Operating a website as part of your business is an excellent way to get people interested in what you do and attract more customers. However, having a website also makes it necessary to stay abreast of cybersecurity changes and how they may affect you. Here’s a breakdown of some of the new specifics coming soon.
More State Legislators Eye Data Privacy Laws
Until recently, California was the only U.S. state with a privacy law. However, that changed when Virginia followed suit with its Consumer Data Protection Act. It’ll come into effect on January 1, 2023. That means any business owners affected by it will need to make proactive preparations throughout.
New York’s governor also has similar plans. Recently introduced Bill S567 would allow people in New York to opt out of companies selling their data and learn what kind of information specific companies sell to third parties. If passed, it would come into effect 180 days later. That means it could trigger changes in 2022.
An address about the intentions clarified some of the other privacy and security measures in the pipeline. For example, businesses engaging with New Yorkers would have to disclose the purpose of their data collection practices, and companies could only gather information for those stated reasons.
Data privacy and cybersecurity are not interchangeable subjects. However, they’re interrelated. Consider the example where you get a customer request about the kind of data your company has about them. When a company has poor cybersecurity practices, representatives may encounter extra challenges when locating the data.
Uncertainty about the location of requested information also makes it more difficult to assess the damage caused by a suspected breach. If a company’s IT team doesn’t know the enterprise’s processes for storing data, it’ll take longer to confirm the type of material compromised.
The Internet Increases Your Reach
The data privacy law landscape at the state law level is still uncertain. For example, until very recently, Florida had legislation in the works that would have come into effect in 2022. However, it didn’t pass all the required stages.
However, the internet crosses state boundaries. No matter how you use your website to engage with customers, it’s probably counterproductive to treat customer data differently once you confirm someone resides in a place with an active privacy law.
The more practical approach is to adjust your data collection processes to align with all active privacy laws. Then apply them to everyone, regardless of a person’s location.
The good news is that the privacy laws in effect and under consideration have numerous similarities. Getting familiar with them and making the necessary changes now reduces the adjustments you may have to make as future privacy laws pass and apply to your business.
If you’re unsure how close your company is to fulfilling all applicable laws, consider budgeting to get a consultant’s opinion. That professional can identify any shortcomings and recommend the most effective ways to address them.
People Will Get More Proactive About Solving the Cybersecurity Skills Shortage
The lack of sufficient cybersecurity talent is not a new problem. Statistics indicate that it could cause 1.8 million open positions in 2022. A more recent revelation, though, is that cybersecurity talent shortages could lead to national security problems. That’s especially true with hackers making more attempts to compromise crucial infrastructure.
Federal lawmakers hope to tackle cybersecurity talent needs by establishing the Civilian Cybersecurity Reserve. It would let government officials temporarily call upon people with cybersecurity expertise to serve in short-term government roles without sacrificing their non-government employment. The people involved in establishing that task force intend to introduce the measure either as part of a 2022 defense policy bill or as a standalone measure, reports suggest.
There’s also progress happening on a similar endeavor called the Civilian Cyber Security Reserve Act. It would establish a pilot program and invite people who formerly served in the military or worked in the federal government to assist with mitigation measures after large-scale cyberattacks. More specifically, participants would aid the Department of Defense and Department of Homeland Security.
Securing Your Website During the Shortage and Beyond
It’s undoubtedly positive that people at the federal level have considered new tactics for addressing the skills shortage. That said, the progress in that area may not directly impact your website. However, you can significantly reduce the likelihood of suffering a cyberattack by getting more proactive about the things within your control.
Creating an organizational cybersecurity policy is an excellent place to start. It could include aspects like access control measures, data retention and encryption procedures, risk management and cybersecurity education for your workforce.
Perhaps it’s not feasible to hire a full-time cybersecurity expert at your business due to the skills shortage or otherwise. If so, consider going through internet security checklists to see where weak points exist. For example, the National Institute of Standards and Technology (NIST) has a free cybersecurity framework and related resources to help company leaders assess where there’s room for improvement.
Personal responsibility is another crucial part of an effective cybersecurity strategy. Some people at a business may view internet security as outside of their realm of influence. That’s especially likely if they’re not in a role that directly deals with cybersecurity. However, everyone at your organization almost certainly uses work-related passwords and relies on computers for at least some tasks.
Aim to establish cybersecurity as a cultural norm at your company. Emphasize that everyone plays a role in following best practices that safeguard against hacks, leaks and other unwanted consequences. Making cybersecurity an ongoing commitment at your company will boost the organization’s resiliency. It should also increase trust among your current and potential clients.
Vendors Working for the Federal Government Must Follow Stricter Cybersecurity Rules
U.S. President Joe Biden recently signed an executive order detailing his extensive plans falling under the umbrella of an initiative called Cybersecurity For All. Most of the content relates to strengthening the government’s internet security and tightening the rules for contractors who work with government departments.
If your company currently has government contracts or you plan to bid on some opportunities soon, some Cybersecurity For All measures will almost certainly apply. For example, within the next 180 days, contractors can expect new software supply chain rules. Additional procedures will also come into force about contractors’ responsibilities when reporting data breaches.
However, some parts of the Cybersecurity For All efforts span beyond federal contractors. For example, members of a proposed Cyber Safety Review Board will meet following significant breaches affecting federal and non-federal entities.
The outcomes of such meetings could shape the measures both large and small companies take moving forward to avoid becoming targeted by online criminals. Staying up to date on current cyberattack trends and preventive measures will help company leaders prepare instead of getting caught off guard.
Cybersecurity Investments Translate To Competitive Advantages
You may conclude that any measures intended for federal contractors don’t apply to your business now. Even if that’s true, it’s still wise to continually invest in cybersecurity. Doing that sends a strong signal of reliability to people who may consider working with you.
Devoting resources to cybersecurity also lowers the chances of suffering an attack that could significantly decrease your company’s productivity. In Ireland, the national health service recently got hit with a ransomware attack. Decision-makers did not pay the demanded amount and said they could restore much of the compromised information with backups not affected by the attack.
However, some estimates suggest it could take weeks or months before all systems operate normally again. Those are the timelines despite substantial numbers of people working to restore service. You can imagine how much more severe a similar situation would be for a small business that had most of its online infrastructure affected and did not have the benefit of dozens or hundreds of IT specialists working to fix the problems.
Failing to prioritize cybersecurity now will likely cause preventable problems for your company down the line. Online criminals orchestrate devastating attacks with eye-opening regularity. You only need to do a quick internet search to find information about instances that occurred within the last week or two throughout various industries.
Assuming that cybercriminals will not target your business could cause disastrous outcomes. The best approach to take is to minimize your risk with proactive strategies recommended by cybersecurity experts.
Safe Harbor Provisions Begin Affecting Organizations’ Data Breach Liability
All states have notification timelines that apply when telling affected parties about a data breach occurring at a company. However, a more recent trend concerns so-called “safe harbor” provisions that could come into effect to protect a breached business from potential lawsuits.
So far, only Ohio and Utah have them in effect. However, some cybersecurity analysts believe similar measures may be on the way in other states. The idea is that some companies can assert that they had sufficient cybersecurity measures in place before a breach happened. That claim then becomes part of their defense against certain litigation stemming from the incident.
In Utah, the law describes “reasonable” cybersecurity controls and details the measures people must have taken to avail themselves of the safe harbor defense. For example, they must follow one of several listed frameworks when designing a cybersecurity program. Ohio’s stipulations are similar in that they require abiding by one of several frameworks. However, the law also recognizes that a company’s cybersecurity program may differ depending on a company’s size, activities, resources and various other factors.
An Incentive To Take Cybersecurity More Seriously
Many cybersecurity and legal analysts agree that the safe harbor laws should encourage business owners to view cybersecurity as an issue that matters to them. Moreover, choosing and following a widely recognized cybersecurity framework could reduce liability caused by future internet security issues.
Maybe you don’t operate a business in one of the states with safe harbor laws. Even so, it’s smart to think about selecting one of the suggested frameworks and using it to steer your cybersecurity efforts.
It’s often challenging to decide where to start when making cybersecurity improvements. Using a framework could be both an eye-opening and uplifting experience. You’ll probably find numerous areas where your company is already doing well from a cybersecurity perspective. However, there will be things to work on, too. Assessing where your company is now will help you plan to boost the organization’s cyber preparedness.
You can also get feedback from staff members about any cybersecurity weaknesses they may notice. People have different perspectives depending on their roles within the company, so talking with them may reveal some internet security weaknesses you hadn’t previously considered.
Prioritise Better Cybersecurity as an Ongoing Business Goal
The above discussions detail some of the changes you can expect that’ll likely affect cybersecurity for the rest of this year and into 2022. However, even if you don’t think they directly apply to you, now is a great time to treat cybersecurity readiness as something that’ll strengthen your company now and for the foreseeable future.