If one thing is clear from President Obama’s recent State of the Union road show, it’s that cybersecurity will be a priority for his administration this year. This shouldn’t be a surprise, as 2014 was a year of massive breaches, from hacks targeting JPMorgan Chase and The Home Depot to the North Korean attack on Sony Pictures Entertainment.
While you may not need to protect your small business against threats from foreign powers, there are plenty of more common cybersecurity dangers, and that’s why Obama has pitched the Personal Data Notification and Protection Act. The new legislative proposal outlines the obligations the administration believes companies have to notify customers of breaches, including a 30-day notification requirement, and creates a national notification standard, replacing the current hodgepodge of state rules.
On February 13, Obama signed off on an executive order requiring private companies to share more information about cybersecurity threats among themselves and with the federal government. It’s never too early to consider what it might mean for your small business.
What the proposal means for you
The president’s proposed legislation is designed to bring peace of mind to consumers, but concerns have been raised about its scope and cost. Many small businesses don’t have the infrastructure or resources for sophisticated cybersecurity systems. Monitoring for threats is costly and time-intensive, and if a breach does occur, the response is usually even more expensive, sometimes requiring forensic IT experts and crisis communications.
The 30-day requirement also poses a challenge. As shown by the Sony breach, it takes time to understand the full scope of damage, not to mention who is behind an attack and to what extent it affects customer data. From a crisis communications standpoint, there are drawbacks to jumping the gun and announcing false or incomplete information.
As a result, small businesses face the prospect of finding cost-effective ways to meet the government’s new cybersecurity rules if they pass Congress. To prepare for the new requirements, consider implementing a 360-degree plan, paying particular attention to the following actions:
1. Establish security-friendly policies. You need to establish a cloud security policy that includes rules about device management, specifically the bring-your-own-device movement. You need to ensure that your employees have the tools to collaborate securely while at work or on the go, but there must be a framework for doing this safely. Your policy should include consequences for not following the rules.
2. Prioritize training and awareness. It’s vital that you educate employees and customers on the impact their digital behavior has on security. They need to be aware of the dangers of breach fatigue and inaction. You can enlist your human resources team to educate staff on the impact of a breach, as well as the tactics that cyber criminals commonly use.
3. Make data security a team effort. Never neglect data encryption or breach detection because you don’t have a large in-house security organization. The best and most cost-effective early warning system is your employees and customers. Make it easy for them to report any signs of a security breach.
You also should leverage expertise from managed service providers that can help evaluate your company’s security needs and implement and monitor security infrastructure.
4. Craft an incident response plan. This plan should tell employees what to do if a security breach occurs. Your incident response plan, or IRP, should include classifications of possible attacks, along with an outline of steps to take, stakeholders to contact, and any necessary crisis communication. This plan will help limit damage if a breach occurs, though it might also be worthwhile to consider cybersecurity insurance.
As helpful as the Personal Data Notification and Protection Act could be for the American consumer, the potential effects are not as clear for small businesses. Because this proposal is new, there will be debate about how many records a company must handle to be subject to the rules and whether there should be a system of compliance expense reimbursement.
The best way to prepare is to proactively implement a comprehensive cybersecurity plan that will help safeguard your business and customers, while at the same time setting you up to comply with any new federal rules.
Tom Smith is vice president of business development and strategy for CloudEntr by Gemalto, a cloud computing security company based in Austin, Texas. Smith has more than 30 years of experience with security, mobile and cloud technologies, including founding executive roles at four technology companies.