Critical Steps Companies Must Take to Comply with New York’s Cybersecurity Rules – Ethical Boardroom

Winter 2017

New York's Cybersecurity Regulations (the New York Department of Financial Services' 23 NYCRR Part 500) went into effect on March 1, 2017, and their impact could reach farther than you think, including to small and mid-sized companies that do not do business in New York and are not in the financial services industry, largely because regulated companies must push security requirements down to the third-party service providers that handle their data or access their systems. And they require direct involvement by the Board of Directors. Is your company ready?

In my latest Ethical Boardroom article, I explain

  1. how these Cybersecurity Regulations can impact businesses of all sizes, in all industries, and all around the world,
  2. what specific steps regulated companies must take to be in compliance with the Cybersecurity Regulations, and
  3. what these Cybersecurity Regulations mean for nearly all companies.

Here is the full article from the Winter 2017 edition (page 140) which is available with free registration to the Ethical Boardroom website: Getting to Grips with New York’s Cybersecurity Compliance Rules

Here are other Ethical Boardroom (@EthicalBoard) articles that I have written that are also available for free:

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

3 Critical Cybersecurity Steps Your Company Must Take

I have presented at several cybersecurity conferences over the last few weeks and have had an opportunity to listen to and talk with some of the most highly regarded experts in this field, including people from the FBI, the Secret Service, private industry and many others.

The message I have heard over and over from all of these people echoes three things that every company must be doing to protect itself right now. To me, that consensus is what makes them "critical" for companies that want to be more secure. Obviously there is a lot more that companies should do, and I am sure many people have their own thoughts as to what the three should be, but these are the three I have heard over and over:

  1. Train all employees to recognize and resist phishing emails, since a single click on a malicious link or attachment is often all an attacker needs.
  2. Use multi-factor authentication, so that a stolen or phished password is not enough on its own to log in.
  3. Use adequate logging to detect intrusions and unauthorized activity in your network, and keep the logs for an adequate period of time. Published breach-response statistics have put the median time before an intrusion is discovered at 205 days. The logs will be crucial in any investigation, so you need to retain them for at least that long; because that figure is a midpoint rather than a ceiling, longer is better.
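Item 3 is the one most companies get wrong in practice, because "adequate logging" is only useful if something actually reads the logs. As an added example that is not from the original post, the Python below runs a simple detector over a few constructed sshd-style authentication lines (the hostname, accounts and addresses are invented): it flags a successful login from a source address that has just produced a burst of failures, and it counts failures per address across all usernames so that password spraying across many accounts is caught as well as brute force against one.

```python
"""Sliding-window detector for a brute-force or password-spraying attempt that
ends in a successful login, run over constructed sshd-style auth log lines.
Added example for this post; the log lines, host and accounts are invented."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One authentication event per line: ISO-8601 UTC timestamp, host, sshd prefix,
# then OpenSSH's "Accepted/Failed password for [invalid user] USER from IP port N".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Constructed sample data (RFC 5737 documentation addresses, fictional accounts).
SAMPLE_LOG = """\
2017-03-01T09:00:01Z vendor-portal sshd[2201]: Failed password for vendor_svc from 203.0.113.7 port 51022
2017-03-01T09:00:03Z vendor-portal sshd[2201]: Failed password for vendor_svc from 203.0.113.7 port 51023
2017-03-01T09:00:05Z vendor-portal sshd[2201]: Failed password for vendor_svc from 203.0.113.7 port 51024
2017-03-01T09:00:07Z vendor-portal sshd[2201]: Failed password for vendor_svc from 203.0.113.7 port 51025
2017-03-01T09:00:09Z vendor-portal sshd[2201]: Failed password for vendor_svc from 203.0.113.7 port 51026
2017-03-01T09:00:12Z vendor-portal sshd[2201]: Accepted password for vendor_svc from 203.0.113.7 port 51027
2017-03-01T09:00:12Z vendor-portal sshd[2201]: pam_unix(sshd:session): session opened for user vendor_svc
2017-03-01T09:10:00Z vendor-portal sshd[2310]: Failed password for bob from 198.51.100.21 port 40002
2017-03-01T09:10:06Z vendor-portal sshd[2310]: Accepted password for bob from 198.51.100.21 port 40003
2017-03-01T11:00:00Z vendor-portal sshd[2400]: Failed password for alice from 203.0.113.9 port 60001
2017-03-01T11:00:01Z vendor-portal sshd[2400]: Failed password for invalid user carol from 203.0.113.9 port 60002
2017-03-01T11:00:02Z vendor-portal sshd[2400]: Failed password for dave from 203.0.113.9 port 60003
2017-03-01T11:00:03Z vendor-portal sshd[2400]: Failed password for bob from 203.0.113.9 port 60004
2017-03-01T11:00:04Z vendor-portal sshd[2400]: Accepted password for eve from 203.0.113.9 port 60005
"""


def parse_line(line):
    """Return a dict for one auth event, or None for lines that are not auth events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_bruteforce_success(lines, threshold=4, window=timedelta(minutes=10)):
    """Alert when a source IP logs in successfully after at least `threshold`
    failures inside `window`. Failures are counted per IP across all usernames,
    so a spray of one password over many accounts is caught as well as a
    hammering of one account."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, username) failures
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        q = recent[ip]
        while q and ts - q[0][0] > window:   # expire failures older than the window
            q.popleft()
        if ev["result"] == "Failed":
            q.append((ts, ev["user"]))
            continue
        # A successful login: suspicious only if preceded by a burst of failures.
        if len(q) >= threshold:
            alerts.append({
                "ip": ip,
                "user": ev["user"],
                "failures": len(q),
                "users_tried": sorted({u for _, u in q}),
                "first_failure": q[0][0],
                "success": ts,
            })
        q.clear()   # a success ends the episode for this source either way
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce_success(SAMPLE_LOG.splitlines()):
        print(f"{a['success'].isoformat()} {a['ip']} logged in as {a['user']} "
              f"after {a['failures']} failures against {a['users_tried']}")
```

Running it prints two alerts: the five failures followed by a success for vendor_svc, and the spray from 203.0.113.9 that tried four accounts before getting into a fifth. Bob's single typo followed by the right password stays below the threshold, which is the kind of tuning real deployments spend their time on. The same loop works for any authentication source once the regular expression is swapped for that log's format, and the 205-day figure above is exactly why the raw lines, not just the alerts, need to be kept.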

UPDATE: After I posted this article on LinkedIn, my friend Jim McConnell, who knows more about third-party risk and supply chain risk management than probably anybody else I know, posted the following suggestions in response. As usual, Jim is spot-on, and I would like to share his insights with you:


The post is HERE and I would encourage you to join in the discussion — after all, we are all learning from each other as we go along and conversations like this are a great way to do it!

______________________

What did Sun Tzu teach about data security?

Sun Tzu: The Art of War

Sun Tzu taught that, when it comes to data security, you must be wary of your business associates and other third parties.

Why?

Have you heard of the national retailer that was hit with a perfectly timed cyber attack beginning around Black Friday 2013, in which payment card data for roughly 40 million customers and personal information for up to 70 million more was taken? That company has already reported over $61,000,000 in breach-related expenses and will spend much more. It is facing new lawsuits weekly, its net earnings are down, earnings per share are down, and its sales are down. The company is Target. Target, however, was not attacked directly.

Do you know how Target’s computer system was attacked?

Cyber criminals launched an email spear-phishing campaign against Fazio Mechanical Services, Target's third-party HVAC vendor. Someone at Fazio opened the email and clicked, which gave the criminals a foothold on Fazio's systems. From there they looked around until they found the credentials Fazio used to log into Target's vendor portal, and then used those credentials to get into Target's network. Two points bear emphasizing: the phishing email was the way in, and a stolen password alone was enough to use the vendor's account, which is precisely the gap multi-factor authentication closes.

What did Sun Tzu teach us about this technique?

In all fighting the direct method may be used for joining battle, but indirect methods will be needed to secure victory.

You can be sure of succeeding in your attacks if you attack places which are not defended.

The spot where we intend to fight must not be made known; for then the enemy will have to prepare against a possible attack at several different points; and his forces being thus distributed in many directions, the numbers we shall have to face at any given point will be proportionately few.

Most businesses put their energy into securing their own networks and spend very little examining the networks of the business associates and other third parties they allow to connect to them.

Around 500 B.C., Sun Tzu taught that an enemy (today, a cyber criminal) who wants to attack your company's computer network would be wise to do so indirectly, such as through your company's business associates and other third parties who have access to your network. Cyber criminals may be a lot of things, but they are not dumb … the successful ones, anyway.

Be wary.