Cybersecurity is gaining attention for all the wrong reasons and legislative bodies at the state and federal level are taking notice. The EU’s GDPR went into effect years ago which effectively legislated the adoption of more stringent cybersecurity controls, leaving the U.S. behind, and giving the right impression; U.S. organizations were the easier target for a mugging. Given the recent Colonial Pipeline hack Congress is now taking a serious look at Cybersecurity responsibilities.1
To appreciate the predicted future, we need to look at what some states have been doing to get ahead of the problem. In the U.S., the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. The CCPA enhanced data protection standards in California, expanding the definition of personal information and providing GDPR-like rights to consumers. Virginia is the second U.S. state to offer similar rights to consumers by passing the Virginia Consumer Data Protection Act (VCDPA). This goes into effect on January 1, 2023, with other states planning to follow suit.
Additionally, New York passed the SHIELD Act strengthening data security protections2. The New York Department of Financial Services raised the bar for financial services companies regulated by New York State, imposing specific requirements3 around cybersecurity compliance.
The NIST Cybersecurity Framework: For New/Previous Users
You may already be arguably positioned to accommodate new legislation because you are currently familiar with and applying practices to meet existing legislation, industry mandates or business partner requirements. But if you are not or are part of the countless others for who this will be a new experience, there is some good news. For the most part, all the legislation in the U.S. and industry/business mandates rely on the same resource in their efforts; the NIST Cybersecurity Framework.
Reducing Risk
In 2014 the NIST Cybersecurity Framework4 was created. This framework is highly leveraged within the cybersecurity discipline to manage risk by providing a methodology, guidance, and best practices on how to measure and mitigate those risks across a wide set of security concerns. It is thorough, detailed, and you can get lost in the weeds; but even a cursory review and application of what you see will help reduce your risk.
At a high level, the NIST framework groups cybersecurity concepts into 23 categories with underlying technical domains in areas such as:
- Access Control
- Systems & Communications Protections
- Identification & Authorization
- Physical Security
- System & Information Integrity
Benefits & Guidelines
A thoughtful and honest review of each of the categories and domains against your own operations will help organize your approach and identify areas of opportunity to make improvements. Those improvements may take the form of new technology, but more frequently, drive better policies and procedures of existing resources.
The “Incident Response” domain may simply contribute to management dialogue on ransomware and guiding the user on business and technical concerns, such as:
- How would we become aware of an attack?
- Who manages the response?
- What methods are available to us to recover?
- Do we negotiation and what payment policies do we follow?
- Should we acquire Cyber Insurance?
- Who controls messaging to clients?
In present time, legislation may seem heavy handed and simply intended to create more busy work, hand wringing, and CYA; but the intention and goals have virtue and real-world benefits. If the integrity, confidentiality and availability of your business data, IT operations and reputation are of value this is simply a business function and cost of doing business, which requires your attention.
How Focus Can Help
This does not need to be viewed as an onerous burden. Focus Technology has been helping clients take measured steps to prepare or respond to legislation and/or simply work to achieve more secure business operations for over 20 years.
If you would like to discuss further? Contact me directly at sfurlong@focustsi.com
Citations:
- The Cybersecurity 202: Congress is tiring of the ‘don’t blame hacked companies’ line (msn.com)
- https://www.nysenate.gov/legislation/bills/2019/s5575?_hsenc=p2ANqtz-_uswR3Gh-vfd-Mq2IdGzHXs0AyFQ8oTSYRNpK_IEbZyYdV-AuVZVRe_1zcun4i8wPSv8Bs
- https://govt.westlaw.com/nycrr/Browse/Home/NewYork/NewYorkCodesRulesandRegulations?guid=I5be30d2007f811e79d43a037eefd0011&originationContext=documenttoc&transitionType=Default&contextData=%28sc.Default%29&_hsenc=p2ANqtz-_uswR3Gh-vfd-Mq2IdGzHXs0AyFQ8oTSYRNpK_IEbZyYdV-AuVZVRe_1zcun4i8wPSv8Bs
- https://en.wikipedia.org/wiki/NIST_Cybersecurity_Framework