Here”™s a confidential one question quiz that you can do in your head and not share with any customer, client, shareholder, government regulator or future plaintiff.
- How is your business cybersecurity program?
a. What”™s a cybersecurity program?
b. We have never really thought about cybersecurity.
c. It is good on paper but not in real life.
d. It is good in my mind and verbally, but it”™s not written down
e. We have someone in charge on paper, but not really.
f. Cybersecurity is taken care of by our IT provider (or other third party), we don”™t have to worry about it.
g. We have good cybersecurity documentation, we follow it and continually assess and improve upon it.
You can probably guess the best answer and see how others are problematic.
Good management principles should extend to technology and cybersecurity. If we manage information assets well then we can prevent a crime, stay in compliance with legal requirements and improve efficiency.
Cybersecurity program vs. policy
Some things need to be written down regarding cybersecurity and they should establish the organization”™s general rules and practices regarding cybersecurity.
The organization will need to continually work on this by devoting some degree of people and resources to it. One way to think of this is by having a policy that establishes a program which the organization works on continually. That work will never end.
There is room to debate about what is a “program” and what is a “policy” and how the two overlap and diverge. But better to skip that debate. General organization rules can be called “policies” and those policies can establish activities in compliance with those rules, and those activities can be called a “program”.
Review and consider what your cybersecurity documents are (and should be)
Now is a good time to review what documents you have and how they can be improved.
Your cybersecurity documentation should:
- Comply with applicable laws and regulations
- Be practical and helpful
- Be clearly written and understood by all organization employees
- Be the right length and level of detail
- Establish internal management for information assets
- Follow cybersecurity best practices
- Designate who does what
- Include a written incident response plan.
This short list gets you started and as priorities and time allow you can consult a more detailed policy checklist.
What do you have currently?
Inventory what documents exist, when they were last reviewed and updated, read them and see how they can be improved. The goal is to maintain living documents that are reviewed, followed, updated, and improved.
If you do not have any written cybersecurity documentation at all, then the top priority on your list should be getting them in place (while ensuring quality).
If your organization lacks legal or cybersecurity expertise in-house, then hiring an expert can bring efficiencies. Otherwise, it can be an extensive and time-consuming journey of learning. For the smallest organizations that lack the resources to hire experts I created an excellent free cybersecurity policy which helps them get started. It covers essential aspects of a policy and program in plain and practical language, includes an incident response plan plus direct links for additional reading and resources.
A solid cybersecurity foundation built on knowledge
To learn more about the cybercrime attacks that could happen if cybersecurity is not strong enough, read my prior Westfair articles on the three priority threats of data breach, ransomware, and email-based frauds.
Legal requirements in the cyber realm exist as laid out in my prior articles on cybersecurity laws for business and privacy.
A general overview of cybersecurity for your business helps, and consider the four pillars of cybersecurity. Good policies are important and have legal significance, and every business should analyze five components that impact them.
Conclusion
Every organization needs a cybersecurity policy and program to effectively manage and improve their cybersecurity posture and information assets. Well managed organizations extend good governance to information assets, including people, computer devices, data, and networks.
If your organization has not gotten started or has not done a recent review of its cybersecurity program and policy, now is the time.
John Bandler is an adjunct professor at Elisabeth Haub School of Law at Pace University who teaches about law as it intersects with cybercrime, cybersecurity and privacy. He is ”‹the principal and founder of Bandler Law Firm PLLC, a law practice that helps organizations navigate these areas. Visit his website: johnbandler.com
