But whether your business is highly regulated or not, it is at risk and could benefit from taking a more security-conscious approach.
We all understand the fundamentals of business and the importance of customer service, quality in operations and accuracy in accounting. They all play a role in the sustainability of our firms. But now there’s a new required skill in this mix, the 21st century version of these core competencies: cybersecurity.
Businesses that have to follow existing regulations understand the need for security. The health care sector, for example, has HIPAA and HITECH regulations to protect patient privacy in the age of digital patient records, while the credit card industry has PCI regulations intended to protect cardholder information. Up to now, cybersecurity regulations have been spotty, targeting only certain sectors of the economy. But that’s about to change with an onslaught of pending federal and state laws that not only address procedures for breach notification but also prescribe what you need to do to protect against data breaches. In short, if you’re not already operating under some form of regulation, you soon will be. In fact, you probably are already, whether you know it or not.
However, whether highly regulated or not, every business can benefit from embracing best practices that also meet regulatory requirements. Here’s why.
- You’re going to be directly impacted by new regulations.
While there are state-by-state laws regarding breach notifications, there are pending laws that will affect any business that has individuals’ information, including sales and marketing lists. It doesn’t matter why you have the information or what you do with it.
Regulations are going to address what you’re doing to protect sensitive information from unauthorized access by bad actors. And since the bad actors are typically located outside the U.S., there’s very little we can do to them directly. So the laws aren’t about protecting you from the bad actors, but rather about protecting the individuals whose data you possess. In other words, the laws are about protecting other people from you once you have been breached!
- Your B2B customers will impose their additional requirements on you.
If you’re a B2B company, your business customers are going to be asking you to follow the same set of rules or policies they have to follow or have set up for themselves. In effect, your customers are expecting you to be as secure as they intend to be.
When it comes to requirements, your B2B customers will speak for themselves. Government is becoming a proxy for your B2C customers.
- There are other existential threats directly to your business.
Some security threats, while they do not put you in direct violation of regulations, are existential threats to your business in their own right: loss of funds, or being shut down outright because bad actors have locked up your IT assets until you pay a ransom.
Like the legacy core business practices, security should be treated as a virtue in itself: it improves the very sustainability of your business, with legal compliance as an added benefit.
True protection begins with treating cybersecurity as a fundamental component of your entire risk management process. It requires commitment from the business leadership to address it, to make plans and policies around it and to talk to your workforce about cybersecurity being everybody’s business. And while there are multiple cookbooks for security best practices, we encourage you to find an expert to ensure that your security needs are understood and your security program is meeting your business needs.