Pratum Blog

Finding the best approach to security risks within your business.

Business is all about taking risk. Some risks will pay off, while others will come back to haunt you. Unfortunately, there’s no crystal ball to know which risks will be worth the potential danger.

The same can be said about cybersecurity.

Protecting your business from cyber-threats can be costly and time-consuming. There comes a point when a business goes too far to protect itself. Not every organization needs every security measure known to man. You have to determine what level of risk makes sense for your situation.

We’ve come up with some questions every business leader should ask when determining what cybersecurity protection their organization needs.

1. How Do I Determine Risk?

Every business has a certain level of risk it can tolerate before that risk threatens the future of the company. Determining risk is all about finding your unique tolerance level.

Look at the information your company is storing. Do you have client or employee personal information? Do you have intellectual property such as R&D, patents, etc.? Do you have access to your vendors’ critical information? Then, determine how that information is being protected.

Security professionals should be able to identify, document and explain the various security risks related to the use or storage of this information for you. However, you as the business leader should make the decisions about how much risk to take. Savvy leaders must consider all the risks, then sort through the noise to determine what really impacts business operations.

2. How Much Protection Is Appropriate?

Some risk is good! Risking investments to make money can earn you even more money. Taking on a new product no one else is trying could pay off with a new opportunity in an untapped market.

Knowing what level of protection your business needs is all about knowing your business well. If you pay for a lot of cutting-edge security technology your company does not need, you might be losing money your business could use to grow. Over-protection might be the downfall of your company.

Consider this: If you live in a brick home in a wet climate, you are far less likely to face fire damage than someone in a wooden home in a dry climate. Buying a robust fire insurance policy for the home in the wet climate would be a waste of money. Not having enough coverage for the wooden home would be too risky. Each home should have a plan designed for its needs.

Cybersecurity should be approached in the same way. The level of risk you can handle is always going to be dependent on the situation your business is currently in.

3. Am I Following the Crowd?

Getting advice and guidance from colleagues is a great way to stay up to date with the latest technology trends and threats. Those resources can be invaluable. However, following the crowd too much is dangerous. “Best practices” are not always universal truths when it comes to cybersecurity.

Having the same cybersecurity protection as everyone else may sound safe, but it’s not going to be the perfect fit for your company. Keeping up with the specific needs of your organization is your responsibility. There should be constant communication and analysis of your cybersecurity operations.

At the end of the day, it’s up to each business leader to decide what makes sense for their own company's interests. Consultants and colleagues can give great advice and valuable wisdom, but the final say needs to come from company leadership.

4. Do I Need Any Cybersecurity Protection?

Yes, but it varies. While you may not need as much protection as your neighbor next door, you always need to have some safeguards in place to protect your business. The three pillars of information security are confidentiality, integrity and availability. While each of these is important to every business, the blend that works for you will be unique.

Cyberattacks happen every day, and they target all levels of organizations. No matter how big or small your operation is, there are hackers looking to gain access to the valuable information you possess.

Risk What You Can, Protect What You Must

You will never be able to eliminate all risk. It would be too costly, and you would never accomplish anything! People take risks every day. Driving to work or eating food could be potentially dangerous, but some risks are more necessary than others. Some need to be more documented and calculated.

We all have a risk tolerance level, and so does your company. Tolerance levels will fluctuate with changes in the industry, new cyber threats, and evolving leadership. Recognize and understand these dynamics so you can stay ahead of the risks your business will face.

California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) has been in effect since the beginning of 2020. This new legislation requires certain businesses to disclose what personal data they hold to customers requesting that information. This is considered a landmark piece of legislation to secure California residents’ privacy rights. While it’s still unclear how much this legislation will impact businesses, there are rights set in place for what consumers can expect.

New Rights for California Consumers:

  • Knowing what personal information is collected, used, shared or sold.
  • Having the right to delete personal information held by businesses and, by extension, those businesses’ service providers.
  • Exercising the right to opt-out of sale of personal information. (Children under 16 must provide opt-in consent. Children under 13 need parental or guardian consent.)
  • Having the right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA.

So how will this impact the rest of the country? For one, California is not the only state to enact this sort of legislation. According to CNET, Nevada and Maine have already passed similar legislation and 11 other states are also considering privacy bills.

Another way it could impact more than just California residents is that some of the businesses complying with the CCPA are offering the same privacy rights to ALL U.S. customers, not just the ones who live in the Golden State. That means if you live in Iowa and want to know what a California business has on file about you, you may be able to find out and request it be removed from their servers.

How CCPA Compares to GDPR

While this new push for privacy may seem progressive to Americans, it’s been a part of European business practices for two years now and in a more aggressive way. The General Data Protection Regulation (GDPR) went into effect in 2018. The goal of the GDPR is to give individuals control over their own personal data. EU, EEA, and UK residents now have access to and can correct, delete, and export personal information. The GDPR also has more privacy controls in place, and much steeper fines and penalties for those who don’t comply.

These provisions apply to almost all organizations that collect data from EU, EEA, and UK individuals. That includes small businesses, non-profits, non-technology companies, and organizations operating outside of Europe.

The GDPR is also designed to make compliance easier for groups working internationally. Under these parameters, organizations only have one set of privacy laws to understand and abide by, rather than a new set of laws for each country within the region.

Federal Privacy Law Potential

This sort of universal legislation may be something we see in the United States in the near future. With more states creating their own guidelines, there is talk of new, federal privacy legislation.

The possibility of federal privacy laws resembling the CCPA or GDPR is growing more likely after two U.S. Senators proposed legislation that would be stricter than the CCPA in some respects. According to the Brookings Institute, Senator Roger Wicker (R-MS) and Senator Maria Cantwell (D-WA) proposed bills that place stricter limitations on algorithmic decision-making, biometric data, and data minimization.

Federal legislation has been reassuring to some businesses already following CCPA. The concern is that each state will enact their own privacy laws, making it difficult for companies to keep up with so many different sets of rules. However, even though federal law supersedes state law, some federal laws allow states to enact tougher requirements on top of the federal regulations.

Concerns Over Privacy Legislation

As with any significant change, there are some concerns being raised over the stricter privacy laws. One case out of Germany shows why the concerns may be justified. An Amazon Alexa user requested all of the audio files his device had picked up. Instead, he was given 1,700 audio files from the wrong home. Amazon blamed the mistake on “human error” and said it was an isolated incident.

That’s just one example of how a legitimate customer’s private data could end up with the wrong person when it is requested. However, even when businesses try to avoid this sort of mistake, the possibility of critical information getting into the hands of a criminal is there. That’s why some California businesses are now setting stricter guidelines for customers wanting to access their own data.

A New York Times article outlines a recent situation in which a business trying to comply with CCPA hired a third-party vendor to handle the influx of customer information requests. The vendor started verifying these requests by asking customers to supply more identification. This was typically done by asking for images of customers’ driver’s licenses and even additional photos of customers smiling. This sort of extra information was concerning to some customers. In short, the business wanted more private data to release the customer’s private data.

It appears to be a cybersecurity cycle that organizations are still trying to figure out. What is designed to help protect your data could put you at risk of exposing even more personal information.

What You Can Do

Because this legislation is so new, businesses could use early compliance as an advantage. Using the time and resources needed to become CCPA or GDPR compliant could put you a step above the competition. Touting an emphasis on privacy is appealing to many consumers.

Even if you’re not proactive with privacy for a business boost, you should start considering what compliance will look like for your organization. Companies should accept the fact that privacy rights are a growing concern and new legislation will be coming.

Here are a few steps your business should be taking now to get ready:

1. Designate a privacy officer, someone in charge of organizing the process to become compliant.

2. Be externally compliant. Update your privacy notice on your company website.

3. Think about data inventory. Know where information is located within your system.

4. Figure out how you will be able to obtain and report customer information when requested.

5. Decide on a verification process to ensure the data you’re giving out goes to the correct person.

Figuring this all out may not be easy, but getting to work on it early could save you a lot of issues and headaches later. Regardless of whether it’s CCPA or another piece of legislation, this is something many businesses will need to respond to. It’s up to each company to decide if they want to be proactive or reactive.

If you need help with objectives like inventory, security controls, process recommendations, or who to reach out to for legal compliance, Pratum representatives work with national and international businesses every day. A Pratum cybersecurity expert would be happy to help guide you through the privacy legislation process.

(References: https://www.cnet.com/news/californias-new-ccpa-privacy-rights-could-come-to-your-state-too/
https://www.brookings.edu/blog/techtank/2019/12/19/highlights-the-gdpr-and-ccpa-as-benchmarks-for-federal-privacy-legislation/
https://www.reuters.com/article/us-amazon-data-security/amazon-error-allowed-alexa-user-to-eavesdrop-on-another-home-idUSKCN1OJ15J
https://www.nytimes.com/2020/01/15/technology/data-privacy-law-access.html)
Rowing Team working together for a common goal.

In the early 1980s, Ford Motor Company’s slogan was “Quality is Job 1.” That mentality was born from Ford’s President, Philip Caldwell, who believed the only way to compete in the automotive industry was to stop pushing out large quantities and focus on the quality.

That change made a big impact. The slogan lasted 17 years and helped make Ford one of the top auto makers in the world. The reason that initiative worked for Ford wasn’t just because it was a catchy phrase. It's because the mentality behind it was embraced by every level of the company. From janitors to the CEO, everyone believed in the message.

For your company to have a successful cybersecurity program, you also need the whole team to get on board!

Why Does Company-Wide Cybersecurity Matter?

According to the Verizon Data Breach Report in 2019, one-third of breaches had a social engineering component. That means the people inside the company, and sometimes outside, are a big part of the problem. Without education or training, employees may open dangerous emails, allow a stranger into the building, or give away private information on the phone. Hackers have become savvier and increasingly rely on exploiting human behavior. That means business leaders and employees need to be constantly adapting with the times, as well.

A significant breach of your company could be detrimental. Not only could it cost the company money, it could also cost people their jobs. That’s why, as business leaders, you need to start the cybersecurity conversation as soon as possible.

It’s More Than Just Training

There’s a difference between training and awareness. Training is the initial education activity. Awareness is an ongoing reminder.

Training is important in cybersecurity because hackers are always evolving, and it’s crucial to stay on top of the latest trends and threats. However, it’s not going to be the most important key to keeping your business safe. What really sticks with people is the connection they feel with the message. Just like Ford, you need all levels of the company to understand and support the mission of cybersecurity.

Take manufacturing plants for example. All plants should have a safety coordinator on staff checking for issues and coming up with incident prevention plans. A company whose leadership believes in that mission, and promotes the health and safety of their employees, will have a lower accident rate!

On the flip side, if a company’s top executives are primarily concerned about profit, they will eventually see the effects of that in more dangerous incidents on the job.

Employees need to know the leaders in the company care. They need to see the highest level of executives spreading awareness by continually talking about things like governance policies and avoiding scams. If their boss doesn’t seem interested in cybersecurity, why should the average employee go above and beyond?

Lead by Setting an Example

If you talk the talk, you better be ready to walk the walk. Business leaders should have the same set of guidelines as the rest of the company when it comes to cybersecurity. If an executive opens a phishing email and compromises company data, they should face the same repercussions anyone else would.

That brings up another point many businesses fail to address. There need to be set consequences for not following cybersecurity protocol. These rules should be discussed openly, and not following them should be taken just as seriously as safety or money violations. Leaving your company vulnerable to a data breach is the same as leaving a cash drawer open in public. People at all levels can compromise the company’s security and they should all be held accountable by the same standards.

Cybersecurity is a Culture Issue

For people to care about cybersecurity, they need to feel a personal connection. If you can show them how their actions impact their own livelihood and their peers’, they may feel more convicted. Try to create a personal connection to the value of cybersecurity.

A good example to share with employees is someone who has access to their personal data. If you know a business or medical provider has your sensitive information stored in their system, don’t you hope the employees there are protecting it? Like public health, cybersecurity is just as much for the employee’s protection as it is for the community’s safety. Everyone should try their best to keep data protected, whether it’s their own, a colleague’s, or a stranger’s.

You can't force people to care. Employees must buy into the importance of the mission for it to sink in and work. As a leader in the company, you need to make it a core value everyone appreciates.

One Size Won’t Fit All

Deciding how often to do cybersecurity training, or when to discuss awareness campaigns, really depends on your business. The frequency and delivery vary based on the risk to your organization, the job duties of each employee, and the technology the employees use. There are so many factors to consider, which is why it’s best to analyze your own situation thoroughly rather than starting cybersecurity initiatives without much thought. It’s all about determining risk and addressing those concerns through a prioritized approach.

There also needs to be follow-through. Don’t just slap on some policies and forget them. Cybersecurity needs to be continually evaluated and at the heart of what you do every day. It needs to be just as important as the rest of your business to become a part of the culture. Without people buying into the message and mission, you will always be at a higher risk of a cyber-attack.

(References: https://www.autonews.com/article/20160629/RETAIL03/160629819/robert-cox-ad-man-behind-ford-s-quality-is-job-1-pitch-dies
https://enterprise.verizon.com/resources/reports/dbir/)