Many small to mid-sized, and even some large organizations, believe that their cybersecurity technology is the end-all, be-all to protecting their customer and employee data.
Among these organizations, rarely is there a holistic, documented process addressing security and data protection. The plan is the technology and the technology is the plan — end of story.
But this technology-only approach is extremely short-sighted. In this era of increased cyber-related criminal activity and data breaches, these companies are violating the foundational tenet of information security: a multi-step risk management process.
It’s not just about tech — and not just about IT
Security technology is a solution that addresses specific risks to data. But what if a company has not identified all the risks? Or worse yet, what if the company doesn’t even know where all their sensitive data is? You cannot protect data you either do not know you have or do not know the location of.
First, companies need to identify which assets hold sensitive data, any and all threats to those assets, internal vulnerabilities, the potential impact on the business if those assets were indeed compromised, and possible controls (or solutions) to address the risks.
If done right, the risk management process adopts a holistic approach covering the entire business — people, process, and technology.
Companies ignore this at their peril. Based on Ponemon Institute’s current average estimated cost of $258 per record to resolve a data breach, it makes much better business sense to proactively incorporate a holistic approach into the fabric of a company, rather than waiting for a blind spot to be breached.
Consider the legal landmines
Secondly, the technology-only approach may cause companies to unknowingly break the law and open their doors to government investigations, enforcement actions, or lawsuits.
On a federal level, the U.S. has historically taken an industry-specific approach when it comes to laws regulating the safeguarding of Personal Identifying Information (PII) — HIPAA for healthcare and the GLBA for the financial industry, to name two.
However, due to the mounting risks to consumers, some states have taken up the mantle by enacting private-sector data security laws. The number of states that have passed cybersecurity laws has nearly doubled within the last three years.
Some states (Alabama, Florida, Kansas, and Maryland, for example) make it explicitly clear that these laws even apply to solo-preneurs. Violations could lead to prosecution or lawsuits.
Furthermore, state and federal unfair trade practices laws are now being used by state attorneys general and the Federal Trade Commission to regulate data security practices.
A common theme emerges: companies need to implement and maintain reasonable security procedures and use a risk-based approach to determine what security measures to implement. That includes administrative, technical and physical safeguards – not just technology.
No company is too small to start
Beyond potential negative consequences, startups and small businesses should also consider the business upside of a risk mitigation strategy.
If a company plans to do business with large corporations, seek capital from investors, or sell to another company, it should know that these actors are increasingly conscious of security risk. It’s becoming more likely that evaluating a company’s security process will become a customary part of due diligence.
The good news is that the complexity of the approach depends on the complexity of the company, so a solo-preneur’s information security plan will be easy compared to that of a 200-employee company. The key is following simple steps:
- Document the requirements of the data security and privacy laws that apply to your company in every location you operate
- Identify the types of personal data your company collects and map its flow through the business
- Inventory all relevant assets (e.g. hardware and software)
- Do a risk assessment
- Use all the information you’ve gathered to create a comprehensive written information security plan that includes administrative, technical and physical safeguards
AdoLisa Ezeagu, Esq., CIPP/US is the managing attorney of Ezeagu Law Firm LLC, a boutique data privacy and cyber risk law firm. AdoLisa helps companies comply with privacy and cybersecurity laws and build legally defensible programs. She will share more on this approach in an upcoming free Lunch and Learn on April 17.
Note: The contents of this article are for informational purposes only and are not intended to be, nor should they be, interpreted as legal advice.